HPE Community
Operating System - HP-UX
1833265 Members
2882 Online
110051 Solutions
New Discussion

Am I being hacked?

 
SOLVED
Go to solution
Chris Burkart_1
Occasional Contributor

‎09-26-2002 09:11 AM

‎09-26-2002 09:11 AM

Am I being hacked?

Once a minute I get this entry in the syslog file.

Sep 26 11:46:16 potter telnetd[29451]: getpid: peer died: Error 0

It looks like some process is trying to login. How can I track down where it's coming from?
0 Kudos
Reply
8 REPLIES 8
Jeff Schussele
Honored Contributor

‎09-26-2002 09:24 AM

‎09-26-2002 09:24 AM

Solution

Re: Am I being hacked?

Hi Chris,

No, this is indicative of a telnet session starting & then dying.
Reasons could be:
A) Network trouble
B) Firewall terminating the session
C) Remote session closing abnormally
D) Bad TCP protocol usage on the remote side (MicroSoft!)

To gain more connection info, stop & start inetd with the -l (ell) option & it'll log greater connection info. Be advised that if you have a lot of TCP connections you can grow the /var/adm/syslog/syslog.log file quickly.

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Reply
Sridhar Bhaskarla
Honored Contributor

‎09-26-2002 09:29 AM

‎09-26-2002 09:29 AM

Re: Am I being hacked?

Hi,

As Jeff mentioned, it was because the client died abruptly.

Run inetd with -l option so that you can see all the connection information. "inetd -l" will enable you to see the information right on from that point.

29451 is the pid of telnetd connection. So, you can search for 29451 and you would see a line "connection from xx.xx.xx.xx" initially associated with the telnetd process in syslog.log

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Reply
Sean OB_1
Honored Contributor

‎09-26-2002 09:44 AM

‎09-26-2002 09:44 AM

Re: Am I being hacked?

Chris,

This is most likely a client losing connectivity during a telent session.

You can increase logging of the inet daemon but restarting it with the '-l' option.

That will give you the info to determine where the session is coming from.

Sean
Reply
doug hosking
Esteemed Contributor

‎09-27-2002 05:05 AM

‎09-27-2002 05:05 AM

Re: Am I being hacked?

The same quesiton came up a few days ago.
I've asked HP's telnetd code owners to replace this message with a clearer and less frightening one.

This is nothing at all to worry about. It almost certainly just means that someone terminated a connection in a very ungraceful manner. For example, if a PC had a DOS window opened, someone ran telnet to HP-UX, then clicked the 'X' of the window to close the window without typing 'quit' to telnet first, the telnet session would die without doing a proper termination handshake with telnetd first. HP-UX would note this event by generating the message you show above. Ugly, but not dangerous or anything you have to take action about.
0 Kudos
Reply
Paula J Frazer-Campbell
Honored Contributor

‎09-27-2002 05:09 AM

‎09-27-2002 05:09 AM

Re: Am I being hacked?

Chris

Further to what has alreday been said, this can be a user education problem and windows telnet sessions.

User love to click the "X" to exit instead of exiting correctly from the uxix server and when they do this the "peer died" entry in syslog.log is created.

HTH
Paula
If you can spell SysAdmin then you is one - anon
0 Kudos
Reply
harry d brown jr
Honored Contributor

‎09-27-2002 06:52 AM

‎09-27-2002 06:52 AM

Re: Am I being hacked?

Maybe telnet to get their mail?

live free or die
harry
Live Free or Die
0 Kudos
Reply
Anil C. Sedha
Trusted Contributor

‎09-27-2002 08:25 AM

‎09-27-2002 08:25 AM

Re: Am I being hacked?

Don't you worry buddy !!

This message just pertains to when telnet sessions die abruptly or someone just closes their telnet session without logging out.


You are not being hacked.

:-)

Regards,
Anil
If you need to learn, now is the best opportunity
0 Kudos
Reply
Craig Rants
Honored Contributor

‎09-27-2002 08:31 AM

‎09-27-2002 08:31 AM

Re: Am I being hacked?

If you wanted to see what was going on at the packet level you could use IPF/9000 to log inbound tcp going to port 23, i.e.

pass in quick log proto tcp from any to `hostname`/32 port = 23 keep state

GL,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.