David Rankin wrote:
Hello, David--
First off, let me state that I may be totally off base on this, but
here's my .02 anyway! :)
> What does it look like to you guys? What are your suggestions for fixing
> it so it doesn't happen again? Where do I report this unauthorized use?
I get these all the time, and as near as I can tell, they're just making
a connection, trying to log in and getting nothing. Then going away.
Still and all, I assume that you have checked xfer.log, auth.log, last
and so forth, and have found them to be without gaps? You don't have
any .bash_history files suddenly linked to /dev/null or anything funny
like that? It might be worth your time to conjure up some `find' magic
on your system, to find any files that might have been modified around
that time.
To prevent it from happening again? You could tighten up access using
hosts.allow and hosts.deny, and only allow from known hosts. I believe
that xinetd has this facility, too. If not, it would certainly be in
tcpd. Or in your ipchains script, if you have one. Or, you could turn
off the ftp server and use scp instead, unless you have a compelling
reason for keeping your ftp daemon running.
Reporting: Really all you can do (to my knowledge) is contact the owner
(hostmaster) of that netblock and copy over the excerpts of your logs,
indicating the time, date and timezone that they indicate, and hope for
the best. Since they are .kr, I wouldn't expect a real rapid response.
Again, I'm certainly no expert on this, so if any expert does want to
correct me, I'm more than willing! :)
--
Craig Sprout
Network Administrator
Crown Parts and Machine, Inc.
http://www.crownpartsandmachine.com/
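Two of the checks suggested in the reply above, written out as an added example (this is not code from the thread or from either poster): a `find` helper that lists regular files whose modification time falls inside a window around the timestamp seen in the logs, and a small evaluator for the hosts.allow / hosts.deny pair that applies the tcp_wrappers order (a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise access is granted). Assumptions: GNU `find` for `-newermt`; the wrappers matcher is a deliberate simplification that handles only `ALL`, exact addresses and trailing-dot network prefixes such as `192.168.1.`, with no `EXCEPT`, wildcards or hostname lookups. The directory tree, file timestamps and access-control files are all constructed by `demo_setup` for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# All paths, timestamps and addresses below are constructed fixtures.

# find_modified_between ROOT 'YYYY-MM-DD HH:MM' 'YYYY-MM-DD HH:MM'
# Prints, sorted, the regular files under ROOT whose mtime is after the
# first stamp and not after the second. Assumes GNU find (-newermt).
# Note: mtime is easy to forge with touch; repeating the search with
# -newerct (inode change time) catches files whose mtime was reset.
find_modified_between() {
  find "$1" -type f -newermt "$2" ! -newermt "$3" | sort
}

# _list_matches LIST VALUE
# LIST is a comma/space separated list of patterns. Supported forms:
#   ALL            matches anything
#   192.168.1.     trailing dot = network prefix
#   10.0.0.5       exact match
_list_matches() {
  list=$(printf '%s' "$1" | tr ',' ' ')
  value=$2
  for pat in $list; do
    case "$pat" in
      ALL) return 0 ;;
      *.)  case "$value" in "$pat"*) return 0 ;; esac ;;
      *)   [ "$pat" = "$value" ] && return 0 ;;
    esac
  done
  return 1
}

# _wrappers_match FILE DAEMON CLIENT -> 0 if any "daemons : clients" line
# in FILE matches both the daemon and the client; comments are ignored.
_wrappers_match() {
  file=$1; daemon=$2; client=$3
  [ -r "$file" ] || return 1
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" | (
    while IFS=: read -r dlist clist _; do
      _list_matches "$dlist" "$daemon" && _list_matches "$clist" "$client" && exit 0
    done
    exit 1
  )
}

# wrappers_allowed DAEMON CLIENT ALLOW_FILE DENY_FILE
# Returns 0 (allowed) or 1 (refused) using the tcp_wrappers evaluation order.
wrappers_allowed() {
  daemon=$1; client=$2; allow=$3; deny=$4
  if _wrappers_match "$allow" "$daemon" "$client"; then return 0; fi
  if _wrappers_match "$deny" "$daemon" "$client"; then return 1; fi
  return 0
}

# demo_setup DIR: constructed fixtures. The suspicious FTP connection is
# assumed to have been logged at 2001-03-04 03:17 local time.
demo_setup() {
  d=$1
  mkdir -p "$d/tree/etc" "$d/tree/bin" "$d/tree/home/david"
  touch -t 200103040100 "$d/tree/etc/passwd"                # two hours before
  touch -t 200103040310 "$d/tree/home/david/.bash_history"  # inside the window
  touch -t 200103040320 "$d/tree/bin/ls"                    # inside the window
  touch -t 200103040600 "$d/tree/etc/motd"                  # hours after
  cat >"$d/hosts.allow" <<'EOF'
# constructed example: ftp only from the office LAN and one admin host
in.ftpd: 192.168.1., 10.0.0.5
sshd: ALL
EOF
  cat >"$d/hosts.deny" <<'EOF'
ALL: ALL
EOF
}

# Stand-alone run: show the window search and a few wrappers decisions.
demo() {
  t=$(mktemp -d)
  demo_setup "$t"
  echo "files modified within 30 minutes of 03:17:"
  find_modified_between "$t/tree" "2001-03-04 02:47" "2001-03-04 03:47"
  for c in 192.168.1.77 10.0.0.5 211.0.0.9; do
    if wrappers_allowed in.ftpd "$c" "$t/hosts.allow" "$t/hosts.deny"; then
      echo "in.ftpd from $c: allowed"
    else
      echo "in.ftpd from $c: refused"
    fi
  done
  rm -rf "$t"
}
demo
```

Run the window search against the real root (`/`) with the timestamp and timezone taken from the log line, and widen the window in both directions if clock skew between the FTP server and the logging host is possible; with the deny file holding `ALL: ALL`, every service not explicitly listed in hosts.allow is refused, which is the "only allow from known hosts" posture described above.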