Another round of highly appreciated responses to my 2nd posting from:
John P Speno <speno_at_isc.upenn.edu>
Mike Iglesias <iglesias_at_draco.acs.uci.edu>
MJ Watson <mjwatson_at_snafu.livenet.net>
Toni Harbaugh-Blackford <harbaugh_at_ncifcrf.gov>
Graham Allan <ALLAN_at_mnhep1.hep.umn.edu>
David LaPorte <david_laporte_at_harvard.edu>
Chad Price <cprice_at_molbio.unmc.edu>
Sylvain Robitaille <syl_at_alcor.concordia.ca>
James Sainsbury <sainsb_j_at_ten.chem.usyd.edu.au>
Gwen Pettigrew <gwen_at_itg.cam.ac.uk>
Several people suggested replacing my inetd with xinetd
(http://synack.net/xinetd), which is a freeware replacement that does much
better logging than the stock inetd does. I'll give that a shot.
Another suggestion was leaving the stock inetd in place for every other
service, and running popd either under a stub inetd which does better
logging, or xinetd just for that one service.
One suggestion was to use netstat -n to find the intruder.
Several people suggested having our network folks use our router logs to
track the offending client down. This is actually what we did (in fact, we
did it yesterday, so my question was really for future reference). In our
case, since we control our own routers this was a workable solution, but it
might not be viable in an ISP setup where you don't own or control your own
routers. The "attacks" were coming from a port in one of our student
dorms. We haven't tracked the person down yet, but have turned their
port off, which solved the immediate problem :-) I say "attacks" in quotes
because we have no reason to believe, at this point, that it was anything
worse than a badly-configured mail client.
Also suggested was something called Courtney, which is apparently on the DU
Freeware CD, and is a perl wrapper around tcpdump.
Received on Wed Jun 02 1999 - 13:16:54 NZST
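One way to act on the "use netstat -n" suggestion in the summary above, as an added example that is not part of the original posting or of any of the replies: a small shell function that reads `netstat -an` output and counts, per remote host, the sockets attached to the POP3 port. It assumes POP3 is on TCP port 110 and that netstat prints one socket per line ending in its state, with addresses written as a.b.c.d.port (Solaris) or a.b.c.d:port (Linux). The two netstat listings embedded below are constructed sample data, not real captures.

```shell
#!/bin/sh
# Added example (not from the original posting): list the remote hosts
# connected to our POP3 port from `netstat -an` output, the kind of
# quick check the "use netstat -n" suggestion points at.
#
# Assumptions: POP3 is on TCP port 110; netstat prints one socket per
# line ending in its state, with addresses as a.b.c.d.port (Solaris) or
# a.b.c.d:port (Linux). Both samples below are constructed, not captures.

SAMPLE_SOLARIS='   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
128.10.1.5.110       128.10.40.23.1302    8760      0  8760      0 ESTABLISHED
128.10.1.5.110       128.10.40.23.1303    8760      0  8760      0 ESTABLISHED
128.10.1.5.110       128.10.40.23.1304    8760      0  8760      0 ESTABLISHED
128.10.1.5.22        128.10.7.9.40011     8760      0  8760      0 ESTABLISHED
128.10.1.5.110       128.10.12.77.2210    8760      0  8760      0 TIME_WAIT'

SAMPLE_LINUX='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 128.10.1.5:110          128.10.40.23:1305       ESTABLISHED
tcp        0      0 128.10.1.5:110          128.10.55.2:3390        ESTABLISHED
tcp        0      0 128.10.1.5:110          128.10.40.23:1306       ESTABLISHED'

# clients_on_port PORT [STATE]
# Reads netstat output on stdin and prints "count remote-host", busiest
# host first, for sockets whose local port is PORT and whose state is
# STATE (default ESTABLISHED). A host holding many connections to the
# POP3 port at once is the first place to look for a runaway mail client.
clients_on_port() {
    port=$1
    state=${2:-ESTABLISHED}
    awk -v port="$port" -v state="$state" '
        $NF != state { next }
        {
            for (i = 1; i < NF; i++) {
                # First field that looks like address+port is the local side;
                # the field after it is the remote side.
                if ($i ~ /^[0-9][0-9.]*[.:][0-9]+$/) {
                    n = split($i, a, "[.:]")
                    if (a[n] == port) {
                        host = $(i + 1)
                        sub(/[.:][0-9]+$/, "", host)   # strip the remote port
                        count[host]++
                    }
                    break
                }
            }
        }
        END { for (h in count) print count[h], h }
    ' | sort -rn
}

# Live use: netstat -an | clients_on_port 110
# Sample run on the constructed Solaris output:
printf '%s\n' "$SAMPLE_SOLARIS" | clients_on_port 110
```

Pass a second argument to look at another state (for example `TIME_WAIT` to see who has been connecting and disconnecting rapidly); netstat only shows what is open right now, so this is a spot check, not a substitute for the per-connection logging that xinetd or the router logs give you.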