paranoïa

Page principale

Répondre à ce message
Auteur: Nicolas Rougnon-Glasson
Date:  
À: Guilde liste
Sujet: paranoïa
à force de lire des histoires d'intrusion et de changement de mot de
passe root, je vire parano...

Hier soir je fais un "apt-get -u dist-upgrade", pour passer de Woody à
Sarge. Première frayeur lorsqu'on me demande s'il faut remplacer ou
conserver les fichiers /etc/pam.d/other, /etc/pam.d/login,
/etc/pam.d/passwd, qui ont été modifié soit à la main soit par un
script. Apparemment sans gravité.

Aujourd'hui, je démarre ma bécane, et après quelques minutes je vais
faire un tour dans /var/log/syslog, pour constater d'éventuels dégats
causés par l'opération de la veille. Et là je trouve ça :


Apr 26 19:10:09 gronkymachine identd[473]: started
Apr 26 19:10:09 gronkymachine in.telnetd[481]: connect from 66.140.25.156
Apr 26 19:10:12 gronkymachine in.telnetd[482]: connect from 66.140.25.156
Apr 26 19:10:38 gronkymachine telnetd[482]: ttloop: peer died: EOF
Apr 26 19:10:38 gronkymachine telnetd[481]: ttloop: peer died: EOF


Et d'abord c'est qui ce "66.140.25.156" ?
Sur ce, je fais une recherche dans tout /var/log/syslog de "connect".
Après filtrage de tous les messages sans intérêt, il reste ça :


Feb 16 20:47:33 gronkymachine in.ftpd[2623]: connect from 196.41.11.253
Feb 17 00:33:50 gronkymachine in.ftpd[650]: connect from 80.11.172.160
Mar 19 21:50:42 gronkymachine in.fingerd[974]: connect from 81.51.196.47
Mar 19 21:50:47 gronkymachine fingerd[974]: Client hung up - probable
port-scan
Mar 23 00:52:04 gronkymachine in.ftpd[498]: connect from 81.53.30.100
Mar 23 00:52:04 gronkymachine in.qpopper[500]: connect from 81.53.30.100
Mar 23 00:52:05 gronkymachine in.qpopper[500]: (null) at
AGrenoble-203-1-15-100.abo.wanadoo.fr (81.53.30.100): -ERR POP EOF or
I/O Error [popper.c:820]
Mar 27 16:10:11 gronkymachine in.ftpd[611]: connect from 213.124.13.130
Mar 27 16:27:32 gronkymachine in.ftpd[616]: connect from 198.30.138.29
Apr 1 21:30:11 gronkymachine in.ftpd[858]: connect from 200.177.103.90
Apr 8 01:04:42 gronkymachine identd[476]: started
Apr 8 01:04:43 gronkymachine in.telnetd[484]: connect from 66.140.25.157
Apr 8 01:04:46 gronkymachine in.telnetd[485]: connect from 66.140.25.157
Apr 8 01:05:13 gronkymachine telnetd[485]: ttloop: peer died: EOF
Apr 8 01:05:13 gronkymachine telnetd[484]: ttloop: peer died: EOF
Apr 10 02:55:54 gronkymachine identd[509]: started
Apr 10 03:00:32 gronkymachine in.telnetd[519]: connect from 66.140.25.157
Apr 10 03:00:35 gronkymachine in.telnetd[520]: connect from 66.140.25.157
Apr 10 03:01:02 gronkymachine telnetd[520]: ttloop: peer died: EOF
Apr 10 03:01:02 gronkymachine telnetd[519]: ttloop: peer died: EOF
Apr 10 22:54:09 gronkymachine identd[453]: started
Apr 10 23:16:14 gronkymachine in.telnetd[517]: connect from 66.140.25.157
Apr 10 23:16:17 gronkymachine in.telnetd[518]: connect from 66.140.25.157
Apr 10 23:16:43 gronkymachine telnetd[518]: ttloop: peer died: EOF
Apr 10 23:16:43 gronkymachine telnetd[517]: ttloop: peer died: EOF
Apr 12 18:38:21 gronkymachine identd[457]: started
Apr 12 18:38:22 gronkymachine in.telnetd[465]: connect from 66.140.25.157
Apr 12 18:38:25 gronkymachine in.telnetd[466]: connect from 66.140.25.157
Apr 12 18:38:51 gronkymachine telnetd[466]: ttloop: peer died: EOF
Apr 12 18:38:51 gronkymachine telnetd[465]: ttloop: peer died: EOF
Apr 19 00:51:50 gronkymachine identd[725]: started
Apr 19 00:51:51 gronkymachine in.telnetd[733]: connect from 66.140.25.157
Apr 19 00:51:54 gronkymachine in.telnetd[734]: connect from 66.140.25.157
Apr 19 00:52:20 gronkymachine telnetd[734]: ttloop: peer died: EOF
Apr 19 00:52:20 gronkymachine telnetd[733]: ttloop: peer died: EOF
Apr 19 00:52:41 gronkymachine in.telnetd[736]: connect from 66.140.25.157
Apr 19 00:52:44 gronkymachine in.telnetd[737]: connect from 66.140.25.157
Apr 19 01:48:12 gronkymachine in.ftpd[803]: connect from 203.72.61.47
Apr 22 00:35:39 gronkymachine identd[449]: started
Apr 22 00:35:42 gronkymachine in.telnetd[457]: connect from 66.140.25.157
Apr 22 00:35:45 gronkymachine in.telnetd[460]: connect from 66.140.25.157
Apr 22 00:36:11 gronkymachine telnetd[460]: ttloop: peer died: EOF
Apr 22 00:36:11 gronkymachine telnetd[457]: ttloop: peer died: EOF
Apr 23 03:11:56 gronkymachine in.telnetd[616]: connect from 66.140.25.157
Apr 23 03:11:59 gronkymachine in.telnetd[617]: connect from 66.140.25.157
Apr 23 03:12:52 gronkymachine telnetd[617]: ttloop: peer died: EOF
Apr 23 03:12:52 gronkymachine telnetd[616]: ttloop: peer died: EOF
Apr 25 00:08:58 gronkymachine identd[470]: started
Apr 25 00:08:59 gronkymachine in.telnetd[478]: connect from 66.140.25.157
Apr 25 00:09:02 gronkymachine in.telnetd[480]: connect from 66.140.25.157
Apr 25 00:09:28 gronkymachine telnetd[480]: ttloop: peer died: EOF
Apr 25 00:09:28 gronkymachine telnetd[478]: ttloop: peer died: EOF
Apr 26 04:11:24 gronkymachine identd[17662]: started
Apr 26 04:12:08 gronkymachine in.telnetd[17672]: connect from 66.140.25.156
Apr 26 04:12:11 gronkymachine in.telnetd[17673]: connect from 66.140.25.156
Apr 26 04:12:37 gronkymachine telnetd[17673]: ttloop: peer died: EOF
Apr 26 04:12:37 gronkymachine telnetd[17672]: ttloop: peer died: EOF


Comme mesure de rétorsion, j'ai rien trouvé de mieux que de "purger"
telnetd, ftpd, fingerd et qpopper.
Vos avis sur tout ça ? Je psychote ou y a du danger ?

A+
N.