Re: Someone hacking via gnome?



Looks like you've been portscanned. What version of GNOME
are you using? Ever since I upgraded to helix's distribution
it doesn't open up ports anymore. Set up a basic firewall with:

ipchains -A input -i ppp0 -p tcp -y -l -j DENY

You may have to change ppp0 to whatever interface you are using.
This command will deny all connection attempts to your machine, while
letting your connection work normally. You can find more sophisticated
firewalls on the net. I use the one that came with the Roaring Penguin
PPPoE package (www.roaringpenguin.com). There are others, but their
locations escape me at the moment.

Good Luck,
Mark

"Jesse F. Hughes" wrote:
> 
> This morning, I found gnome applications crashing.  Finally I
> rebooted, and then noticed this in the messages file:
> 
> Aug 15 09:56:52 phiwumbda identd[28134]: Connection from 206.79.84.73
> Aug 15 09:56:53 phiwumbda in.telnetd[28129]: connect from 206.79.84.73
> Aug 15 09:56:53 phiwumbda wu.ftpd[28128]: connect from 206.79.84.73
> Aug 15 09:56:53 phiwumbda identd[28134]: from: 206.79.84.73 (206.79.84.73) EMPTY REQUEST
> Aug 15 09:56:53 phiwumbda in.fingerd[28131]: connect from 206.79.84.73
> Aug 15 09:56:53 phiwumbda sendmail[28130]: NOQUEUE: Null connection from [206.79.84.73]
> Aug 15 09:56:53 phiwumbda in.pop3d[28132]: connect from 206.79.84.73
> Aug 15 09:56:53 phiwumbda imapd[28135]: connect from 206.79.84.73
> Aug 15 09:56:58 phiwumbda telnetd[28129]: ttloop: peer died: EOF
> Aug 15 09:56:58 phiwumbda imapd[28135]: Command stream end of file, while reading line user=??? host=[206.79.84.73]
> Aug 15 09:57:05 phiwumbda ftpd[28128]: FTP session closed
> Aug 15 09:57:34 phiwumbda in.telnetd[28136]: connect from 206.79.84.73
> Aug 15 09:58:34 phiwumbda wu.ftpd[28138]: connect from 206.79.84.73
> Aug 15 09:58:49 phiwumbda ftpd[28138]: ANONYMOUS FTP LOGIN FROM 206.79.84.73 [206.79.84.73], ddfsasdf@hi.com
> Aug 15 10:00:00 phiwumbda ftpd[28138]: FTP session closed
> Aug 15 10:00:09 phiwumbda wu.ftpd[28148]: connect from 206.79.84.73
> Aug 15 10:00:09 phiwumbda in.telnetd[28149]: connect from 206.79.84.73
> Aug 15 10:00:09 phiwumbda identd[28154]: Connection from 206.79.84.73
> Aug 15 10:00:10 phiwumbda sendmail[28150]: NOQUEUE: Null connection from [206.79.84.73]
> Aug 15 10:00:10 phiwumbda in.fingerd[28151]: connect from 206.79.84.73
> Aug 15 10:00:10 phiwumbda identd[28154]: from: 206.79.84.73 (206.79.84.73) EMPTY REQUEST
> Aug 15 10:00:10 phiwumbda in.pop3d[28152]: connect from 206.79.84.73
> Aug 15 10:00:11 phiwumbda imapd[28155]: connect from 206.79.84.73
> Aug 15 10:00:11 phiwumbda telnetd[28149]: ttloop: peer died: EOF
> Aug 15 10:00:12 phiwumbda imapd[28155]: Command stream end of file, while reading line user=??? host=[206.79.84.73]
> Aug 15 10:00:15 phiwumbda in.rlogind[28156]: connect from 206.79.84.73
> Aug 15 10:00:15 phiwumbda in.rshd[28157]: connect from 206.79.84.73
> Aug 15 10:00:15 phiwumbda rshd[28157]: Connection from 206.79.84.73 on illegal port
> Aug 15 10:00:16 phiwumbda rlogind[28156]: Connection from 206.79.84.73 on illegal port
> Aug 15 10:00:16 phiwumbda ftpd[28148]: FTP session closed
> Aug 15 10:00:21 phiwumbda gmc: [orbit] connect from 206.79.84.73
> Aug 15 10:00:21 phiwumbda multiload_applet: [orbit] connect from 206.79.84.73
> Aug 15 10:00:21 phiwumbda mixer_applet: [orbit] connect from 206.79.84.73
> Aug 15 10:00:21 phiwumbda gnomexmms: [orbit] connect from 206.79.84.73
> Aug 15 10:00:21 phiwumbda another_clock_applet: [orbit] connect from 206.79.84.73
> Aug 15 10:00:21 phiwumbda cdplayer_applet: [orbit] connect from 206.79.84.73
> Aug 15 10:01:39 phiwumbda gnome-name-server[28112]: input condition is: 0x10, exiting
> Aug 15 10:02:46 phiwumbda gnome-name-server[28224]: starting
> Aug 15 10:02:46 phiwumbda gnome-name-server[28224]: name server starting
> Aug 15 10:05:55 phiwumbda gnome-name-server[28224]: input condition is: 0x10, exiting
> 
> Since I use a dynamic IP, the attacks stopped after rebooting.  The
> little shit lost me.
> 
> The child seems incapable of being more than a nuisance to me, but
> what is he connecting to via gnome?  Is there anything serious he can
> do?  How can I keep him out?
> 
> Thanks.
> --
> Jesse Hughes
> "She testified they had sex near the Oval Office, not in the famous
> room itself, because that `wouldn't be appropriate, you know.'"
>                                          -AP article
> 
> _______________________________________________
> gnome-list mailing list
> gnome-list@gnome.org
> http://mail.gnome.org/mailman/listinfo/gnome-list
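
The quoted log shows the portscan signature: one source address reaching identd, telnetd, ftpd, fingerd, sendmail, pop3d and imapd within about a second. The Python check below is an added example, not part of either message; it flags any source that reaches several distinct daemons inside a short window. The function name, thresholds, assumed year and sample lines (constructed, using documentation addresses) are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Classic syslog layout: "Aug 15 09:56:53 host prog[pid]: message" (pid optional)
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([\w.-]+)(?:\[\d+\])?: (.*)$")
CONNECT = re.compile(r"connect(?:ion)? from", re.I)
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def find_scanners(lines, min_services=4, window=timedelta(seconds=10), year=2000):
    """Map each source IP to the daemons it reached, for sources that hit at
    least min_services distinct daemons inside one time window."""
    events = defaultdict(list)  # ip -> [(timestamp, daemon)]
    for line in lines:
        m = LINE.match(line)
        if not m or not CONNECT.search(m.group(3)):
            continue  # not a connection record ("peer died", "session closed")
        ip = IPV4.search(m.group(3))
        if ip:
            # syslog omits the year; `year` is an assumed value from the caller
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events[ip.group(0)].append((ts, m.group(2)))
    flagged = defaultdict(set)
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # distinct daemons reached within `window` of this event
            burst = {d for ts, d in evs[i:] if ts - start <= window}
            if len(burst) >= min_services:
                flagged[ip] |= burst
    return {ip: sorted(d) for ip, d in flagged.items()}

# Constructed sample lines in the same layout as the quoted messages file.
SAMPLE = """\
Aug 15 09:56:52 host identd[101]: Connection from 192.0.2.10
Aug 15 09:56:53 host in.telnetd[102]: connect from 192.0.2.10
Aug 15 09:56:53 host wu.ftpd[103]: connect from 192.0.2.10
Aug 15 09:56:53 host sendmail[104]: NOQUEUE: Null connection from [192.0.2.10]
Aug 15 09:56:53 host in.pop3d[105]: connect from 192.0.2.10
Aug 15 09:56:58 host telnetd[102]: ttloop: peer died: EOF
Aug 15 10:00:21 host gmc: [orbit] connect from 192.0.2.10
Aug 15 09:30:00 host in.telnetd[90]: connect from 198.51.100.7
Aug 15 11:45:00 host wu.ftpd[140]: connect from 198.51.100.7
""".splitlines()

if __name__ == "__main__":
    for ip, daemons in find_scanners(SAMPLE).items():
        print(ip, "->", ", ".join(daemons))
```
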




