hack attempt on my server...What do you do about this?

[Thomas Sapp]

Here's one for you, I checked my system this morning and the hard drive
was going nuts.  Here is the begining of the log information:

Jul 17 07:40:43 Raisor vsftpd(pam_unix)[4691]: check pass; user unknown
Jul 17 07:40:43 Raisor vsftpd(pam_unix)[4691]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=81.201.142.14 
Jul 17 07:40:46 Raisor vsftpd(pam_unix)[4695]: check pass; user unknown
Jul 17 07:40:46 Raisor vsftpd(pam_unix)[4695]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=81.201.142.14 
Jul 17 07:40:46 Raisor vsftpd(pam_unix)[4697]: check pass; user unknown
Jul 17 07:40:46 Raisor vsftpd(pam_unix)[4697]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=81.201.142.14 
Jul 17 07:40:47 Raisor vsftpd(pam_unix)[4701]: check pass; user unknown
Jul 17 07:40:47 Raisor vsftpd(pam_unix)[4701]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=81.201.142.14 
Jul 17 07:40:47 Raisor vsftpd(pam_unix)[4703]: check pass; user unknown
Jul 17 07:40:47 Raisor vsftpd(pam_unix)[4703]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=81.201.142.14 
Jul 17 07:40:47 Raisor vsftpd(pam_unix)[4707]: check pass; user unknown
Jul 17 07:40:47 Raisor vsftpd(pam_unix)[4707]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=81.201.142.14 
Jul 17 07:40:47 Raisor vsftpd(pam_unix)[4709]: check pass; user unknown
Jul 17 07:40:47 Raisor vsftpd(pam_unix)[4709]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=81.201.142.14 
Jul 17 07:40:47 Raisor vsftpd(pam_unix)[4713]: check pass; user unknown
Jul 17 07:40:47 Raisor vsftpd(pam_unix)[4713]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=81.201.142.14 
Jul 17 07:40:48 Raisor vsftpd(pam_unix)[4715]: check pass; user unknown
Jul 17 07:40:48 Raisor vsftpd(pam_unix)[4715]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=81.201.142.14 
Jul 17 07:40:48 Raisor vsftpd(pam_unix)[4717]: check pass; user unknown
Jul 17 07:40:48 Raisor vsftpd(pam_unix)[4717]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=81.201.142.14 
Jul 17 07:40:48 Raisor vsftpd(pam_unix)[4721]: check pass; user unknown
Jul 17 07:40:48 Raisor vsftpd(pam_unix)[4721]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=81.201.142.14 
Jul 17 07:40:48 Raisor vsftpd(pam_unix)[4723]: check pass; user unknown
Jul 17 07:40:48 Raisor vsftpd(pam_unix)[4723]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=81.201.142.14 
Jul 17 07:40:48 Raisor vsftpd(pam_unix)[4727]: check pass; user unknown
Jul 17 07:40:48 Raisor vsftpd(pam_unix)[4727]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=81.201.142.14 
Jul 17 07:40:49 Raisor vsftpd(pam_unix)[4729]: check pass; user unknown
Jul 17 07:40:49 Raisor vsftpd(pam_unix)[4729]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=81.201.142.14 
Jul 17 07:40:49 Raisor vsftpd(pam_unix)[4733]: check pass; user unknown
Jul 17 07:40:49 Raisor vsftpd(pam_unix)[4733]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=81.201.142.14 
Jul 17 07:40:49 Raisor vsftpd(pam_unix)[4735]: check pass; user unknown
Jul 17 07:40:49 Raisor vsftpd(pam_unix)[4735]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=81.201.142.14 

and this continues to fill up my system log until this morning at 5:45AM
when I disabled the vsftpd service.  I had only started it because I
needed a file from my computer at home while I was at work and forgot to
disable it last night!  that'll teach me!  Anyone know of any exploits
that this uses?  There are no changed or weird files and a login was
never succeded from this attempt.  the ip address that was being used
changed 3 times but it stayed on the same subnet.  I blocked the entire
subnet but was wondering if anyone had any suggestions on what to check
on my system for possible intrusion?

-- 
Thanks,
Tom Sapp
http://www.sappsworld.com