LinuxQuestions.org
Old 09-03-2002, 09:09 AM   #1
rbumann
LQ Newbie
 
Registered: Sep 2002
Posts: 6

Rep: Reputation: 0
telnet - connection closed by foreign host


I am having trouble telnetting to my Linux host. The configuration hasn't changed and I used to be able to telnet to the machine with no problems. Below is the output from a Terminal window running locally on the Linux host. It appears to log in successfully and then the connection is closed by the foreign host.

# telnet hostname
Trying 192.48.100.188...
Connected to hostname
Escape character is '^]'.

Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.16-22 on an i586
login: username
Password: *****
Last Login: Sat Aug 31 14:01:01 from hostname
Connection closed by foreign host.
#
 
Old 09-03-2002, 10:27 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,344

Rep: Reputation: 1945
Well, what do the logs say on the server machine?
 
Old 09-03-2002, 11:15 AM   #3
rbumann
LQ Newbie
 
Registered: Sep 2002
Posts: 6

Original Poster
Rep: Reputation: 0
Here is some log info from /var/log/secure and /var/log/messages. Is there other log info that I'm missing?

/var/log/secure
-------------------
Sep 3 11:00:09 mailsrv xinetd[863]: START: telnet pid=23094 from=192.48.100.164

/var/log/messages
------------------------
Sep 3 10:52:53 mailsrv PAM_unix[22800]: (system-auth) session opened for user sammy1 by (uid=0)

Sep 3 10:52:53 mailsrv -- sammy1[22800]: LOGIN ON pts/5 BY sammy1 FROM mailsrv

Sep 3 10:52:53 mailsrv PAM_unix[22800]: (system-auth) session closed for user sammy1
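
The pattern visible in the /var/log/messages excerpt above (a PAM session opened and closed within the same second), as an added example that is not part of the original post: a small Python parser that pairs PAM_unix open/close events by PID and reports sessions that ended almost immediately. The `alice` session, the function names and the 2-second threshold are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample: the three /var/log/messages lines quoted in the post, plus
# one made-up normal session (user "alice", pid 23110) for contrast.
SAMPLE_LOG = """\
Sep 3 10:52:53 mailsrv PAM_unix[22800]: (system-auth) session opened for user sammy1 by (uid=0)
Sep 3 10:52:53 mailsrv -- sammy1[22800]: LOGIN ON pts/5 BY sammy1 FROM mailsrv
Sep 3 10:52:53 mailsrv PAM_unix[22800]: (system-auth) session closed for user sammy1
Sep 3 10:55:02 mailsrv PAM_unix[23110]: (system-auth) session opened for user alice by (uid=0)
Sep 3 11:20:47 mailsrv PAM_unix[23110]: (system-auth) session closed for user alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+PAM_unix\[(?P<pid>\d+)\]:\s+"
    r"\((?P<svc>[^)]+)\)\s+session (?P<event>opened|closed) for user (?P<user>\S+)"
)

def parse_ts(text, year=2002):
    # Classic syslog timestamps carry no year; the caller supplies one.
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")

def short_sessions(log_text, max_seconds=2, year=2002):
    """Return sessions whose PAM open and close are at most max_seconds apart."""
    open_at = {}  # (host, pid, user) -> time the session was opened
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a PAM_unix session line (e.g. the LOGIN ON line)
        key = (m["host"], m["pid"], m["user"])
        when = parse_ts(m["ts"], year)
        if m["event"] == "opened":
            open_at[key] = when
        elif key in open_at:
            lasted = (when - open_at.pop(key)).total_seconds()
            if 0 <= lasted <= max_seconds:
                hits.append({"user": m["user"], "pid": int(m["pid"]),
                             "opened": m["ts"], "seconds": lasted})
    return hits

if __name__ == "__main__":
    for hit in short_sessions(SAMPLE_LOG):
        print("{user} pid={pid} opened {opened}, closed after {seconds:.0f}s".format(**hit))
```

A session that lasts zero seconds only says that the login shell exited as soon as it started; the log alone does not say why.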
 
Old 09-03-2002, 05:05 PM   #4
badjooda
LQ Newbie
 
Registered: Aug 2002
Posts: 9

Rep: Reputation: 0
100% sure nothing has changed?
Do you run a chkrootkit cron job daily? chkrootkit.org
New host box? Do other boxes telnet in?
Checked hosts allow?
Checked running services?
Firewalling problems?
 
Old 09-04-2002, 07:52 AM   #5
born4linux
Senior Member
 
Registered: Sep 2002
Location: Philippines
Distribution: Slackware, RHEL&variants, AIX, SuSE
Posts: 1,127

Rep: Reputation: 49
run this:

finger username

make sure that he has a shell value (i.e. /bin/bash) and not /bin/nologin
 
Old 09-04-2002, 08:08 AM   #6
rbumann
LQ Newbie
 
Registered: Sep 2002
Posts: 6

Original Poster
Rep: Reputation: 0
This is the output of:

# finger sammy1

Login: sammy1 Name: Sammy
Directory: /home/sammy1 Shell: /bin/bash
Last login Tue Sep 3 11:00 (CDT) on pts/5 from mailsrv
New mail received Tue Sep 3 16:56 2002 (CDT)
Unread since Tue Sep 3 14:41 2002 (CDT)
No Plan.
 
Old 09-04-2002, 08:18 AM   #7
rbumann
LQ Newbie
 
Registered: Sep 2002
Posts: 6

Original Poster
Rep: Reputation: 0
I downloaded the chkrootkit program from chkrootkit.org. It explains that the chkrootkit program uses the commands awk, cut, egrep, etc. and that one should use the -p option to point to a directory of good binaries.

Is there a way to easily extract these from CD or some other location?

I ran the command:
# chkrootkit ps

It returned:
ROOTDIR is `/'
Checking `ps' ... INFECTED

I didn't want to run the command against all the tests until I knew I had a clean set of command files.
 
Old 09-04-2002, 12:46 PM   #8
badjooda
LQ Newbie
 
Registered: Aug 2002
Posts: 9

Rep: Reputation: 0
Seems like your cherry has been popped!

Got your 7.0 Redhat ISO's handy?

GOT your bootable floppy?

If no to all of the above, create a boot floppy from either
RedHat's site or a TOM's root boot.

Then boot from floppy (disconnect the stinkin nic cable)
and you'll need to reload each infected program
from the original CDs.

If you're a true newbie maybe wiping completely and starting
over with RedHat 7.3 is a better suggestion.

Hopefully you'll run Secure shell in the future and not
Telnet. (Telnet sends your username and password in
clear text for anybody to sniff.) Try www.openssh.org
instead, or load the Redhat ssh rpm.

You don't run most things as root do you?
You should run them as you (username) and only su to root,
if needed.

Also think about installing Bastille. It hardens your OS for you.
Another program. www.bastille-linux.org

Also what about a firewall? gShield maybe?

You can even make a hardware firewall out of junk; look up LRP (Linux Router Project). I run about ten of them for people!

Do a "netstat -a |more" more often.
Also run "nmap" against your box to see what ports you have open.

All of the above programs are free.
And so is the advice.


Need more help, just email me or post it...


badjooda


 
Old 09-04-2002, 01:13 PM   #9
rbumann
LQ Newbie
 
Registered: Sep 2002
Posts: 6

Original Poster
Rep: Reputation: 0
I figured it was coming to this. I greatly appreciate everyone's help on this.

One last question: I have a folder structure under /dev/tux, what is this from?
 
Old 09-04-2002, 01:56 PM   #10
badjooda
LQ Newbie
 
Registered: Aug 2002
Posts: 9

Rep: Reputation: 0
tux is web server software like Apache.

Just a question...

Are you going to wipe and re-load? or do the long process
of re-loading each program?

I have had other friends that were in the same spot and decided to reload because then they would be starting from a clean slate. Don't feel bad!

I set up vanilla red hat 7.1 Install on the Net (Live IP)
to see how long until it would be hacked..

It took 30 minutes. (the then secure shell bug is what they used) Secure shell has now been fixed, but it just goes to
show you that even the best system needs constant log files
checking.

I run a few cron jobs daily that look for these kinds of things.
I also install and run apt-get. It is a new rpm program for
rpm heads that makes installing and fixing dependencies
in rpm packages a breeze. http://freshrpms.net/apt/

I also have every single login attempt emailed to a different box and logged. ( I am ex-marine and a little paranoid).

Back to the grind.....
 
Old 01-05-2012, 07:47 AM   #11
jotavio
LQ Newbie
 
Registered: Feb 2008
Posts: 2

Rep: Reputation: 0
Resolution for telnet connection trouble...

If you want to resolve this problem of Connection closed by foreign host when you are using telnet services, you need to put an entry for a good DNS server in /etc/resolv.conf.

Afterwards, you can run a test using ping www.google.com (for example). If it succeeds, good... Now try to connect to this server using telnet.

If it works, send me an e-mail. jopdeluca@gmail.com.

Good luck.

Zé Otávio.

Quote:
Originally Posted by rbumann View Post
Here is some log info from /var/log/secure and /var/log/messages. Is there other log info that I'm missing?

/var/log/secure
-------------------
Sep 3 11:00:09 mailsrv xinetd[863]: START: telnet pid=23094 from=192.48.100.164

/var/log/messages
------------------------
Sep 3 10:52:53 mailsrv PAM_unix[22800]: (system-auth) session opened for user sammy1 by (uid=0)

Sep 3 10:52:53 mailsrv -- sammy1[22800]: LOGIN ON pts/5 BY sammy1 FROM mailsrv

Sep 3 10:52:53 mailsrv PAM_unix[22800]: (system-auth) session closed for user sammy1
 
Old 01-05-2012, 08:43 AM   #12
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 10,882
Blog Entries: 1

Rep: Reputation: 1307
Moderator response

Hi,

jotavio, the OP has not participated since 2002. Notice the thread dates.

Please do not resurrect such old threads.
 
  

