Telnet Attack

From: Andreas Höschler (ahoesch@smartsoft.de)
Date: Mon Aug 27 2007 - 07:01:38 EDT


Dear managers,

It was stated that a telnet attack was started from a Solaris 10
machine I am responsible for. I doubt that. However, I got the
following log file:

Event Date Time, Destination IP, IP Protocol, Target Port, Issue Description, Source Port, Event Count
EventRecord: 26 Aug 2007 02:26:37, 199.17.x.x, 6, 23, Telnet, 50593, 1
EventRecord: 26 Aug 2007 02:26:27, 199.17.x.x, 6, 23, Telnet, 50331, 2
EventRecord: 26 Aug 2007 02:26:17, 199.17.x.x, 6, 23, Telnet, 50064, 2
EventRecord: 26 Aug 2007 02:26:07, 199.17.x.x, 6, 23, Telnet, 49797, 2
EventRecord: 26 Aug 2007 02:25:57, 199.17.x.x, 6, 23, Telnet, 49530, 2
EventRecord: 26 Aug 2007 02:25:50, 199.17.x.x, 6, 23, Telnet, 49264, 1
EventRecord: 26 Aug 2007 02:25:47, 199.17.x.x, 6, 23, Telnet, 49264, 1
EventRecord: 26 Aug 2007 02:25:40, 199.17.x.x, 6, 23, Telnet, 49001, 1
EventRecord: 26 Aug 2007 02:25:37, 199.17.x.x, 6, 23, Telnet, 49001, 1
EventRecord: 26 Aug 2007 02:25:27, 199.17.x.x, 6, 23, Telnet, 48740, 2
EventRecord: 26 Aug 2007 02:25:17, 199.17.x.x, 6, 23, Telnet, 48483, 2
EventRecord: 26 Aug 2007 02:25:07, 199.17.x.x, 6, 23, Telnet, 48216, 2
EventRecord: 26 Aug 2007 02:24:57, 199.17.x.x, 6, 23, Telnet, 47948, 2
...

Now I am sure that no legitimate user has been on this machine at this
time. I have blocked outgoing traffic on port 23 in the meantime.
However, I would like to either prove that the above record is
wrong/faked (not really coming from my machine) or find out which
process did that and who started it. Since I am more a developer
than a sysadmin, I am rather clueless about what to do now. The machine is
running ipfilter.

        ipmon -an

seems to give me an overview of the traffic that is going on. But of
course I see no current attempts to access any machine on port 23. Can I
configure ipfilter to give me the process ID of the process that is
initiating outgoing traffic? What other tools can I use to figure out
what was going on last night? The machine can be reached via ssh
(inbound); all other ports are blocked.

Hints are greatly appreciated!

Thanks a lot in advance!

Regards,

   Andreas
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
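As an added example (not part of Andreas's message, and not output of ipfilter or any tool he names), the Python below parses records in the shape of the log above and computes what a responder checks before arguing whether such a record is bogus or real: the time window, the packet total, whether the same source port recurs a few seconds apart (one connection attempt whose SYN was retransmitted because the target never answered), and whether the source ports rise monotonically as a single TCP stack handing out ephemeral ports would produce. The embedded sample is constructed from the posted records, with two of them left in the line-wrapped form the mail archive shows so the parser demonstrably handles it. The "implied connections per second" figure rests on an assumption stated in the code: that the sending host allocates ephemeral ports sequentially (the Solaris 10 default the script takes as given; confirm it on the box). It is an inference about what else the host was doing, not something the sensor recorded.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the records from the posted log (destination masked as in
# the post). The first two keep the line wrap a mail client introduced before
# the source port; the parser joins such continuation lines.
SAMPLE_LOG = """\
Event Date Time, Destination IP, IP Protocol, Target Port, Issue
Description, Source Port, Event Count
EventRecord: 26 Aug 2007 02:26:37, 199.17.x.x, 6, 23, Telnet
                                 , 50593, 1
EventRecord: 26 Aug 2007 02:26:27, 199.17.x.x, 6, 23, Telnet
                                 , 50331, 2
EventRecord: 26 Aug 2007 02:26:17, 199.17.x.x, 6, 23, Telnet, 50064, 2
EventRecord: 26 Aug 2007 02:26:07, 199.17.x.x, 6, 23, Telnet, 49797, 2
EventRecord: 26 Aug 2007 02:25:57, 199.17.x.x, 6, 23, Telnet, 49530, 2
EventRecord: 26 Aug 2007 02:25:50, 199.17.x.x, 6, 23, Telnet, 49264, 1
EventRecord: 26 Aug 2007 02:25:47, 199.17.x.x, 6, 23, Telnet, 49264, 1
EventRecord: 26 Aug 2007 02:25:40, 199.17.x.x, 6, 23, Telnet, 49001, 1
EventRecord: 26 Aug 2007 02:25:37, 199.17.x.x, 6, 23, Telnet, 49001, 1
EventRecord: 26 Aug 2007 02:25:27, 199.17.x.x, 6, 23, Telnet, 48740, 2
EventRecord: 26 Aug 2007 02:25:17, 199.17.x.x, 6, 23, Telnet, 48483, 2
EventRecord: 26 Aug 2007 02:25:07, 199.17.x.x, 6, 23, Telnet, 48216, 2
EventRecord: 26 Aug 2007 02:24:57, 199.17.x.x, 6, 23, Telnet, 47948, 2
...
"""

# Fields: timestamp, destination IP, IP protocol, target port, description,
# source port, event count (the column order of the sensor's header line).
RECORD_RE = re.compile(
    r"^EventRecord:\s*(?P<ts>\d{1,2} \w{3} \d{4} \d\d:\d\d:\d\d),\s*"
    r"(?P<dst>[^,]+?),\s*(?P<proto>\d+),\s*(?P<dport>\d+),\s*"
    r"(?P<desc>[^,]*?),\s*(?P<sport>\d+),\s*(?P<count>\d+)\s*$"
)


def parse_records(text):
    """Return the records as dicts, oldest first. A line that is only
    whitespace and a leading comma is a wrapped tail and is glued onto the
    preceding record; headers, '...' and unparseable lines are skipped."""
    joined = []
    for line in text.splitlines():
        if line.startswith("EventRecord:"):
            joined.append(line.rstrip())
        elif joined and line.lstrip().startswith(","):
            joined[-1] += line.strip()
    records = []
    for line in joined:
        m = RECORD_RE.match(line)
        if not m:
            continue
        records.append({
            "time": datetime.strptime(m["ts"], "%d %b %Y %H:%M:%S"),
            "dst": m["dst"], "proto": int(m["proto"]),
            "dport": int(m["dport"]), "desc": m["desc"],
            "sport": int(m["sport"]), "count": int(m["count"]),
        })
    records.sort(key=lambda r: r["time"])
    return records


def summarise(records, sequential_ephemeral_ports=True):
    """Facts a responder wants before arguing about the record's origin.
    sequential_ephemeral_ports is an assumption about the sending host
    (sequential anonymous-port allocation, the Solaris 10 behaviour taken
    as given here); it only affects implied_connections_per_s."""
    if not records:
        return {}
    seen_at = defaultdict(list)
    for r in records:
        seen_at[r["sport"]].append(r["time"])
    # The same source port logged again a few seconds later is one connection
    # attempt whose SYN was retransmitted: the target did not answer.
    repeats = {p: int((t[-1] - t[0]).total_seconds())
               for p, t in seen_at.items() if len(t) > 1}
    sports = [r["sport"] for r in records]
    ports = sorted(seen_at)
    duration = (records[-1]["time"] - records[0]["time"]).total_seconds()
    # If ports are handed out sequentially, the span the counter advanced is
    # roughly the number of outbound TCP connections the host opened in the
    # window, far more than the handful this sensor saw to one destination.
    implied = (ports[-1] - ports[0]) / duration \
        if sequential_ephemeral_ports and duration else None
    return {
        "events": len(records),
        "packets": sum(r["count"] for r in records),
        "destinations": sorted({r["dst"] for r in records}),
        "target_ports": sorted({r["dport"] for r in records}),
        "first": records[0]["time"], "last": records[-1]["time"],
        "duration_s": duration,
        "unique_source_ports": len(ports),
        "port_span": ports[-1] - ports[0],
        "repeated_source_ports": repeats,
        "rising_source_ports": all(a <= b for a, b in zip(sports, sports[1:])),
        "observed_connections_per_s": len(ports) / duration if duration else None,
        "implied_connections_per_s": implied,
    }


if __name__ == "__main__":
    for key, value in summarise(parse_records(SAMPLE_LOG)).items():
        print(f"{key:28} {value}")
```

Run on the posted records, the script reports 13 events (21 packets) over 100 seconds to one destination, source ports that only ever increase, two ports each seen twice three seconds apart (49001 and 49264, the classic SYN retransmit interval), and a port counter that advanced by 2645 in that window. That pattern is consistent with a real TCP stack on the named host opening connections, not a proof of it; a forged record would need to mimic all of it. As for the follow-up question: ipfilter has no notion of process IDs, and `ipmon` only reports packets matched by rules carrying the `log` keyword, so it cannot answer "which process" after the fact. While a connection is alive, `netstat -an` lists the socket and `pfiles <pid>` on candidate processes prints each open socket's local and peer address, which is the usual way on Solaris 10 to tie a connection to a process.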



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:42:15 EDT