Jan, it looks like you have been compromised. wu-ftpd is a popular source of break-ins, if what I have read is correct. It appears yours is nearly two years old, plenty old... It might be a good idea to stop running your ftp daemon, but... normally if a cracker has gotten this far, then it is likely more damage has been done.

Depending on the security levels you need, taking the computer off the network, and building it from scratch again might be the best course of action. This is a bit extreme for some places, maybe not for you. You need to update your wu-ftpd at minimum, and if you have tripwire or tiger or any of the other md5-based filesystem checkers, run those and find out which files have been changed.

yast might be able to help here, I can't recall, and don't have access to a yast right now. But, keep in mind, yast was made for convenience, *not* security (e.g., all its data is stored in database files that can be modified by crackers) -- so, again, depending on your security needs, yast might not be able to help you at all.

It might not hurt to traceroute that address back, and get in touch with the admin of the parent site -- be sure to hold onto any and all logs that might help that admin track down the cracker from there.

For better/more professional advice, check out this URL: http://www.cert.org/nav/recovering.html It covers recovering from a break-in.

Good luck.

BTW -- it *could* just be a very new user, running ftp as root. I did it when *I* started running Linux about five years ago. Today I know better, but not everyone does. :)

And, of course, take all this with a grain of salt. :)

On Thu, Aug 05, 1999 at 08:22:03PM +0200, Jan Theofel wrote:
Hello!
Here are two lines of my /var/log/messages:

Aug 4 21:16:22 www wu.ftpd[25329]: connect from root@212.160.104.141
Aug 5 02:49:53 www wu.ftpd[25641]: connect from root@212.160.104.141
It seems a little bit strange to me that a root on some box would be trying FTP to our server. I thought it might perhaps be a cracker who got root access to another server. (Although this IP can't be resolved by nslookup, which should indicate that it isn't a server.)
But in my /var/log/xferlog, there's no traffic at these times.
What does that mean?
Bye, Jan
BTW: My server identifies as:

220 www.rst-consulting.de FTP server (Version wu-2.4.2-academ[BETA-12](1) Sun Jan 19 23:05:28 CST 1997) ready.
--
+-------------------+--------------------------------------------------------+
| Jan Theofel       | rst Unternehmensberatungs- und Handelsgesellschaft mbH |
| Webadministrator  | Bahnhofstrasse 35, 71272 Renningen                     |
|                   | Tel.: 07159/800-450   Fax: 07159/800-451               |
+-------------------+--------------------------------------------------------+
--
Seth Arnold | ICQ 3172483 | http://cswww.willamette.edu/~sarnold/
I prosecute unsolicited bulk emails, using the RealTime BlackHole List. You should too. Ask me how, or visit http://maps.vix.com/rbl/
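The question Jan raises, connections logged in /var/log/messages with nothing in xferlog at the same time, can be answered mechanically by correlating the two logs. The script below is an added example, not code from the thread or from wu-ftpd; the two `root@212.160.104.141` syslog lines are the ones Jan quoted, while the third connect line and the xferlog entry are constructed. One caveat worth keeping in mind when reading such lines: the `user@` part of a wu.ftpd `connect from` message is what the client's ident service reported, not an authenticated FTP login, so `root@` on its own says only what the remote box chose to claim. A connection that produces no transfer within a short window is the more useful signal, and that is what the script lists:

```python
import re
from datetime import datetime, timedelta

# Constructed sample input. The two 212.160.104.141 lines are the ones quoted in
# the thread; the alice@ line and the xferlog entry were made up for this example.
MESSAGES = """\
Aug  4 21:16:22 www wu.ftpd[25329]: connect from root@212.160.104.141
Aug  4 22:01:10 www wu.ftpd[25400]: connect from alice@192.0.2.10
Aug  5 02:49:53 www wu.ftpd[25641]: connect from root@212.160.104.141
""".splitlines()

# wu-ftpd xferlog layout (space separated):
#   day mon dd hh:mm:ss yyyy xfer-secs host size path type flag dir mode user ...
XFERLOG = """\
Wed Aug  4 22:01:33 1999 2 192.0.2.10 40960 /pub/README a _ o a alice@ ftp 0 * c
""".splitlines()

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ wu\.ftpd\[\d+\]: "
    r"connect from (?:(?P<ident>[^@\s]+)@)?(?P<host>\S+)$"
)


def parse_connects(lines, year):
    """Return (time, ident, host) for every wu.ftpd 'connect from' line.
    syslog timestamps carry no year, so the caller has to supply it."""
    out = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["ident"], m["host"]))
    return out


def parse_xferlog(lines):
    """Return (time, host) for each xferlog entry; the year is in the line."""
    out = []
    for line in lines:
        f = line.split()
        if len(f) < 7:
            continue
        ts = datetime.strptime(" ".join(f[1:5]), "%b %d %H:%M:%S %Y")
        out.append((ts, f[6]))
    return out


def connects_without_transfers(connects, xfers, window=timedelta(minutes=15)):
    """Connections with no transfer from the same host within `window` after
    the connect. Those are the ones to look at more closely: a session that
    moved no file is a probe, a failed login, or something other than FTP."""
    flagged = []
    for ts, ident, host in connects:
        moved_data = any(h == host and ts <= xt <= ts + window for xt, h in xfers)
        if not moved_data:
            flagged.append((ts, ident, host))
    return flagged


def report(year=1999):
    """Run the correlation over the constructed sample logs."""
    return connects_without_transfers(parse_connects(MESSAGES, year),
                                      parse_xferlog(XFERLOG))


if __name__ == "__main__":
    for ts, ident, host in report():
        print(f"{ts:%b %d %H:%M:%S} {ident or '?'}@{host}: connect, no transfer")
```

Against the sample data only the two 212.160.104.141 connects are flagged; the alice session is matched by its transfer 23 seconds later. On a real host the two constants would be replaced by reading /var/log/messages and /var/log/xferlog, and the year would be taken from the file's modification time rather than hard-coded.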
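Seth's advice to run tripwire, tiger or another checksum-based filesystem checker comes down to one routine: record a hash and the metadata of every file while the system is known good, keep that record where an intruder cannot rewrite it, and diff against it later. The following is an added illustration of that routine, not code from the thread or from any of those tools; it uses SHA-256 rather than MD5 (my choice, since MD5 collisions are cheap today) and exercises itself on a constructed temporary tree:

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries don't fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, mode, size} for every regular file under
    root. Mode is recorded so a setuid bit added to an unchanged binary is
    still caught; symlinks are skipped because their target may change."""
    root = Path(root)
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.lstat()
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "mode": oct(st.st_mode & 0o7777),
                "size": st.st_size,
            }
    return baseline


def compare(baseline, current):
    """Report which files changed, appeared or disappeared since the baseline."""
    return {
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed walkthrough: baseline a small tree, alter it the way a
    compromise typically would (a replaced binary, a setuid bit, an extra
    account line), then compare. Everything here lives in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")
        (root / "bin" / "ps").write_bytes(b"original ps binary\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

        # The baseline would be written to read-only or offline media in
        # practice; a JSON string stands in for that here.
        snapshot = json.dumps(build_baseline(root))

        (root / "bin" / "ps").write_bytes(b"replaced ps binary\n")   # content change
        os.chmod(root / "bin" / "ls", 0o4755)                        # mode change only
        with open(root / "etc" / "passwd", "a") as fh:               # extra line
            fh.write("r00t:x:0:0::/:/bin/sh\n")

        return compare(json.loads(snapshot), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point Seth makes about yast applies to the baseline file itself: a checksum database stored on the compromised disk is only as trustworthy as the disk, so the snapshot has to be compared from known-good media, using a hashing binary that was not itself on the suspect system.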