View Full Version : Linux system hacked??


Need2No
13-07-2004, 08:11 PM
I've noticed an entry in my system log
Jul 12 19:42:49 theboss xinetd[1718]: START: pop3 pid=16462 from=69.56.196.234

That IP is not mine, nor have I rebooted my system lately or loaded any s/w, so I have not started "pop3".
Running RedHat 9.

Assuming someone has gotten into my system, is there any way to tell HOW they got in, or what they have changed?

Reg

sticky_chicken
13-07-2004, 09:57 PM
Originally posted by Need2No
I've noticed an entry in my system log
Jul 12 19:42:49 theboss xinetd[1718]: START: pop3 pid=16462 from=69.56.196.234

That IP is not mine, nor have I rebooted my system lately or loaded any s/w, so I have not started "pop3".
Running RedHat 9.

Assuming someone has gotten into my system, is there any way to tell HOW they got in, or what they have changed?

Reg

You're a little light on for details.

Have you applied all the patches that are available for RedHat9?

Is your modem/router in bridged mode (your linux box doing the ppp authentication)?

Do you run any firewall on the linux box - eg IPTables?

A host based IDS (Intrusion Detection System) is a good way to ensure that if system files have been modified, added or removed, you'll know about it.

If your system has been broken into, there's a whole bunch of ways it could have happened. My suggestion is to grab chkrootkit (checks for rootkits) and install/run it. It can be found at http://www.chkrootkit.org/

Check your /var/log/messages /var/log/secure files to see if the hacker left any log entries.

The bottom line is that if you have been hacked, the operating system is unlikely to run the same. Try to find out how you got hacked and learn from it. The only way to ensure they don't come back is to reformat/reinstall and close the method of entry.

Need2No
13-07-2004, 10:44 PM
Originally posted by sticky_chicken
You're a little light on for details.

Have you applied all the patches that are available for RedHat9?

I applied all of the updates from RedHat, up until the time that they stopped doing it.


Is your modem/router in bridged mode (your linux box doing the ppp authentication)?

It's in router mode. My linux box just hangs off a hub.

Do you run any firewall on the linux box - eg IPTables?
At the moment I only rely on the (Netcomm NB1300) router's NAT for protection. IPTABLES are on my "todo" list.

A host based IDS (Intrusion Detection System) is a good way to ensure that if system files have been modified, added or removed, you'll know about it.

If your system has been broken into, there's a whole bunch of ways it could have happened. My suggestion is to grab chkrootkit (checks for rootkits) and install/run it. It can be found at http://www.chkrootkit.org/
I will go get a copy of that.

Check your /var/log/messages /var/log/secure files to see if the hacker left any log entries.
I found the following in my mail logs

Jul 12 19:42:49 theboss ipop3d[16462]: pop3 service init from UNKNOWN
Jul 12 19:42:49 theboss ipop3d[16462]: Command stream end of file while reading line user=??? host=UNKNOWN

I'm beginning to think that it was only someone connecting to my POP server looking for a Microsoft hole.

The bottom line is that if you have been hacked, the operating system is unlikely to run the same. Try to find out how you got hacked and learn from it. The only way to ensure they don't come back is to reformat/reinstall and close the method of entry.

I was thinking of redoing my server using Fedora Core. Looks like I will need to bring that project forward now.

Thanks for your suggestions.
Reg
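The check Reg did by hand above (matching the xinetd START pid against the ipop3d lines that follow it) as an added shell example; the log lines are constructed from the entries quoted in this thread, and the "Login user=" wording used to spot a successful login is an assumption about ipop3d's log format, not something taken from the thread:

```shell
# Constructed sample log lines, modelled on the entries quoted in the thread
# (one external connection that hung up, one LAN connection that logged in).
XINETD_LOG='Jul 12 19:42:49 theboss xinetd[1718]: START: pop3 pid=16462 from=69.56.196.234
Jul 12 20:01:03 theboss xinetd[1718]: START: pop3 pid=16499 from=192.168.0.5'
MAIL_LOG='Jul 12 19:42:49 theboss ipop3d[16462]: pop3 service init from UNKNOWN
Jul 12 19:42:49 theboss ipop3d[16462]: Command stream end of file while reading line user=??? host=UNKNOWN
Jul 12 20:01:03 theboss ipop3d[16499]: pop3 service init from 192.168.0.5
Jul 12 20:01:05 theboss ipop3d[16499]: Login user=reg host=192.168.0.5'

# triage_pop3 XINETD_LINES MAIL_LINES
# For each xinetd START of pop3, join the ipop3d lines that carry the same pid
# and classify the session. Prints "<pid> <client-ip> <verdict>" per session:
#   login    - a "Login user=" line was logged (assumed ipop3d wording)
#   dropped  - client closed the stream before finishing a command, no user sent
#   unknown  - anything else, worth reading by hand
triage_pop3() {
    xlog=$1
    mlog=$2
    printf '%s\n' "$xlog" | awk '/START: pop3/ {
        pid = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^pid=/)  pid = substr($i, 5)
            if ($i ~ /^from=/) ip  = substr($i, 6)
        }
        print pid, ip
    }' | while read -r pid ip; do
        lines=$(printf '%s\n' "$mlog" | grep "ipop3d\[$pid\]" || true)
        case $lines in
            *"Login user="*)                verdict=login ;;
            *"Command stream end of file"*) verdict=dropped ;;
            *)                              verdict=unknown ;;
        esac
        printf '%s %s %s\n' "$pid" "$ip" "$verdict"
    done
}

triage_pop3 "$XINETD_LOG" "$MAIL_LOG"
```

A "dropped" session from an address outside your own network is what a port probe or banner grab looks like; a "login" from such an address is the line that should worry you.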

Incabulos
24-07-2004, 03:23 PM
Firstly, disable services you don't need; this holds true for any OS in general.

In RH, use

> chkconfig --list

to see the services you have running. xinetd is unique in that it's a 'super server': it controls a number of other server processes, among which are the popd and imapd used by the University of Washington email software, uw-imap ( simply called 'imap' in RH ).

To disable things ( ipop3 for example, this is the service you mentioned had been connected to )

> chkconfig ipop3 off

This will stop this service from starting at bootup. In the case of the xinetd sub-processes, this particular one will be disabled only. You can turn off xinetd entirely if you wish; this ensures that none of its sub-processes will be running.

> chkconfig xinetd off

will stop xinetd and all its subprocesses from running at bootup in future. If you feel the need to turn anything back on again, replace 'off' with 'on' in the above command. Run chkconfig --list again to ensure what should be off is off.

Next, if you are running off a hub/switch with your ADSL in routed mode, no internet host should be able to connect to your internal network's systems' ports at all. Check for port-forwarding rules on your router. Perhaps all traffic for your external IP address is redirected and NAT'ed to the internal IP address of your RH9 box, meaning it is essentially live and unfirewalled on the net! Check this before you do anything else.

Lastly, you can still get updates for RH9, though they are not official RH packages. The Fedora Legacy project ( http://www.fedoralegacy.org/ ) maintains these, though it is a community project, with no assurance that it will be maintained for any given period of time.

Incidentally, the IP address you logged is:

234.196.56.69.in-addr.arpa domain name pointer websouls04.futuresouls.com

belonging to the following ISP ( based in Texas, USA ):

OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 1333 North Stemmons Freeway
Address: Suite 110
City: Dallas
StateProv: TX
PostalCode:75207
Country: US

HTH.
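An added shell example (not from this thread) that turns the chkconfig review described above into a repeatable check: it reads `chkconfig --list` output, reports which xinetd sub-services are switched on, and prints the `chkconfig ... off` commands for everything not on an allowlist. The sample output is constructed in the Red Hat 9 layout; nothing is changed on the box until you run the printed commands yourself.

```shell
# Constructed sample of `chkconfig --list` output on a Red Hat 9 style box;
# the part after "xinetd based services:" lists the xinetd sub-services.
CHKCONFIG_OUT='xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        ipop2:  off
        ipop3:  on
        pop3s:  on
        telnet: off'

# xinetd_on OUTPUT: print the names of xinetd sub-services that are on,
# one per line, taken from the section that follows the header line.
xinetd_on() {
    printf '%s\n' "$1" | awk '
        /^xinetd based services:/ { inx = 1; next }
        inx && $2 == "on" { sub(/:$/, "", $1); print $1 }'
}

# disable_cmds OUTPUT "svc1 svc2": print a "chkconfig <svc> off" line for
# every enabled xinetd sub-service that is not in the space separated allowlist.
disable_cmds() {
    xinetd_on "$1" | while read -r svc; do
        case " $2 " in *" $svc "*) continue ;; esac
        printf 'chkconfig %s off\n' "$svc"
    done
}

# Keep only pop3s (POP3 over SSL) and see what would be turned off.
disable_cmds "$CHKCONFIG_OUT" "pop3s"
```

On a real box replace the constant with `CHKCONFIG_OUT=$(chkconfig --list)` and pipe the printed commands into `sh` once you have read them.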

mbottrell
24-07-2004, 06:22 PM
Another item that is often missed is that you can set up the system so only known hosts are allowed to connect to your services.

If you know the range of IPs or specific IPs you can restrict all your services to these.

IPtables is one method.....

However you may find that TCP_Wrappers (http://www.faqs.org/docs/linux_network/x-087-2-appl.tcpd.html) is all you require.

In this case it's likely your POP3 service is running out of xinetd.

Take a read of: Xinetd FAQ (http://www.xinetd.org/faq.html#libwrap)

You will find the file(s) you need to edit here:


chkconfig --list |grep pop
ipop2: off
ipop3: on
pop3s: on

cd /etc/xinetd.d


You now edit any file that contained the phrase 'on' above.

Then look at the /etc/hosts.allow and /etc/hosts.deny file.

Simple and effective. You'll also find it will log attempts via syslog. :)
You will find that Redhat actually has information on TCP Wrappers and xinetd (http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-tcpwrappers.html) available for you.
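An added example, not from this thread, of the hosts.allow / hosts.deny pair the post recommends, together with a small shell model of how tcp_wrappers evaluates them (hosts.allow is consulted first, then hosts.deny, and access is granted if neither matches). The files are constructed for the ipop3/pop3s case discussed here; the model only handles ALL, exact addresses and the "192.168.0." prefix form, and it assumes xinetd passes the server's basename (ipop3d) as the daemon name, which is something to verify in your xinetd.conf.

```shell
# Constructed hosts.allow / hosts.deny pair: the LAN may reach the POP3
# daemons, one host may reach sshd, everything else is refused.
# The daemon names assume xinetd hands tcp_wrappers the server's basename.
TMP=$(mktemp -d)
cat >"$TMP/hosts.allow" <<'EOF'
# LAN only (constructed example)
ipop3d, pop3s: 192.168.0.
sshd: 192.168.0.10
EOF
printf 'ALL: ALL\n' >"$TMP/hosts.deny"

# match_item PATTERN VALUE: ALL, exact match, or "192.168.0." prefix form
match_item() {
    p=$(printf '%s' "$1" | tr -d ' ')
    [ "$p" = ALL ] && return 0
    [ "$p" = "$2" ] && return 0
    case $p in *.) case $2 in "$p"*) return 0 ;; esac ;; esac
    return 1
}

# match_list "a, b" VALUE: true if any comma separated item matches
match_list() (
    IFS=,
    for item in $1; do
        match_item "$item" "$2" && exit 0
    done
    exit 1
)

# rule_matches FILE DAEMON CLIENT: true if some "daemons: clients" rule fits
rule_matches() (
    while IFS= read -r line; do
        line=${line%%#*}                 # drop comments
        [ -z "$line" ] && continue
        match_list "${line%%:*}" "$2" || continue
        match_list "${line#*:}" "$3" && exit 0
    done <"$1"
    exit 1
)

# tcpd_decision DAEMON CLIENT: hosts.allow first, then hosts.deny, else allow
tcpd_decision() {
    if rule_matches "$TMP/hosts.allow" "$1" "$2"; then echo allow
    elif rule_matches "$TMP/hosts.deny" "$1" "$2"; then echo deny
    else echo allow; fi
}

tcpd_decision ipop3d 69.56.196.234   # deny: no allow rule, ALL: ALL denies
tcpd_decision ipop3d 192.168.0.5     # allow: LAN prefix in hosts.allow
```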