I have a stand-alone machine, with dialup ppp connection (using diald). I think someone was trying to hack me today, and I'd like advice on how to find out whether they succeeded, and what to do about it. I'd also appreciate suggestions on the easiest way to prevent, or at least monitor, such activity in the future.
Here's what I saw. I noticed something when diald was keeping the link up unexpectedly. I found the following in the diald packet queue:

    ttl 14, 1 - 164.58.201.227/257 => 207.244.200.40/257 (tcp state ([0,0] 0,0))
    ttl 104, 17 - 164.58.201.227/28800 => 207.244.200.40/28800 (tcp state ([0,0] 0,0))

The destination address (207.244.200.40) was me. Running host on the source address produced:

    Name: line-1.Duncan.dialup.onenet.net
    Address: 164.58.201.227

which is totally unfamiliar to me.

I looked in /etc/services for tcp port 257, but there was no listing. Is there an allowed use for that port? I also thought it odd that both source and destination ports were the same, and that a host had apparently initiated a connection to my machine on a non-well-known port.

Is there any way to tell if these connections really succeeded, and if so what they did? I looked in various files in /var/log, but didn't see anything unusual. The only security service I'm running is courtney, though I've never quite figured out what it looks for, or where it reports what it finds.

Thanks for any help.

--
David Zelinsky
[EMAIL PROTECTED]
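The diald packet-queue lines quoted above have a fixed layout: "ttl N, PROTO - SRC/SPORT => DST/DPORT (...)", where PROTO is the IP protocol number (1 is ICMP, 6 is TCP, 17 is UDP), so the two entries are not TCP at all and the "port" fields of an ICMP entry carry no port meaning. The following script is an added example, not part of the original post and not diald's own tooling: it parses such lines, decodes the protocol number, and flags entries that a remote host aimed at the local address, that target a port/protocol pair not in a services table, or that use identical source and destination ports. The sample lines are the two from the post plus one constructed outbound HTTP entry (192.0.2.10 is a documentation address); the small KNOWN_SERVICES table stands in for /etc/services.

```python
"""Triage diald packet-queue lines: which entries were unsolicited inbound traffic?"""
import re
from dataclasses import dataclass

# IANA IP protocol numbers; diald prints the number, not the name.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed stand-in for /etc/services (assumption: a real run would load
# that file instead). Key is (port, protocol name).
KNOWN_SERVICES = {
    (22, "tcp"): "ssh", (25, "tcp"): "smtp", (53, "udp"): "domain",
    (80, "tcp"): "http", (110, "tcp"): "pop3",
}

# Matches "ttl 14, 1 - 164.58.201.227/257 => 207.244.200.40/257 (...)".
# The trailing "(tcp state ...)" field is ignored.
LINE_RE = re.compile(
    r"ttl\s+(?P<ttl>\d+),\s+(?P<proto>\d+)\s+-\s+"
    r"(?P<src>[\d.]+)/(?P<sport>\d+)\s+=>\s+(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


@dataclass
class QueueEntry:
    ttl: int
    proto: int
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, f"proto-{self.proto}")


def parse_line(line: str):
    """Return a QueueEntry for a diald packet-queue line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return QueueEntry(int(m["ttl"]), int(m["proto"]), m["src"], int(m["sport"]),
                      m["dst"], int(m["dport"]))


def assess(entry: QueueEntry, local_addr: str, services=KNOWN_SERVICES):
    """List the reasons an entry deserves a closer look (empty list = nothing odd)."""
    reasons = []
    if entry.dst == local_addr and entry.src != local_addr:
        reasons.append("inbound: remote host sent this toward the local address")
        # Port semantics only exist for TCP and UDP; ICMP carries no ports.
        if entry.proto in (6, 17) and (entry.dport, entry.proto_name) not in services:
            reasons.append(
                f"destination {entry.dport}/{entry.proto_name} is not a listed service")
    if entry.sport == entry.dport:
        reasons.append("source and destination ports are identical")
    return reasons


def triage(lines, local_addr: str):
    """Parse every line and pair each entry with its reasons; unparsable lines are skipped."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            results.append((entry, assess(entry, local_addr)))
    return results


# Two lines from the post plus one constructed outbound entry (192.0.2.10 is TEST-NET).
SAMPLE_QUEUE = [
    "ttl 14, 1 - 164.58.201.227/257 => 207.244.200.40/257 (tcp state ([0,0] 0,0))",
    "ttl 104, 17 - 164.58.201.227/28800 => 207.244.200.40/28800 (tcp state ([0,0] 0,0))",
    "ttl 30, 6 - 207.244.200.40/1034 => 192.0.2.10/80 (tcp state ([0,0] 0,0))",
]

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_QUEUE, "207.244.200.40"):
        flag = "SUSPECT" if reasons else "ok"
        print(f"{flag:8} {entry.proto_name:5} {entry.src}:{entry.sport} -> "
              f"{entry.dst}:{entry.dport}")
        for r in reasons:
            print(f"         - {r}")
```

Run against the real queue, the script only tells you what arrived and whether it looked solicited; whether anything "succeeded" still depends on what was listening on the flagged port at the time, which is what a listening-socket listing and the daemon logs under /var/log answer.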