On Sat, Mar 29, 2003 at 10:46:02AM -0300, danilo lujambio wrote:
> Sorry for the length of the message, but I am not a security expert and I
> have an FTP server secured with the directives that I found in general
> docs. Yesterday my server was down at approx. 19:30; the only suspicious
> track that I found is:
> 18:59:06 web wu-ftpd[10527]: connect from 200.158.144.201
> Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
> Mar 28 18:59:07 web wu-ftpd[10527]: PASS [EMAIL PROTECTED]
> Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
> Mar 28 18:59:07 web wu-ftpd[10527]: PASS [EMAIL PROTECTED]

Apparently there is a cracking tool that uses this user and password for FTP servers. If you were running a version of WU-FTPD with a known hole, your computer was probably cracked.

I'm not sure what the best way is to tell if your instance of WU-FTPD had a known vulnerability. Maybe do "apt-get update && apt-get upgrade", and check to see if there is an update for the wu-ftpd package.

Even if it seems your WU-FTPD was not exploitable, I'd boot from Knoppix and snoop around for backdoors or rootkits.

It is a good idea to run as few internet-listening servers as possible. A total of zero internet-listening servers is a good goal for a desktop machine.

And lastly, if you still need to run an FTP server, I recommend VSFTPD.

-- 
Tom Goulet                  mail: [EMAIL PROTECTED]
UID0 Unix Consulting        web: em.ca/uid0/
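
An added example, not part of the original messages: a small Python triage script for the log pattern quoted above, where one wu-ftpd session sends USER anonymous more than once. The sample lines, addresses, passwords and function names are constructed, and treating a repeated anonymous login as worth review is an assumption of this example, not a confirmed signature of any tool.

```python
import re

# Constructed sample in the syslog format quoted above (documentation addresses).
SAMPLE_LOG = """\
Mar 28 18:59:06 web wu-ftpd[10527]: connect from 192.0.2.10
Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
Mar 28 18:59:07 web wu-ftpd[10527]: PASS guest@example.invalid
Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
Mar 28 18:59:07 web wu-ftpd[10527]: PASS guest@example.invalid
Mar 28 19:12:40 web wu-ftpd[10611]: connect from 198.51.100.7
Mar 28 19:12:44 web wu-ftpd[10611]: USER anonymous
Mar 28 19:12:51 web wu-ftpd[10611]: PASS user@example.invalid
"""

# The date prefix is optional because pasted excerpts sometimes lose it.
LINE_RE = re.compile(
    r"^(?:\w{3}\s+\d+\s+)?\d\d:\d\d:\d\d\s+\S+\s+"
    r"wu-ftpd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)

def sessions(log_text):
    """Split wu-ftpd lines into sessions; a 'connect from' line opens a new
    session, so a PID reused by a later connection is not merged with it."""
    open_by_pid, found = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a wu-ftpd line
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connect from "):
            open_by_pid[pid] = {"pid": pid, "source": msg.split()[-1], "users": []}
            found.append(open_by_pid[pid])
        elif msg.startswith("USER ") and pid in open_by_pid:
            open_by_pid[pid]["users"].append(msg[5:].strip())
    return found

def repeated_anonymous_logins(log_text):
    """Return (pid, source) for sessions that sent USER anonymous more than once."""
    return [(s["pid"], s["source"]) for s in sessions(log_text)
            if s["users"].count("anonymous") > 1]

if __name__ == "__main__":
    for pid, src in repeated_anonymous_logins(SAMPLE_LOG):
        print(f"review session pid={pid} from {src}: repeated anonymous login")
```

A hit only marks a session for review; the host checks described in the reply above are still what determines whether the machine was compromised.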