Last night I came home from work and sat down at the computer. I
noticed the lights on the DSL router were blinking very rapidly. I have
an FTP server running on my Linux box (Slackware 10.2). So I thought
someone might have been uploading something.
Ftpwho showed no users logged in. I checked the incoming directory and
saw nothing there.
Tcpdump showed me that they were sending something using ssh.
I used find to look for anything they might have been uploading, but
found nothing.
/var/log/syslog contained the following over and over for about 4 hours
before I got home:

    Feb 22 20:43:56 ladmo smbd[6375]: [2007/02/22 20:43:56, 0] printing/print_cups.c:cups_cache_reload(85)
    Feb 22 20:43:56 ladmo smbd[6375]: Unable to connect to CUPS server localhost - Connection refused

Then I found in /var/log/syslog this over and over:

    Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow information for NOUSER

I stopped sshd and edited /etc/sshd_config by adding the following:

    AllowUsers root jim
    AllowGroups root

To test the change, I tried to log into the server via ssh using
another account. It wouldn't let me log in using that other account via
ssh.

I also tried

    find / -mmin 1200 -size +100k

and without the size option, but found nothing from the time this was
going on.

After all this I tried to send an email, but sendmail wasn't working. I
backed up my sendmail config files, uninstalled sendmail, reinstalled it
and restored the config files. Sendmail worked after that.
Is there anything else I should do?
thanks
--
"That income tax you know it's nothing more than legal robbery"
Sidney "Pa" Larkin
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
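
An added example, not part of the original post: a log triage for the repeated sshd NOUSER errors quoted above, assuming they come from password attempts against nonexistent accounts, as is usual for this sshd message. The function names and the sample log are constructed for illustration (documentation addresses, made-up users and PIDs); the "Failed password" and "Accepted password" lines follow OpenSSH's usual syslog wording.

```shell
#!/bin/sh
# Added example: triage sshd password guessing in a syslog-format file.

# Constructed sample log: documentation addresses, made-up users and PIDs.
sample_log() {
cat <<'EOF'
Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow information for NOUSER
Feb 21 22:11:14 ladmo sshd[26255]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Feb 21 22:11:19 ladmo sshd[26257]: error: Could not get shadow information for NOUSER
Feb 21 22:11:19 ladmo sshd[26257]: Failed password for invalid user test from 192.0.2.10 port 40125 ssh2
Feb 21 23:02:41 ladmo sshd[26301]: error: Could not get shadow information for NOUSER
Feb 21 23:02:41 ladmo sshd[26301]: Failed password for invalid user guest from 203.0.113.5 port 51200 ssh2
Feb 21 23:05:03 ladmo sshd[26310]: Failed password for jim from 192.0.2.10 port 40190 ssh2
Feb 21 23:05:09 ladmo sshd[26310]: Accepted password for jim from 192.0.2.10 port 40190 ssh2
Feb 22 08:15:30 ladmo sshd[27001]: Accepted password for jim from 198.51.100.7 port 51514 ssh2
EOF
}

# NOUSER errors counted per hour, busiest hour first.
nouser_per_hour() {
    awk '/sshd\[[0-9]+\]: error: Could not get shadow information for NOUSER/ {
             split($3, t, ":"); n[$1 " " $2 " " t[1] ":00"]++ }
         END { for (h in n) print n[h], h }' "$1" | sort -rn
}

# Failed password attempts per source address, busiest first.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             ip = ""; for (i = 6; i < NF; i++) if ($i == "from") ip = $(i + 1)
             if (ip != "") n[ip]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Accepted logins from any address that also failed: the lines that show
# whether guessing turned into access. Order in the file does not matter.
accepted_from_failed_sources() {
    awk '/sshd\[[0-9]+\]: (Failed|Accepted) password for / {
             ip = ""; for (i = 6; i < NF; i++) if ($i == "from") ip = $(i + 1)
             if ($6 == "Failed") bad[ip] = 1
             else { src[NR] = ip; line[NR] = $0 } }
         END { for (r = 1; r <= NR; r++)
                   if ((r in src) && (src[r] in bad)) print line[r] }' "$1"
}

log=$(mktemp) && sample_log > "$log"
nouser_per_hour "$log"
failed_by_source "$log"
accepted_from_failed_sources "$log"
rm -f "$log"
```

To run it against a real log, pass the file that receives sshd messages on the system in place of the sample, for example accepted_from_failed_sources /var/log/syslog.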