Hi Arnaud, just some points - I have no idea whether you've been hacked.
On Tue, May 18, 2004 at 10:21:22PM +0200, A. Loonstra wrote:
> Last night I found the following in my wtmp:
>
> test ftpd19097 141.222.42.5 Sat May 15 10:57 - 10:57 (00:00)
>
> I had this test account once but removed the account right away. So this
> shouldn't show up in my logs anyhow.

Are you sure there's nothing left over from that account? I know little about wu-ftpd configuration - maybe some .db files need refreshing from the respective user/password files, or similar?

> The weird thing is that syslog shows something else:
>
> May 15 10:57:41 matilda wu-ftpd[19097]: connect from 141.222.42.5
> May 15 10:57:44 matilda wu-ftpd[19097]: FTP LOGIN REFUSED (ftp not in
> /etc/passwd) FROM 141.222.42.5 [141.222.42.5], anonymous

Looks a bit like the host tried a couple of very common login names. The IP is owned by skidmore.edu, so this could be some dorm room hacker...

Regardless of whether that person was successful in getting on your machine, it might be a good idea to contact the skidmore.edu admins <http://www2.skidmore.edu/cits/staffdir/staff_dir.cfm>. They might be able to tell who was logged into the machine at the time, or has been assigned that IP. They most probably won't tell you who, but might educate the person in question about the fact that what they do is unlawful.

(Dunno about America, but in Germany, the act of "Daten ausspähen" is a crime - roughly paraphrased, this means accessing files which are protected from being viewed by anyone. So trying to log in is the attempt of a crime, which is also a crime. IANAL though.)

> I have nothing in /etc/passwd, /etc/shadow or anywhere else...
> a grep test on passwd* or shadow* reveals nothing. So how is it possible
> that this test user is able to login.

I think the first thing you should do is to check whether the binaries for your ftpd, PAM modules, inetd, tcp wrappers and all the related stuff have been modified.

The correct, paranoid way to do this is to boot into, say, Knoppix, from CD, download known good packages, and compare the md5sums. It doesn't look like the attacker did anything once he was logged in (maybe he was just scanning the net for open FTP servers), but if any doubt remains, reinstall from scratch. Maybe also consider using a different ftpd...

Cheers,

Richard

--
  __   _
  |_) /|  Richard Atterer     |  GnuPG key:
  | \/¯|  http://atterer.net  |  0x888354F7
  ¯ '` ¯
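One way to do the offline md5sum comparison Richard describes, as an added example that is not part of the original thread. It assumes the suspect disk is mounted read-only under some root and that a known-good manifest in `md5sum` format ("<md5>  <relative path>", the same format a Debian package's md5sums list uses) has been produced from freshly downloaded packages; the function and file names are my own.

```shell
#!/bin/sh
# Added example: check files on a suspect (read-only mounted) root against a
# known-good md5sum manifest, as one would from a Knoppix boot CD.

# verify_manifest MANIFEST ROOT
# Prints OK / MODIFIED / MISSING per manifest entry; returns 0 only if all OK.
verify_manifest() {
    manifest=$1; root=$2; bad=0
    while read -r want path; do
        [ -z "$path" ] && continue            # skip blank lines
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        have=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path (expected $want, got $have)"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# Constructed demo (hypothetical files, not real hashes): a fake root holding
# one clean ftpd, one tampered PAM module, and a missing inetd.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/root/usr/sbin" "$d/root/usr/lib/security"
    printf 'clean in.ftpd\n' > "$d/root/usr/sbin/in.ftpd"
    printf 'backdoored pam\n' > "$d/root/usr/lib/security/pam_unix.so"
    h() { printf '%s\n' "$1" | md5sum | cut -d' ' -f1; }   # hash of a constructed "good" file
    {
        printf '%s  usr/sbin/in.ftpd\n' "$(h 'clean in.ftpd')"
        printf '%s  usr/lib/security/pam_unix.so\n' "$(h 'good pam')"
        printf '%s  usr/sbin/inetd\n' "$(h 'inetd')"
    } > "$d/known-good.md5sums"
    verify_manifest "$d/known-good.md5sums" "$d/root"
    rc=$?
    rm -rf "$d"
    return $rc
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run with `sh check.sh demo` to see the three verdicts; for a real check, point `verify_manifest` at the mounted suspect root and a manifest built from the downloaded packages.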