hack attempt on my server...What do you do about this?

Chris Ruprecht chrisr at ruprecht.org
Sun Jul 18 15:28:24 UTC 2004


Scott, Thomas,

the first option is not to run vsftpd at all. There is nothing vsftpd
can do, which you can not do using sftp to log into your box. sftp,
afaik, sits on top of ssh and in the years of running my Linux box,
nobody ever broke that. You don't need a separate ftp server to run it,
as long as you have ssh enabled and port 22 open, it'll work.

If you need an ftp client which supports sftp (when you're at work or
something equally annoying :) try FileZilla (Windoze). It might not be
the best ftp client out there, but it's free and it gets the job done.

Best regards,
Chris

On Sun, 2004-07-18 at 11:17, Scot L. Harris wrote:
> On Sun, 2004-07-18 at 09:07, Thomas Sapp wrote:
> > Here's one for you, I checked my system this morning and the hard drive
> > was going nuts.  Here is the beginning of the log information:
> > 
> > Jul 17 07:40:43 Raisor vsftpd(pam_unix)[4691]: check pass; user unknown
> > Jul 17 07:40:43 Raisor vsftpd(pam_unix)[4691]: authentication failure;
> 
> > and this continues to fill up my system log until this morning at 5:45AM
> > when I disabled the vsftpd service.  I had only started it because I
> > needed a file from my computer at home while I was at work and forgot to
> > disable it last night!  That'll teach me!  Anyone know of any exploits
> > that this uses?  There are no changed or weird files and a login was
> > never succeeded from this attempt.  The IP address that was being used
> > changed 3 times but it stayed on the same subnet.  I blocked the entire
> > subnet but was wondering if anyone had any suggestions on what to check
> > on my system for possible intrusion?
> > 
> 
> Check your various log files.  It appears someone was trying a brute
> force attack on your ftp service.  You may want to use scp in the future
> for quick file transfers if you don't need a full blown ftp service.
> 
> If you have tripwire run a report.  I find tripwire invaluable in
> sorting out changes that have occurred on a system.  There are a couple
> of other similar packages out there that do the same thing.  
> 
> If you don't have tripwire then you may be able to use rpm to compare
> what was installed has not been changed.  (I assume rpm will allow for
> the prelink?)  I think it is the verify option on rpm.
> -- 
> Scot L. Harris
> webid at cfl.rr.com
> 
> When a lion meets another with a louder roar,
> the first lion thinks the last a bore.
> 		-- G.B. Shaw 
> 
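
Added example (not part of the original messages): a small Python triage script for the kind of log described in the thread, counting vsftpd pam_unix authentication failures per source /24 so that attempts spread over several addresses in one subnet show up together. The log lines in the thread are truncated, so the sample input is constructed and assumes the usual pam_unix "rhost=" field; the hostname, PIDs and addresses are placeholders from documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the pam_unix syslog style quoted in the thread.
# Hostname, PIDs and the 192.0.2.0/24 and 198.51.100.0/24 addresses are made up.
SAMPLE_LOG = """\
Jul 17 07:40:43 host vsftpd(pam_unix)[4691]: check pass; user unknown
Jul 17 07:40:43 host vsftpd(pam_unix)[4691]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Jul 17 07:40:46 host vsftpd(pam_unix)[4692]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Jul 17 09:12:01 host vsftpd(pam_unix)[5120]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.77
Jul 17 11:30:15 host vsftpd(pam_unix)[5833]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.203
Jul 17 12:00:00 host vsftpd(pam_unix)[5900]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.5
Jul 17 12:05:00 host sshd(pam_unix)[6001]: session opened for user tom by (uid=0)
"""

# Only vsftpd authentication failures that carry a remote host are counted.
FAILURE = re.compile(
    r"vsftpd\(pam_unix\)\[\d+\]: authentication failure;.*\brhost=(\S+)"
)

def failures_by_subnet(log_text, prefix=24):
    """Map each source network to {ip: failure_count} for vsftpd auth failures."""
    nets = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # rhost was a hostname, not an address; skipped here
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[str(net)][str(ip)] += 1
    return {n: dict(ips) for n, ips in nets.items()}

def suspicious_subnets(log_text, min_failures=3, prefix=24):
    """Return (subnet, total_failures, distinct_ips) at or above the threshold, worst first."""
    rows = [
        (net, sum(ips.values()), len(ips))
        for net, ips in failures_by_subnet(log_text, prefix).items()
    ]
    return sorted((r for r in rows if r[1] >= min_failures), key=lambda r: -r[1])

if __name__ == "__main__":
    for net, total, distinct in suspicious_subnets(SAMPLE_LOG):
        print(f"{net}: {total} failures from {distinct} address(es)")
```

To use it on a real system, pass the contents of the system log file instead of SAMPLE_LOG and adjust min_failures to taste.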




