Re: is this an attack ?
On Sat, Mar 29, 2003 at 10:46:02AM -0300, danilo lujambio wrote:
> Sorry for the length of the message, but I am not a security expert and I
> have an FTP server secured with the directives that I found in general
> docs. Yesterday my server was down at approx. 19:30; the only suspicious
> track that I found is:
> 18:59:06 web wu-ftpd[10527]: connect from 200.158.144.201
> Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
> Mar 28 18:59:07 web wu-ftpd[10527]: PASS ano@ano.com
> Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
> Mar 28 18:59:07 web wu-ftpd[10527]: PASS ano@ano.com
Apparently there is a cracking tool that uses this user and password for
FTP servers. If you were running a version of WU-FTPD with a known
hole, your computer was probably cracked.

I'm not sure what the best way is to tell if your instance of WU-FTPD had a
known vulnerability. Maybe do "apt-get update && apt-get upgrade", and check
to see if there is an update for the wu-ftpd package.

Even if it seems your WU-FTPD was not exploitable, I'd boot from Knoppix
and snoop around for backdoors or rootkits.

It is a good idea to run as few internet-listening servers as possible.
A total of zero internet-listening servers is a good goal for a desktop
machine.

And lastly, if you still need to run an FTP server, I recommend VSFTPD.
--
Tom Goulet mail: uid0@em.ca
UID0 Unix Consulting web: em.ca/uid0/
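
As an added example (not part of the original messages): a small Python detector for the pattern in the quoted log, one connection that sends the same USER/PASS pair more than once within a couple of seconds of connecting. The sample log is constructed, its addresses are documentation-range placeholders, and the function names and two-second threshold are assumptions; a match points to scripted login behaviour, not to a confirmed compromise.

```python
import re

# Constructed sample in the syslog format quoted above (first line has no date, as in the post).
SAMPLE_LOG = """\
18:59:06 web wu-ftpd[10527]: connect from 192.0.2.10
Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
Mar 28 18:59:07 web wu-ftpd[10527]: PASS ano@ano.com
Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
Mar 28 18:59:07 web wu-ftpd[10527]: PASS ano@ano.com
Mar 28 19:02:11 web wu-ftpd[10533]: connect from 192.0.2.77
Mar 28 19:02:15 web wu-ftpd[10533]: USER anonymous
Mar 28 19:02:19 web wu-ftpd[10533]: PASS alice@example.org
"""

# Date is optional; search() also tolerates "> " mail-quote prefixes.
LINE_RE = re.compile(
    r"(?:\w{3}\s+\d+\s+)?(\d\d):(\d\d):(\d\d)\s+\S+\s+"
    r"wu-ftpd\[(\d+)\]:\s+(.*)")

def parse_sessions(text):
    """Split the log into sessions; each 'connect from' line opens a new one."""
    open_by_pid, sessions = {}, []
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        h, mi, s, pid, msg = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s)  # seconds since midnight
        verb, _, arg = msg.partition(" ")
        if msg.startswith("connect from "):
            sess = {"pid": pid, "src": msg.split()[-1], "start": t, "cmds": []}
            open_by_pid[pid] = sess  # a reused PID starts a fresh session
            sessions.append(sess)
        elif verb in ("USER", "PASS") and pid in open_by_pid:
            open_by_pid[pid]["cmds"].append((t, verb, arg.strip()))
    return sessions

def scripted_logins(sessions, max_seconds=2):
    """Flag sessions repeating an identical USER/PASS pair within max_seconds."""
    flagged = []
    for sess in sessions:
        cmds = sess["cmds"]
        pairs = [(a[2], b[2]) for a, b in zip(cmds, cmds[1:])
                 if a[1] == "USER" and b[1] == "PASS"]
        repeated = sorted({p for p in pairs if pairs.count(p) > 1})
        fast = bool(cmds) and cmds[-1][0] - sess["start"] <= max_seconds
        if repeated and fast:
            flagged.append((sess["src"], sess["pid"], repeated))
    return flagged
```

Calling `scripted_logins(parse_sessions(open("/var/log/syslog").read()))` returns the source address, daemon PID and repeated credentials for each flagged connection; the log path is an assumption and varies by system.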