On Sat, 7 Oct 2000, Kurt Seifried wrote:
> > Today I got about 50 messages like the following in /var/log/messages:
> >
> > Oct 7 10:11:51 gmv wu.ftpd[14694]: connect from 211.56.234.227
> > Oct 7 10:11:51 gmv ftpd[14694]: FTP session closed
> > ...
> >
> > and it's still going on! What could be the deeper meaning, when someone is making connections the whole day long?
> > Some more details: one first connection for about 4 seconds:
> >
> > Oct 7 03:06:10 gmv wu.ftpd[8685]: connect from 211.56.234.227
> > Oct 7 03:06:14 gmv ftpd[8685]: FTP session closed
> >
> > And then, from 7.35 on, a connection of about 0 seconds every 4 minutes. Now the connections are refused by /etc/hosts.deny, but it's still going on:
> >
> > Oct 7 12:07:09 gmv wu.ftpd[15227]: refused connect from 211.56.234.227
> WuFTPD has more security holes than a .... well actually it's in my top 10 for "most insecure software ever written and maintained". There are _several_ root hacks for it in this year alone. I wouldn't use WuFTPD if someone had a gun to my head.
Ok, I used it only because of Thomas' letter in June (http://lists.suse.com/archives/suse-security/2000-Jun/0167.html)...
> Then it's time to shut down the box, look for signs of intrusion and probably
I really can't find any hint of intrusion... I am going to try to take a look at the traffic (perhaps with tcpdump?)...

Peter

--
Peter Münster
http://w3pm.stormloader.com/
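As an added example (not code from this thread): a small parser for the wu.ftpd syslog lines quoted above that pairs each "connect from" with its "FTP session closed" line by pid, counts zero-length sessions and refused connects per source address, and reports the median interval between connects, which is how a regular four-minute probe stands out from normal use. The sample log lines are constructed to mirror the ones quoted, and the year is assumed because syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
# Constructed sample in the syslog format quoted in the thread (year is assumed; syslog omits it).
SAMPLE_LOG = """\
Oct  7 03:06:10 gmv wu.ftpd[8685]: connect from 211.56.234.227
Oct  7 03:06:14 gmv ftpd[8685]: FTP session closed
Oct  7 07:35:02 gmv wu.ftpd[12001]: connect from 211.56.234.227
Oct  7 07:35:02 gmv ftpd[12001]: FTP session closed
Oct  7 07:39:03 gmv wu.ftpd[12044]: connect from 211.56.234.227
Oct  7 07:39:03 gmv ftpd[12044]: FTP session closed
Oct  7 07:43:01 gmv wu.ftpd[12090]: connect from 211.56.234.227
Oct  7 07:43:01 gmv ftpd[12090]: FTP session closed
Oct  7 08:00:00 gmv wu.ftpd[12200]: connect from 10.0.0.5
Oct  7 08:00:30 gmv ftpd[12200]: FTP session closed
Oct  7 12:07:09 gmv wu.ftpd[15227]: refused connect from 211.56.234.227
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?:wu\.)?ftpd\[(?P<pid>\d+)\]: "
    r"(?:(?P<refused>refused )?connect from (?P<ip>[\d.]+)|(?P<closed>FTP session closed))$"
)
def summarize(log_text, year=2000):
    """Per source IP: accepted/refused connects, zero-length sessions, median gap between connects."""
    open_sessions = {}  # pid -> (ip, connect time); the 'closed' line carries only the pid
    per_ip = defaultdict(lambda: {"accepted": 0, "refused": 0, "zero_length": 0, "starts": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        if m["closed"]:
            ip, start = open_sessions.pop(m["pid"], (None, None))
            if ip and ts == start:
                per_ip[ip]["zero_length"] += 1  # closed in the same second it opened
        elif m["refused"]:
            per_ip[m["ip"]]["refused"] += 1  # blocked by tcp_wrappers via /etc/hosts.deny
        else:
            open_sessions[m["pid"]] = (m["ip"], ts)
            per_ip[m["ip"]]["accepted"] += 1
            per_ip[m["ip"]]["starts"].append(ts)
    report = {}
    for ip, d in per_ip.items():
        gaps = [(b - a).total_seconds() for a, b in zip(d["starts"], d["starts"][1:])]
        report[ip] = {"accepted": d["accepted"], "refused": d["refused"],
                      "zero_length": d["zero_length"], "median_gap_s": median(gaps) if gaps else None}
    return report
```

Run against a real /var/log/messages, a source with many zero-length sessions and a small, stable median gap is the automated scanner to watch, while the host's own users show longer, irregular sessions.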