https://community.hpe.com/t5/operating-system-hp-ux/suspect-string-in-syslog-log/m-p/2663615#M48977 hi guys, i found in the syslog this entry:<BR />Feb 12 23:05:54 server1 remshd[15355]: Connection from 0.0.0.0 on illegal port<BR />Feb 12 23:05:56 server1 remshd[15356]: Connection from 0.0.0.0 on illegal port<BR />Feb 12 23:05:59 server1 remshd[15357]: Connection from 0.0.0.0 on illegal port<BR />Feb 12 23:06:05 server1 remshd[15360]: Connection from 0.0.0.0 on illegal port<BR />Feb 12 23:06:17 server1 remshd[15378]: Connection from 0.0.0.0 on illegal port<BR />Feb 12 23:06:42 server1 remshd[15384]: Connection from 0.0.0.0 on illegal port<BR />what this strings means?<BR />thanks a lot for your aid. Tue, 12 Feb 2002 23:29:28 GMT Gabriele FACCHINI 2002-02-12T23:29:28Z https://community.hpe.com/t5/operating-system-hp-ux/suspect-string-in-syslog-log/m-p/2663615#M48977 hi guys, i found in the syslog this entry:<BR />Feb 12 23:05:54 server1 remshd[15355]: Connection from 0.0.0.0 on illegal port<BR />Feb 12 23:05:56 server1 remshd[15356]: Connection from 0.0.0.0 on illegal port<BR />Feb 12 23:05:59 server1 remshd[15357]: Connection from 0.0.0.0 on illegal port<BR />Feb 12 23:06:05 server1 remshd[15360]: Connection from 0.0.0.0 on illegal port<BR />Feb 12 23:06:17 server1 remshd[15378]: Connection from 0.0.0.0 on illegal port<BR />Feb 12 23:06:42 server1 remshd[15384]: Connection from 0.0.0.0 on illegal port<BR />what this strings means?<BR />thanks a lot for your aid. Tue, 12 Feb 2002 23:29:28 GMT https://community.hpe.com/t5/operating-system-hp-ux/suspect-string-in-syslog-log/m-p/2663615#M48977 Gabriele FACCHINI 2002-02-12T23:29:28Z https://community.hpe.com/t5/operating-system-hp-ux/suspect-string-in-syslog-log/m-p/2663616#M48978 Hi,<BR /><BR />I am not 100% sure and don't want to<BR />ring the alarm bells too loudly but it <BR />looks as though there has been an <BR />attempted hack into your machine using a <BR />remote shell (remsh). The first thing I<BR />would is (if you can) to close off any<BR />unnecessary ports on your server. Start<BR />with the inetd.conf file and comment out<BR />items like these. Make sure you run <BR /># inetd -c <BR />after making any changes.<BR /><BR />login stream tcp nowait root /usr/lbin/rlogind rlogind<BR />shell stream tcp nowait root /usr/lbin/remshd remshd<BR /><BR />Did this just start happening or have you <BR />just noticed it?<BR /><BR />-Michael<BR /> Wed, 13 Feb 2002 01:42:21 GMT https://community.hpe.com/t5/operating-system-hp-ux/suspect-string-in-syslog-log/m-p/2663616#M48978 Michael Tully 2002-02-13T01:42:21Z https://community.hpe.com/t5/operating-system-hp-ux/suspect-string-in-syslog-log/m-p/2663617#M48979 Gabriele,<BR /><BR />As Michael said, shut down what you don't use:<BR /><BR /><A href="http://people.hp.se/stevesk/bastion.html" target="_blank">http://people.hp.se/stevesk/bastion.html</A><BR /><BR />Is this server on the internet or within your local network?<BR /><BR />live free or die<BR />harry Wed, 13 Feb 2002 02:36:45 GMT https://community.hpe.com/t5/operating-system-hp-ux/suspect-string-in-syslog-log/m-p/2663617#M48979 harry d brown jr 2002-02-13T02:36:45Z https://community.hpe.com/t5/operating-system-hp-ux/suspect-string-in-syslog-log/m-p/2663618#M48980 hi guys thanks for your helps.<BR />this server are in internet.<BR />how can i be sure that i have had an attack?<BR />thanks a lot.<BR />gabriele Wed, 13 Feb 2002 06:49:41 GMT https://community.hpe.com/t5/operating-system-hp-ux/suspect-string-in-syslog-log/m-p/2663618#M48980 Gabriele FACCHINI 2002-02-13T06:49:41Z https://community.hpe.com/t5/operating-system-hp-ux/suspect-string-in-syslog-log/m-p/2663619#M48981 Hi,<BR /><BR />Seeing that you system is on the internet I suggest that you try to make it as robust as possible, by stopping ALL unnecessary services. Also have a look at the link below, it has some interesting information in regards<BR />to hacking.<BR /><BR /><A href="http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x71b779bffde7d4118fef0090279cd0f9,00.html" target="_blank">http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x71b779bffde7d4118fef0090279cd0f9,00.html</A><BR /><BR />If you haven't already, have a good read of the document link posted by Harry. I have two systems on the net and both were built using this method. To date we haven't been hacked. (touch wood!)<BR /><BR />HTH<BR />-Michael Wed, 13 Feb 2002 07:05:22 GMT https://community.hpe.com/t5/operating-system-hp-ux/suspect-string-in-syslog-log/m-p/2663619#M48981 Michael Tully 2002-02-13T07:05:22Z https://community.hpe.com/t5/operating-system-hp-ux/suspect-string-in-syslog-log/m-p/2663620#M48982 thanks for your help.<BR />A ports of remsh is closed by firewall, and this error was created by a failed control of a monitoring system. Wed, 13 Feb 2002 07:52:08 GMT https://community.hpe.com/t5/operating-system-hp-ux/suspect-string-in-syslog-log/m-p/2663620#M48982 Gabriele FACCHINI 2002-02-13T07:52:08Z