[PLUG] attempted breakin
Fred Davis
fdavis2@purdue.edu
Tue, 7 Sep 1999 22:04:42 -0500 (EST)
Some person w/ an Iowa State University IP address was communicating w/
my box sometime between 9:20PM and 9:45PM.
As soon as I noticed, I packet sniffed for ~ ten seconds using sniffit,
and none of what I saw was readable --> possibly encrypted?
netstat result:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address            Foreign Address          State
tcp        0      0 pvil-b-017.resnet.:2144  helser-164-88.res.:8000  ESTABLISHED
I then disconnected my ethernet line (within ~ 30 sec. of realizing the
connection).
I don't think he was logged in, because when I ran who, only a couple of
instances of me were logged in - since I had one or two xterms open.
IP address: 129.186.164.88 (helser-164-88.res.iastate.edu)
What should I do (other than change all passwords)? What things should I
check to make sure they were not tampered with? Should I email root@that
IP address, email the dorm connection administrator at Iowa State, what?
Suggestions greatly appreciated.
- fred
fdavis2@purdue.edu