Subject: Re: Was I hacked?
From: Martin McWhorter (m_mcwhorter@prairiegroup.com)
Date: Thu Aug 17 2000 - 12:08:49 MDT

Israel,

Change your password. Install ssh (secure shell) and disable Telnet.

A whois from arin.net reveals this information:
---------------------------------
MobileNetics Corporation (NETBLK-MOBILENETICS-BLK-3)
30021 Tomas Street, Suite 300,
Rancho Santa Margarita, CA 92688
Netname: MOBILENETICS-BLK-3
Netblock: 64.63.0.0 - 64.63.127.255
Maintainer: MONC
Coordinator:
Turbow, Bryan (BT307-ARIN) bturbow@mobilenetics.com
+1.949.589.5675
Domain System inverse mapping provided by:
FLOWER1.MOBILENETICS.COM 209.0.200.3
GOLFVIEW.MOBILENETICS.COM 24.2.126.23
Record last updated on 20-Jul-2000.
Database last updated on 17-Aug-2000 06:58:46 EDT.
-----------------------------------------------
Report this to the network abuse department at MobileNetics. It seems the
device you were cracked from is an ATM router.

Martin

Israel Alvarez wrote:
> When I telnetted into my YDL server this morning, I was greeted by this:
>
> "Last login: Wed Aug 16 11:31:58 from
> ip-64-63-37-99.reverse.mobilenetics.com"
>
> no one but me should be accessing this machine, and I don't recognize the
> domain or the ip (I assume it is 64.63.67.99).
>
> I did a find / -mtime 1 to find files modified in the last day, and saw
> nothing suspicious, but I don't know if there's a way of spoofing that. Any
> suggestions? Should I take my server down for a few days? Is there some
> software I can install to block/track possible attacks? Or is this even
> really a cracker?
>
> I don't want my machine to wind up being part of someone's DDOS attack.
> --
>
> Israel Alvarez
> is at isaka dot net
> propellerhead without portfolio
> isaka studio
> "The crimes of eBay are a disgrace to its pig latin heritage"
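
Added example, not part of the original messages: one way to audit login records for the situation discussed in this thread, flagging remote logins from sources the administrator does not use and matching them to the whois netblock for the abuse report. The trusted network, the sample `last`-style lines and all function names are assumptions constructed for illustration; only the hostname and the netblock range come from the thread.

```python
import ipaddress
import re

# Netblock exactly as quoted in the whois output above.
WHOIS_BLOCKS = {"MOBILENETICS-BLK-3": ("64.63.0.0", "64.63.127.255")}
# Assumption: the networks the administrator really logs in from (constructed).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Constructed sample in the general layout of `last` output; only the
# mobilenetics hostname comes from the thread.
SAMPLE_LAST = """\
israel  pts/0  192.0.2.17  Tue Aug 15 09:12 - 09:40  (00:28)
israel  pts/1  ip-64-63-37-99.reverse.mobilenetics.com  Wed Aug 16 11:31 - 11:52  (00:21)
israel  pts/0  192.0.2.17  Thu Aug 17 08:03   still logged in
"""
DOTTED_OR_DASHED = re.compile(r"(?<!\d)(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})(?!\d)")

def source_ip(source):
    """IPv4 address that a source field is, or spells out in its name, else None.
    A reverse-DNS name is set by whoever controls the address block, so an
    address recovered from a hostname is a lead to verify, not proof."""
    m = DOTTED_OR_DASHED.search(source)
    if not m:
        return None
    try:
        return ipaddress.ip_address(".".join(m.groups()))
    except ValueError:  # e.g. an octet above 255
        return None

def owning_block(ip):
    """Name of the whois netblock that contains ip, or None."""
    for name, (first, last) in WHOIS_BLOCKS.items():
        if ipaddress.ip_address(first) <= ip <= ipaddress.ip_address(last):
            return name
    return None

def unexpected_logins(last_text):
    """Return one record per remote login whose source is outside TRUSTED_NETS."""
    findings = []
    for line in last_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] in ("reboot", "wtmp"):
            continue  # blank lines, reboot markers, the wtmp trailer
        user, _tty, source = fields[:3]
        ip = source_ip(source)
        if ip is not None and any(ip in net for net in TRUSTED_NETS):
            continue
        findings.append({"user": user, "source": source, "when": " ".join(fields[3:7]),
                         "ip": str(ip) if ip is not None else None,
                         "netblock": owning_block(ip) if ip is not None else None})
    return findings

if __name__ == "__main__":
    for finding in unexpected_logins(SAMPLE_LAST):
        print(finding)
```

Login records live on the machine being investigated, so a copy kept on another host is the more reliable input once a compromise is suspected.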
This archive was generated by hypermail 2a24 : Thu Aug 17 2000 - 12:01:34 MDT