I am having trouble telneting to my Linux host. The configuration hasn't changed and I used to be able to telnet to the machine with no problems. Below is the output from a Terminal window running local on the Linux host. It appears to login successfully and then the connection is closed by the foreign host.

# telnet hostname
Trying 192.48.100.188...
Connected to hostname
Escape character is '^]'.

Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.16-22 on an i586
login: username
Password: *****
Last Login: Sat Aug 31 14:01:01 from hostname
Connection closed by foreign host.
#

well what do the logs say on the server machine?

Here is some log info from /var/log/secure and /var/log/messages. Is there other log info that I'm missing?

/var/log/secure
-------------------
Sep 3 11:00:09 mailsrv xinetd[863]: START: telnet pid=23094 from=192.48.100.164

/var/log/messages
------------------------
Sep 3 10:52:53 mailsrv PAM_unix[22800]: (system-auth) session opened for user sammy1 by (uid=0)

Sep 3 10:52:53 mailsrv -- sammy1[22800]: LOGIN ON pts/5 BY sammy1 FROM mailsrv

Sep 3 10:52:53 mailsrv PAM_unix[22800]: (system-auth) session closed for user sammy1

100% sure nothing has changed?
DO you run a chkrootkit cron job daily? chkrootkit.org
New host box?, do other boxes telnet in?
Checked hosts allow?
Checked running services?
Firewalling problems?

run this:

finger username

make sure that he has a shell value (i.e. /bin/bash) and not /bin/nologin

This is the output of:

# finger sammy1

Login: sammy1 Name: Sammy
Directory: /home/sammy1 Shell: /bin/bash
Last login Tue Sep 3 11:00 (CDT) on pts/5 from mailsrv
New mail received Tue Sep 3 16:56 2002 (CDT)
Unread since Tue Sep 3 14:41 2002 (CDT)
No Plan.

I download the chkrootkit program from chkrootkit.org. It explains that the chkrootkit program uses the commands awk, cust, egrep, etc... and that one should use the -p option to point to a directory of good binaries.

Is there a way to easily extract these from CD or some other location?

I ran the command :
# chkrootkit ps

It returned:
ROOTDIR is `/'
Checking `ps' ... INFECTED

I didn't want run the command against all the tests until I knew I had a clean set of command files.

Seems like your cherry has been popped!

Got your 7.0 Redhat ISO's handy?

GOT your bootable floppy?

If no to all of the above create a boot floppy from Either
RedHats's site or a TOM's root boot.

then boot from floppy (disconnect the stinkin nic cable)
and you'll need to reload each infected program
from the orginial CD's.

If your a true newbie maybe wiping completely and starting
over with RedHat 7.3 is a better suggestion.

Hopefully you'll run Secure shell in the future and not
Telnet. (telnet sends your username and password in
clear text for anybody to sniff). try www.openssh.org
instead. or load the Redhat ssh rpm.

You don't run most things as root do you?
You should run them as you (username) and only su to root,
if needed.

Also think about installing Bastille. It hardens your OS for you.
Another program. www.bastille-linux.org

Also what about a firewall? gsheild maybe?

You can even make a hardware firewall out of junk look up LRP (linux router project) I run about ten of then for people!

do a "netstat -a |more" more often.
Also run "nmap" against your box to see what ports you have open.

All of the above programs are free.
And so is the advice.


Need more help, just email me or post it...


badjooda

I figured it was coming to this. I greatly appreciate everyone's help on this.

One last question: I have a folder structure under /dev/tux, what is this from?

tux is web server software like Apache.

Just a question...

Are you going to wipe and re-load? or do the long process
of re-loading each program?

I have had other friends that were in the same spot and decided to reload because then they would be starting from a clean slate. Don't feel bad!

I set up vanilla red hat 7.1 Install on the Net (Live IP)
to see how long until it would be hacked..

It took 30 minutes. (the then secure shell bug is what they used) Secure shell has now been fixed, but it just goes to
show you that even the best system needs constant log files
checking.

I run a few cron jobs daily that looks for these kinds of things.
I also install and run apt-get. It is a new rpm program for
rpm heads that makes installing and fixing dependencies
in rpm packages a breeze. http://freshrpms.net/apt/

I also have every single login attempt emailed to a different box and logged. ( I am ex-marine and a little paranoid).

Back to the grind.....

If you want resolve this problem of Connection closed by foreing host, when you are using telnet services, you need put in /etc/resolv.conf an entry of a good DNS Server.

After, you can make a test using ping www.google.com (for example). If you have success, good... Try now connect on this serve using telnet.

In success case, send me an e-mail. jopdeluca@gmail.com.

Good look.
.

Zé Otávio.

Hi,

jotavio the OP has not participated since 2002. Notice the Thread dates.

Please do not resurrect such old threads.