On 07-Jun-01 Mark Hounschell wrote:
The command "last" showed the following entries:
ftp ftp cx441045-b.ports Tue Jun 5 00:02 - 00:02 (00:00)
ftp ftp adsl-64-222-16-9 Mon Jun 4 21:35 - 21:35 (00:00)
ftp ftp 211.200.28.16 Tue Jun 5 06:33 - 06:33 (00:00)
ftp ftp APerpignan-101-1 Tue Jun 5 20:18 - 20:19 (00:00)
Does this look like people just accidentally got the wrong ip address when they tried to ftp somewhere??? Or has somebody actually ftp'd into this box. I'm basically ignorant when it comes to security.
The lines above show that on at least four occasions your host has been visited via anonymous ftp, probably with some kind of ftp scanner/script, because the durations of the connections seem to be less than a second. If a valid user had logged in, you would see his/her user name in the first column of last's output. For anonymous logins (if they are permitted), user 'ftp' will be used, at least with (most) SuSE versions. Since you see valid (?) domain names in the third column, the logins had been successful.

You should disable anonymous login to your ftp server, or you may shut down the whole ftp service (by commenting out the ftp line in your /etc/inetd.conf or by stopping a running ftp daemon). But chances are that these last-log anomalies are only the tip of the iceberg; that's why you should examine your log files under /var/log closely, and your config and shadow password files in /etc.

Additionally, you may use tools like chrootkit, a root kit detector capable of finding altered binaries in your system. System crackers install these root kits after successfully entering the victim host in order to hide certain processes from being watched via the /proc file system (e.g. with ps). You can get chrootkit from http://www.chrootkit.org . If you should detect even more anomalies, secure, back up, and freshly re-install your system. Take a look at the SuSE security FAQ at www.susesecurity/faq for more information.
Thanks -- Mark Hounschell dmarkh@cfl.rr.com [...]
---
Boris Lorenz
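The reply above reads `last` output by eye: user 'ftp' in the first column means an anonymous login, and a (00:00) duration means a connect-and-leave session typical of a scanner. The script below, an added example that is not part of the thread, applies those two rules mechanically so the same check can be run over a whole wtmp history. It assumes the classic `last` column layout (user, tty, host, weekday, month, day, start, '-', end, '(duration)'); the sample input is constructed, with the four 'ftp' lines modelled on the post and two 'mark' lines invented for contrast. One caveat the post's "tip of the iceberg" remark implies: `last` only reports what is in /var/log/wtmp, and an intruder who has root can edit that file, so a clean listing is not evidence of a clean host.

```python
"""Triage `last` output for anonymous-FTP logins and scanner-like sessions.

Added example, not from the mailing-list post. It parses the classic
`last` line layout (user, tty, host, weekday, month, day, start, '-',
end, '(duration)') and applies the two heuristics from the reply: user
'ftp' means an anonymous login, and a '(00:00)' duration means the
session lasted under a minute, typical of an automated scanner.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the output quoted in the thread. The
# four 'ftp' lines follow the post; the 'mark' lines are invented so the
# classifier sees a named user and an FTP session with a real duration.
SAMPLE_LAST = """\
ftp      ftp          cx441045-b.ports Tue Jun  5 00:02 - 00:02  (00:00)
ftp      ftp          adsl-64-222-16-9 Mon Jun  4 21:35 - 21:35  (00:00)
ftp      ftp          211.200.28.16    Tue Jun  5 06:33 - 06:33  (00:00)
ftp      ftp          APerpignan-101-1 Tue Jun  5 20:18 - 20:19  (00:00)
mark     tty1                          Tue Jun  5 08:10 - 17:45  (09:35)
mark     ftp          10.0.0.7         Mon Jun  4 19:00 - 19:12  (00:12)

wtmp begins Sun Jun  3 07:00:01 2001
"""

# Host may be empty for console logins; duration may carry a day count
# as in "(2+10:00)". The trailing 'wtmp begins' line does not match.
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S*)\s+"
    r"(?P<wday>Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<dom>\d{1,2})\s+"
    r"(?P<start>\d\d:\d\d)\s+-\s+(?P<end>\S+)\s+"
    r"\((?:(?P<days>\d+)\+)?(?P<hh>\d\d):(?P<mm>\d\d)\)\s*$"
)


@dataclass
class Session:
    user: str
    tty: str
    host: str
    when: str        # e.g. "Tue Jun 5 00:02"
    seconds: int     # session length as `last` rounds it (whole minutes)


def parse_last(text: str) -> List[Session]:
    """Parse `last` output; skips the 'wtmp begins' footer and blank lines."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # footer, blank line, or a layout this parser does not know
        days = int(m["days"] or 0)
        seconds = days * 86400 + int(m["hh"]) * 3600 + int(m["mm"]) * 60
        sessions.append(Session(
            user=m["user"], tty=m["tty"], host=m["host"],
            when=f"{m['wday']} {m['mon']} {m['dom']} {m['start']}",
            seconds=seconds,
        ))
    return sessions


def triage(sessions: List[Session]) -> List[str]:
    """Apply the reply's heuristics and return one finding per hit."""
    findings = []
    for s in sessions:
        if s.user == "ftp":
            # Anonymous FTP: the server logs the pseudo-user, not a real name.
            findings.append(f"anonymous ftp login from {s.host} at {s.when}")
        if s.host and s.seconds < 60:
            # `last` prints (00:00) for anything under a minute: connect,
            # one banner or command, disconnect, i.e. scanner behaviour.
            findings.append(f"sub-minute remote session for {s.user} from {s.host}")
    return findings


def anonymous_ftp_hosts(sessions: List[Session]) -> List[str]:
    """Distinct remote hosts that used anonymous FTP, in first-seen order."""
    seen = []
    for s in sessions:
        if s.user == "ftp" and s.host not in seen:
            seen.append(s.host)
    return seen


if __name__ == "__main__":
    for finding in triage(parse_last(SAMPLE_LAST)):
        print(finding)
```

Feed it real output with `last -i | python3 triage_last.py` style plumbing (reading stdin instead of SAMPLE_LAST) once you trust the parser; on a host where wtmp may already have been tampered with, compare the result against the ftp daemon's own log under /var/log rather than relying on either alone.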