I found a weird log entry in my system check for 4/27. Someone from a Korean site was able to ftp into my server for 41 seconds. The log entries are as follows:

Apr 27 13:14:43 Nemesis xinetd[620]: START: ftp pid=17845 from=210.119.103.190
Apr 27 13:14:43 Nemesis xinetd[17845]: USERID: ftp OTHER :root
Apr 27 13:15:23 Nemesis xinetd[620]: EXIT: ftp pid=17845 duration=41(sec)

What does it look like to you guys? What are your suggestions for fixing it so it doesn't happen again? Where do I report this unauthorized use?

--
David C. Rankin
Nacogdoches, Texas

Bas wrote:
> Maybe I'm not looking right, but it looks like somebody on the other end is
> root and accessed your ftp server as user ftp.
>
> You should check the manual pages that come with your ftp server.
>
> Good luck,
> Bas.
>

Bas, that's the problem! Somebody tried to ftp as root into my server! "They ain't root, because I'm root!" You know, --me--, my system, I put the motherboard/hardware together, I loaded Linux, got samba, ftp, ssh, vpn, etc... working. IT'S MY BOX! Now, some Korean, "no ethnocentricity implied", has hacked my box and I'm (1) worried - what did he/she do and (2) pissed because someone who shouldn't be showing up in my logs is! I have read Linksys router pages and man pages that say -- this shouldn't happen. OK, so I'll admit it, Linksys sucks as a firewall. That still begs the question, who is this turkey who tried to hack my system, why did he try to do it (we'll never know), and why with all this great security was whoeveritwas able to stay connected for 41 seconds. Think about it, I'm puzzled -- not uncommon. My question is what in the hell do you do in this situation?

Do you need to have ftp (inbound) turned on for this system? What
about remote root access, could you turn that off? Are you using any
type of software type firewalling?

David Rankin <drankin@cox-internet.com>
Sent by: samba-admin@lists.samba.org
05/03/2001 10:04 PM
To: Bas <list@showme.wox.org>, Samba <samba@us5.samba.org>
cc:
Subject: Re: Hacked?
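
An added example, not part of the original thread: a short Python parser that correlates the three xinetd records quoted in the first message into one session by pid and flags sessions whose source is outside a trusted network list. The TRUSTED ranges and the function names are assumptions; the USERID value is the remote host's RFC 1413 ident reply, so it is whatever that host chose to send.

```python
import re
from ipaddress import ip_address, ip_network

# The three log lines quoted in the first message of the thread.
SAMPLE = """\
Apr 27 13:14:43 Nemesis xinetd[620]: START: ftp pid=17845 from=210.119.103.190
Apr 27 13:14:43 Nemesis xinetd[17845]: USERID: ftp OTHER :root
Apr 27 13:15:23 Nemesis xinetd[620]: EXIT: ftp pid=17845 duration=41(sec)
"""

# Assumption: only these networks are expected to reach the service.
TRUSTED = [ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8")]

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ xinetd\[(?P<logger>\d+)\]: "
                  r"(?P<kind>START|USERID|EXIT): (?P<svc>\S+)\s*(?P<rest>.*)$")

def sessions(text):
    """Correlate START/USERID/EXIT records into one dict per service pid."""
    out = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        kv = dict(re.findall(r"(\w+)=(\S+)", m["rest"]))
        # USERID is logged by the forked child, so its logger pid is the session pid.
        pid = int(kv.get("pid", m["logger"]))
        s = out.setdefault(pid, {"service": m["svc"], "pid": pid})
        if m["kind"] == "START":
            s.update(start=m["ts"], src=kv["from"])
        elif m["kind"] == "USERID":
            # Ident reply "<opsys> :<user>", supplied by the remote host itself.
            s["ident_user"] = m["rest"].rpartition(":")[2].strip()
        else:
            s.update(end=m["ts"], duration=int(kv["duration"].split("(")[0]))
    return list(out.values())

def untrusted(text):
    """Sessions whose source address is outside every TRUSTED network."""
    return [s for s in sessions(text)
            if "src" in s and not any(ip_address(s["src"]) in n for n in TRUSTED)]

if __name__ == "__main__":
    for s in untrusted(SAMPLE):
        print(s)
```

The `ident_user` field records what the connecting host claimed about its own local user; it does not show which account was used on the server.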