What can cause this
telnetd[...]: ttloop: peer died: Success

I've had several occurrences of this entry along with connections from somewhere where no-one should be accessing my machine (via telnet).

Also around the same time frame (from tcpdump):
activity to a port 234 at various IP addresses
udp port biff unreachable

I (a novice at *nix) believe someone has been accessing my machine and using it to hide their identity, and am looking for (URLs?) for information on how to find out what this person(s?) are up to, and how they are going about it.

I have discovered that "top" no longer will display any task activity.

I use the machine as an IP forwarder for a few other machines on a small LAN. (IP forwarding is enabled.)
The Linux was installed from the latest version of Caldera Lite (a few months ago).
Kernel version: 2.0.33

It is connected usually 24 hours a day via a dynamic IP connection using dynip.com to provide a static address to find the machine. Obviously I could not use dynip and most likely stop the access, but dynip has its use for me.

tia,
Eagle One
Kevin Vajk
1998-Jun-15 15:55 UTC
[linux-security] Re: Help with : telnetd[...]: ttloop: peer died: Success
On Sun, 14 Jun 1998, Eagle One wrote:

> What can cause this
> telnetd[...]: ttloop: peer died: Success

Being port-scanned might cause this. In /var/log/secure there ought to be a telnetd entry to correspond to this. (i.e. same date and PID.) It should have the IP address the connection was initiated from.

> I have discovered that "top" no longer will display any task activity.

This is worrisome. Maybe your new friend got in. Were you up to date on the latest security fixes? I would recommend a fresh install, personally. Also, do "ps aux" and look for any weird processes.

- Kevin Vajk <kvajk@ricochet.net>
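The log correlation suggested in the reply above (same date and PID), as an added example that is not part of the original thread. The syslog line layout, the "connect from" wording, the host name and the addresses are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Classic syslog layout: "Jun 14 03:12:47 host prog[pid]: message"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ (\S+?)\[(\d+)\]: (.*)$")

def parse(lines, year):
    """Yield (timestamp, program, pid, message) for each well-formed line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            # Syslog timestamps carry no year, so the caller supplies it.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3)), m.group(4)

def correlate(messages, secure, year=1998, window=timedelta(minutes=5)):
    """Return (timestamp, pid, source) for every 'ttloop: peer died' entry."""
    connects = [(ts, pid, msg.split("connect from ", 1)[1])
                for ts, prog, pid, msg in parse(secure, year)
                if prog.endswith("telnetd") and "connect from " in msg]
    results = []
    for ts, prog, pid, msg in parse(messages, year):
        if not (prog.endswith("telnetd") and "ttloop: peer died" in msg):
            continue
        # PIDs get reused, so accept only a connect for the same PID that
        # happened at or shortly before the failure, and prefer the latest.
        near = [(cts, src) for cts, cpid, src in connects
                if cpid == pid and timedelta(0) <= ts - cts <= window]
        results.append((ts, pid, max(near)[1] if near else None))
    return results

# Constructed sample lines (documentation addresses), not taken from the thread.
MESSAGES = [
    "Jun 14 03:12:47 gw telnetd[1234]: ttloop: peer died: Success",
    "Jun 14 09:30:02 gw telnetd[1301]: ttloop: peer died: Success",
]
SECURE = [
    "Jun 13 22:00:10 gw in.telnetd[1234]: connect from 192.0.2.10",
    "Jun 14 03:12:45 gw in.telnetd[1234]: connect from 198.51.100.23",
    "Jun 14 09:00:00 gw in.telnetd[1301]: connect from 192.0.2.10",
]

if __name__ == "__main__":
    for ts, pid, src in correlate(MESSAGES, SECURE):
        print(ts, pid, src or "no matching connect entry")
```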
Brandon S. Allbery KF8NH
1998-Jun-16 09:49 UTC
[linux-security] Re: Help with : telnetd[...]: ttloop: peer died: Success
In message <Pine.LNX.3.96.980615084829.18085C-100000@darkstar.localdomain>, Kevin Vajk writes:
+-----
| Also, do "ps aux" and look for any weird processes.
+--->8

If he's got nocturnal visitors, they may have replaced ps. Try this instead:

#! /usr/bin/perl
# List every process straight from /proc, without relying on ps.
opendir(D, '/proc') || die "cannot open /proc: $!\n";
while (defined ($_ = readdir(D))) {
    next unless /^\d+$/;              # numeric entries are PIDs
    open(F, "/proc/$_/cmdline") || next;
    local($/) = "\0";                 # arguments are NUL-separated
    $did = 0;
    while (defined ($l = <F>)) {
        chomp($l);                    # strip the NUL from the argument, not from $_
        print "$_:" unless $did++;
        print " $l";
    }
    close(F);
    print "$_: (none)" unless $did;   # empty cmdline
    print "\n";
}
closedir(D);

It's not perfect, but it's small and easy to use --- and easy to see if they changed it :-)

--
brandon s. allbery [team os/2][linux][japh] allbery@kf8nh.apk.net
system administrator, ece facilities allbery@ece.cmu.edu
carnegie mellon university (bsa@kf8nh is still valid.)
Duncan Simpson
1998-Jun-17 12:35 UTC
[linux-security] Re: Help with : telnetd[...]: ttloop: peer died: Success
Those with this sort of problem should investigate check-ps-1.2. It is officially alpha but seems to work reliably. The licence is GPL. This will check ps against hacking every 5 minutes or work in one-shot mode. Any pids not listed can be killed if you wish. A fd explorer is included which will tell you both ends of all the network connections, which files are open and so forth. Naturally anti-race code is included. Daemon mode can use email to another machine and hacks all the process name information to httpd.

Interested parties are invited to obtain a copy by anonymous ftp from mars.astar.co.uk in the pub/word2x directory. The latest version is check-ps-1.2alpah2.tar.gz (source, with GNU autoconf script).

--
Duncan (-:
"software industry, the: unique industry where selling substandard goods is legal and you can charge extra for fixing the problems."
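The kind of cross-check discussed in the two posts above (compare what ps reports against the PIDs in /proc, tolerating processes that start or exit mid-check), as an added example; it is not code from check-ps or from the thread, and the function names and the three-round retry are assumptions.

```python
import os
import subprocess

def proc_pids(proc_root="/proc"):
    """PIDs the kernel exposes: the all-numeric directories under /proc."""
    return {int(name) for name in os.listdir(proc_root)
            if name.isdigit() and os.path.isdir(os.path.join(proc_root, name))}

def ps_pids(ps_output):
    """PIDs that ps reported; expects the PID in the first column."""
    pids = set()
    for line in ps_output.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():   # skips the "PID" header line
            pids.add(int(fields[0]))
    return pids

def run_ps():
    """Run the installed (possibly replaced) ps and parse its PID column."""
    out = subprocess.run(["ps", "-e", "-o", "pid"], capture_output=True,
                         text=True, check=True).stdout
    return ps_pids(out)

def hidden_pids(list_proc=proc_pids, list_ps=run_ps, rounds=3):
    """PIDs visible in /proc but absent from ps in every round."""
    suspects = None
    for _ in range(rounds):
        before = list_proc()
        reported = list_ps()
        after = list_proc()
        # Race handling: only a PID alive both before and after the ps run
        # was certainly there for ps to see; anything else just started or exited.
        missing = (before & after) - reported
        suspects = missing if suspects is None else suspects & missing
        if not suspects:
            break
    return suspects or set()

if __name__ == "__main__":
    for pid in sorted(hidden_pids()):
        print(f"PID {pid} is in /proc but ps does not list it")
```

This only exposes a tampered ps binary; if the kernel itself has been modified, /proc can be filtered as well, so the check is best run from trusted media.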
Stefan Simko
1998-Jun-19 10:07 UTC
[linux-security] Re: Help with : telnetd[...]: ttloop: peer died:
>Those with this sort of problem should investigate check-ps-1.2. It is
>officially alpha but seems to work reliably. The licence is GPL. This
>will check ps against hacking every 5 minutes or work in one-shot mode.

And what happens if hackers replace check-ps-1.2 too?

Stefan
--
Stefan Simko, EUnet Slovakia, Kutlikova 17, phone: +421-7-5876111
E-mail: stefan@eunet.sk, PGP available at WWW: http://www.eunet.sk/stefan/
Duncan Simpson
1998-Jun-19 14:43 UTC
[linux-security] Re: Help with : telnetd[...]: ttloop: peer died: Success
Sorry to follow up my own post but the last one got the machine to ftp check-ps from wrong. The real information is the latest version of check-ps is available by anonymous ftp from mars.astra.co.uk in the pub/word2x in the file check-ps-1.2alpha.tar.gz.

Note the change from astar (wrong, astar.co.uk does not exist AFAIK) to astra (correct, astra.co.uk does exist and there is a machine called mars around in that domain). As insurance against further misdeeds of my fingers another name for the same box is word2x.astra.co.uk (as in the word2x website).

--
Duncan (-:
"software industry, the: unique industry where selling substandard goods is legal and you can charge extra for fixing the problems."