[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: is this an attack ?

On Sat, Mar 29, 2003 at 10:46:02AM -0300, danilo lujambio wrote:
> sorry by a large of the message , but I am not a security expert and I
> have a ftp server secured with the directives that I found in general
> docs. Yesterday my server was down at 19:30 aprox , the only suspicious
> track that I found is : 
> 18:59:06 web wu-ftpd[10527]: connect from 200.158.144.201
> Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
> Mar 28 18:59:07 web wu-ftpd[10527]: PASS ano@ano.com
> Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
> Mar 28 18:59:07 web wu-ftpd[10527]: PASS ano@ano.com

Apparently there is a cracking tool that uses this user and password for
FTP servers.  If you were running a version of WU-FTPD with a known
hole your computer was probably cracked.

I'm not sure what the best way to tell if your instance of WU-FTPD had a
known vulnerability.  Maybe do "apt-get update && apt-get upgrade", and check
to see if there is an update for the wu-ftpd package.

Even if it seems your WU-FTPD was not exploitable, I'd boot from Knoppix
and snoop around for backdoors or rootkits.

It is a good idea to run as few internet-listening servers as possible.
A total of zero internet-listening servers is a good goal for a desktop
machine.

And lastly, if you still need to run an FTP server, I recommend VSFTPD.

-- 
Tom Goulet				mail: uid0@em.ca
UID0 Unix Consulting			web:  em.ca/uid0/
Reply to: