hack attempt on my server...What do you do about this?

Scot L. Harris webid at cfl.rr.com
Sun Jul 18 15:17:34 UTC 2004


On Sun, 2004-07-18 at 09:07, Thomas Sapp wrote:
> Here's one for you, I checked my system this morning and the hard drive
> was going nuts.  Here is the beginning of the log information:
> 
> Jul 17 07:40:43 Raisor vsftpd(pam_unix)[4691]: check pass; user unknown
> Jul 17 07:40:43 Raisor vsftpd(pam_unix)[4691]: authentication failure;

> and this continues to fill up my system log until this morning at 5:45AM
> when I disabled the vsftpd service.  I had only started it because I
> needed a file from my computer at home while I was at work and forgot to
> disable it last night!  That'll teach me!  Anyone know of any exploits
> that this uses?  There are no changed or weird files and a login was
> never succeeded from this attempt.  The IP address that was being used
> changed 3 times but it stayed on the same subnet.  I blocked the entire
> subnet but was wondering if anyone had any suggestions on what to check
> on my system for possible intrusion?
> 

Check your various log files.  It appears someone was trying a brute
force attack on your ftp service.  You may want to use scp in the future
for quick file transfers if you don't need a full-blown ftp service.

If you have tripwire, run a report.  I find tripwire invaluable in
sorting out changes that have occurred on a system.  There are a couple
of other similar packages out there that do the same thing.

If you don't have tripwire then you may be able to use rpm to check
that what was installed has not been changed.  (I assume rpm will allow for
the prelink?)  I think it is the verify option on rpm.
-- 
Scot L. Harris
webid at cfl.rr.com

When a lion meets another with a louder roar,
the first lion thinks the last a bore.
		-- G.B. Shaw 
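
An added example, not part of the original message: one way to carry out the "check your log files" step for the pattern described in this thread, where the source address changed but stayed on one subnet. It counts vsftpd pam_unix authentication failures per source and groups them by /24 (IPv4) or /64 (IPv6). The sample log lines are constructed, and the `rhost=` field layout is the usual pam_unix failure format, assumed here because the quoted log is cut off before that field.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log: host name, PIDs and documentation-range addresses are made up.
SAMPLE_LOG = """\
Jul 17 07:40:43 ftphost vsftpd(pam_unix)[4691]: check pass; user unknown
Jul 17 07:40:43 ftphost vsftpd(pam_unix)[4691]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Jul 17 07:40:47 ftphost vsftpd(pam_unix)[4693]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10  user=root
Jul 17 09:12:01 ftphost vsftpd(pam_unix)[4802]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.57
Jul 17 09:12:05 ftphost vsftpd(pam_unix)[4804]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.57
Jul 17 11:30:18 ftphost vsftpd(pam_unix)[4950]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.201
Jul 17 11:30:22 ftphost vsftpd(pam_unix)[4952]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.201
Jul 17 12:02:40 ftphost vsftpd(pam_unix)[5001]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7
"""

FAIL_RE = re.compile(r"vsftpd\(pam_unix\)\[\d+\]: authentication failure;.*\brhost=(\S+)")

def failures_by_subnet(log_text):
    """Return {subnet_or_hostname: {source: failure_count}} for vsftpd auth failures."""
    groups = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = FAIL_RE.search(line)
        if not match:
            continue  # not a failure line, or rhost= was logged empty
        source = match.group(1)
        try:
            ip = ip_address(source)
            prefix = 24 if ip.version == 4 else 64
            key = str(ip_network(f"{ip}/{prefix}", strict=False))
        except ValueError:
            key = source  # rhost was logged as a hostname, keep it as its own group
        groups[key][source] += 1
    return {key: dict(sources) for key, sources in groups.items()}

def noisy_subnets(groups, min_failures=5):
    """Subnets whose combined failures reach the threshold, even if no single address does."""
    return sorted(k for k, srcs in groups.items() if sum(srcs.values()) >= min_failures)

if __name__ == "__main__":
    groups = failures_by_subnet(SAMPLE_LOG)
    for subnet in noisy_subnets(groups):
        print(subnet, groups[subnet])
```

In the sample no single address reaches the threshold of 5, but the three addresses in one /24 together do, which is the case a per-address count would miss.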




