I don't think I've been hacked but these log entries have me a little concerned. I have a vague idea of what sgi_fam does so I'm not sure if this is a configuration snafu or if someone has compromised my system.

In /var/log/secure, I'm getting the following floods:
----------------------------------------------------------
Sep 5 10:07:34 glyph xinetd[6152]: FAIL: sgi_fam libwrap from=<no address>
Sep 5 10:07:34 glyph xinetd[5826]: START: sgi_fam pid=6153 from=<no address>
Sep 5 10:07:34 glyph xinetd[6153]: FAIL: sgi_fam libwrap from=<no address>
Sep 5 10:07:34 glyph xinetd[5826]: START: sgi_fam pid=6154 from=<no address>
Sep 5 10:07:34 glyph xinetd[6154]: FAIL: sgi_fam libwrap from=<no address>
-----------------------------------------------------------

/var/log/messages:
---------------------------------------------------------------------
Sep 5 10:07:34 glyph xinetd[6156]: libwrap refused connection to sgi_fam (libwrap=fam) from <no address>
Sep 5 10:07:34 glyph xinetd[5826]: Deactivating service sgi_fam due to excessive incoming connections. Restarting in 30 seconds.
Sep 5 10:08:05 glyph xinetd[5826]: Activating service sgi_fam
----------------------------------------------------------------------

I've had general probes and attempts from .sg and .tw but nothing that looked like someone got in. chkrootkit comes up clean and I have everything pretty well locked down in hosts.deny/allow.

Any comments appreciated.

- JoeB

You didn't state what distro you are using, I have seen, Fedora Core 1 has a bug that would cause this to occur.

Also, you state that /etc/hosts and host.deny are locked down. I think you should consider using iptables to really secure your unit. Tcpwrappers is not enough. I learned that the hard way. And iptables isn't enough either, but it's a good start.

I'm running Redhat AS 3.0.

I'm installing iptables too. Too much activity out there