Have I been Hacked?


Dru Lee Parsec
06-10-2001, 01:05 PM
I see these messages in my /var/logs/messages file and I don't know what they are:

localhost rlogind[20312] : Connection from 24.114.108.58 on illegal port
localhost rlogind[20312] PAM pam_end: NULL pam handle passed
localhost PAM_pwdb [8565] : (login) session opened for user root by (uid=0)
localhost -- root[8565]:ROOT LOGIN ON tty1
localhost PAM_pwdb[8565]: (login) session closed for user root

It sure looks like somebody got into my box. But I'm not sure how to find out what that illegal port is.

What happened, how do I fix it?

Thanks folks.

Craig McPherson
06-10-2001, 02:20 PM
What were the timestamps on those messages?

TTY1 is your first local terminal. Unless something weird is going on, somebody logging in remotely wouldn't show up on TTY1, they'd show up on PTS/1. Are you sure YOU didn't log in as root on TTY1?

I don't think you got cracked. However, you should definitely NOT have rlogin running. That's a horrible security hole. Probably somebody was trying to scan exploits against rlogin just as you logged in as root on tty1, and that's what caused the log messages to look like that.
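
As an added example (not code from the thread), here is a small Python triage script that applies the two checks Craig describes, terminal type and timing, to log lines like the ones Dru posted. The timestamps, the year and the final pts/1 line are my constructed assumptions, since the original post omitted timestamps.

```python
import re
from datetime import datetime

# Constructed sample in syslog layout: the messages mirror those quoted in the
# thread, but the timestamps and the last pts/1 line are my assumptions.
SAMPLE_LOG = """\
Jun 10 12:58:03 localhost rlogind[20312]: Connection from 24.114.108.58 on illegal port
Jun 10 12:58:03 localhost rlogind[20312]: PAM pam_end: NULL pam handle passed
Jun 10 12:58:20 localhost PAM_pwdb[8565]: (login) session opened for user root by (uid=0)
Jun 10 12:58:20 localhost -- root[8565]: ROOT LOGIN ON tty1
Jun 10 13:02:11 localhost PAM_pwdb[8565]: (login) session closed for user root
Jun 10 13:40:02 localhost -- root[9001]: ROOT LOGIN ON pts/1 FROM 24.114.108.58
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")
RLOGIN = re.compile(r"rlogind\[\d+\]: Connection from (?P<ip>[\d.]+)")
ROOT_LOGIN = re.compile(r"ROOT LOGIN ON (?P<tty>\S+)")


def review_root_logins(log_text, window_seconds=60):
    """One finding per ROOT LOGIN line: terminal used, and which non-loopback
    rlogind connections arrived within window_seconds before the login."""
    rlogin_events, findings = [], []
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; 2001 (the thread's date) is assumed
        ts, msg = datetime.strptime("2001 " + m["ts"], "%Y %b %d %H:%M:%S"), m["msg"]
        r = RLOGIN.search(msg)
        if r and not r["ip"].startswith("127."):
            rlogin_events.append((ts, r["ip"]))
        lg = ROOT_LOGIN.search(msg)
        if not lg:
            continue
        tty = lg["tty"]
        remote = tty.startswith("pts/")  # ttyN is the local console, pts/N a network session
        nearby = [ip for t, ip in rlogin_events
                  if 0 <= (ts - t).total_seconds() <= window_seconds]
        if remote:
            verdict = "remote root login: investigate"
        elif nearby:
            verdict = "console login coinciding with an rlogind attempt: confirm it was you"
        else:
            verdict = "console login"
        findings.append({"time": m["ts"], "tty": tty, "remote": remote,
                         "rlogin_nearby": nearby, "verdict": verdict})
    return findings
```

Run `review_root_logins(SAMPLE_LOG)` to see the tty1 login flagged as coinciding with the rlogind attempt and the constructed pts/1 login flagged as a remote root login.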

Falcon
06-10-2001, 02:26 PM
Check the timestamp to see if it was you. Then you should read the NHFs on armoring Linux and KILL ALL DAEMONS YOU DON'T NEED. If it wasn't you then you will need to reinstall Linux, as a cracked box is no good (backdoors). When you reinstall, get the NHFs now and print them. Reinstall without internet (unplug the cable) and secure your box. THEN hook it back up to the internet.

Also, did it log the IP? If so, see if it was yours, 127.0.0.1 or localhost.localdomain.

Falcon

Dru Lee Parsec
06-11-2001, 11:15 AM
That IP was not mine own. I do have a firewall based on the "Linux Firewalls" book that shuts down rlogin from eth0 (my outside ethernet card). I should have said, this is my firewall computer; I don't see any odd logins on my main computers.

Oddly enough, I saw sendmail running and I'm SURE I shut that off on my firewall, so I killed sendmail and removed it from all the rcX.d directories.

Yeah, tty1 is strange. I don't see how I could get a root login on a tty port at all.

I'll re-read the NHF and see if I missed anything. Thanks for the advice. It's good to know that I probably wasn't cracked.

Craig McPherson
06-11-2001, 10:53 PM
Originally posted by Dru Lee Parsec:
"That IP was not mine own."

That's not what I said. What I meant was that probably, somebody attempted an rlogin connection against your box just as you happened to be logging in as root. That's what caused the confusion.

nanode
06-12-2001, 04:13 PM
I've been averaging 2-3 rootings a year. Regardless of how crackerjack your firewall and TCP Wrapper may be, all it takes is running 1 faulty net service.

Years ago wu-ftpd got me, and more recently BIND.

I only have httpd and sshd accessible to the internet and things have been smooth since April (damn red Chinese got me then).