I have a server running slackware 10.2 on the internet for software testing purposes. I suspect hacking the server has at least been attempted.

What log files do I need to use to investigate this ? How can I investigate this further than just viewing log files and possibly reverse searching on the IP address ? I am assuming all log files would be in /var/adm . I have looked at /var/adm/secure.1 and find many entries that say such as this entry :

Mar 4 15:57:49 IBMSERVER in.telnetd[2109]: connect from 200.76.242.22 (200.76.242.22)

Mar 4 15:57:49 IBMSERVER in.telnetd[2110]: connect from 200.76.242.22 (200.76.242.22)

I find it interesting that these entries seem to come in pairs to different ports from the same IP address through out the log.


Also, what does this entry mean in the message log ?

Feb 5 14:21:28 IBMSERVER -- MARK --


Thank You in advance,
Tom

Open up /etc/inetd.conf. Find a line that looks like this:

And make it look like this:

Reboot. Now, if you were using telnet, learn to use ssh instead.


Rough translation, "Hi, I'm the syslog daemon. I haven't had anything interesting to say in awhile, so I thought I'd let you know that I'm still here, working hard as always."

I am using ssh to connect.

Er, alright...

The unauthorized connections are going to telnet, and he described how to shutdown telnet. This has nothing to do with SSH, and won't change it's operation in any way.

Ok, telnet was originally enabled, then we decided to use ssh instead. I do not know if telnet port is still open. I will shutdown telnet in that case.