Re: Report on last cmd

To: <debian-security@lists.debian.org>
Subject: Re: Report on last cmd
From: "Statu Nascendi" <statu_nascendi@redmail.ro>
Date: Sat, 5 Oct 2002 00:51:07 +0300
Message-id: <[🔎] 004901c26bf0$24b85b20$010fa8c0@vasilica>
References: <[🔎] 00db01c26b95$a7d44240$050ae10a@infocent.com.au> <[🔎] 20021004180832.GE314@parvu.net>

ftp scans are just common.
just look in /var/log/daemon.log for ftp sessions -> opened,closed pairs or
log the connections.

Statu Nascendi,
Master of Disaster


----- Original Message -----
From: "Ted Parvu" <ted@parvu.net>
To: "Glen Tapley" <scorpio@infocent.com.au>
Cc: <debian-security@lists.debian.org>
Sent: Friday, October 04, 2002 9:08 PM
Subject: Re: Report on last cmd


> Not sure that your sendmail problem is related to this issue but...
>
> It looks like you have an anonymous ftp account enabled on your machine.
> Considering that these IPs are logging in for less than one minute I
> would venture to guess that "they" are scanning IPs looking for
> anonymous ftp accounts that "they" can go back to later and use in
> whatever way "they" want to.
>
> If you do not require outside anon ftp access I would suggest you block
> the ftp port along with all the other ports that do not require outside
> access.
>
> Also, if you are not in need of anon ftp, disable it.
>
> If you don't need ftp at all, disable the ftpd demon.
>
> I have noted that it is pretty common to see this sort of activity on a
> system with anon ftp enabled.
>
> have fun,
>
> Ted
>
> On Fri, Oct 04, 2002 at 07:03:21PM +0800, Glen Tapley wrote:
> > Hello
> >
> > I have been having a lot of trouble with my sendmail setup, someone is
using my system. I have found that when I run the last cmd, I find a lot of
strange entries such as
> >
> > ftp      ftp          p50852BD8.dip.t- Sun Oct  6 03:57 - 03:57  (00:00)
> > ftp      ftp          p508ECDDA.dip.t- Sun Oct  6 03:37 - 03:37  (00:00)
> > ftp      ftp          212.171.38.1     Sat Oct  5 23:16 - 23:16  (00:00)
> > ftp      ftp          210.23.10.25     Sat Oct  5 18:40 - 18:40  (00:00)
> >
> > Can anyone tell me what these are, are they the result of programs
accessing my TCP/IP addresses?
> >
> > Tx in advance.
> >
> > glt
> >
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-
>        WAR IS GOOD
>     FREEDOM IS SLAVERY
>   IGNORANCE IS STRENGTH
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
>

Reply to:

References:
- Report on last cmd
  - From: "Glen Tapley" <scorpio@infocent.com.au>
- Re: Report on last cmd
  - From: Ted Parvu <ted@parvu.net>

Prev by Date: Re: Debian (Unstable) problem with SSH and PAM
Next by Date: unsubscribe kaschulze@web.de
Previous by thread: Re: Report on last cmd
Next by thread: Re: Report on last cmd
Index(es):
- Date
- Thread