Most of the responses that I received said that my user had probably
either sent his password over insecure lines and it was sniffed, or that
my user had been targeted. Either way this led us to tighten down
security with tcpd and more religious watching of our logs. Gregory
Coleman included this little bit of advice that others may be
> My suggestions in this scenario:
> ==>Hit www.cert.com and follow their info about breakins.
> ==>Start monitoring that box assiduously. If you don't have
> /var/adm/loginlog in place, create it as such (as root):
> touch /var/adm/loginlog; chmod 600 /var/adm/loginlog
> ...this will log failed login attempts.
> ==>Run tcp-wrappers if you aren't already.
> ==>Provide ssh for your users.
> ==>Change the password on that account.
> ==>Run crack and find out if there are other weak passwords and change
> Hope that doesn't make you too paranoid, but it did it to me!
Michael Neef also told me about a recent security patch for in.telnet.
Patch number 106049-01.
Thanks to everyone that responded.
firstname.lastname@example.org David Wiseman
email@example.com Scott D. Yelich
firstname.lastname@example.org Simon Convey
email@example.com Rich Snyder
firstname.lastname@example.org Gregory Coleman
email@example.com Steve Kay
Micheal.Neef@neuroinformatik.ruhr-uni-bochum.de Michael Neef
Douglas Sean Hagan
ACRS Unix Administration
Western Kentucky University
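As an added example (not from the post or any of the respondents), here are a few shell helpers for triaging the /var/adm/loginlog file that the quoted reply recommends creating: one verifies the file carries the 600 mode the reply prescribes, the others count failed attempts per account so that accounts with repeated failures can be flagged for a password change. The entry format login:tty:time is assumed from the Solaris loginlog(4) layout, and the log lines are constructed samples.

```shell
#!/bin/sh
# Added example: triage helpers for /var/adm/loginlog as recommended in the
# quoted reply. Assumed entry format (from Solaris loginlog(4)):
#   login:tty:time    -- one line per failed login attempt

# Constructed sample entries, not taken from any real system.
SAMPLE_LOGINLOG=$(mktemp)
cat >"$SAMPLE_LOGINLOG" <<'EOF'
alice:/dev/pts/3:Mon Sep 24 02:11:05 2001
alice:/dev/pts/3:Mon Sep 24 02:11:19 2001
alice:/dev/pts/3:Mon Sep 24 02:11:33 2001
alice:/dev/pts/3:Mon Sep 24 02:11:47 2001
alice:/dev/pts/3:Mon Sep 24 02:12:01 2001
root:/dev/pts/5:Mon Sep 24 03:40:12 2001
bob:/dev/pts/1:Tue Sep 25 09:02:44 2001
EOF
chmod 600 "$SAMPLE_LOGINLOG"   # the mode the reply prescribes

# Succeed only if the log is readable and writable by its owner alone
# (-rw-------), so ordinary users cannot read or tamper with the evidence.
loginlog_perms_ok() {   # loginlog_perms_ok FILE
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Number of failed attempts recorded for one account (0 if none).
count_failed_logins() {   # count_failed_logins FILE USER
    awk -F: -v u="$2" '$1 == u { n++ } END { print n + 0 }' "$1"
}

# Per-user totals, one "user count" pair per line, busiest account first.
summarize_failed_logins() {   # summarize_failed_logins FILE
    cut -d: -f1 "$1" | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Accounts with at least THRESHOLD failed attempts: candidates for a
# password change and a closer look at the tty/session they came from.
flag_suspicious() {   # flag_suspicious FILE THRESHOLD
    awk -F: -v t="$2" '{ c[$1]++ } END { for (u in c) if (c[u] >= t) print u }' "$1" | sort
}

echo "failed logins per user:"
summarize_failed_logins "$SAMPLE_LOGINLOG"
echo "accounts with 5 or more failures:"
flag_suspicious "$SAMPLE_LOGINLOG" 5
```

Point the functions at the real /var/adm/loginlog (as root) once it exists; on a live system the per-user counts are what to watch between log reviews.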
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:41 CDT