On Sat, Mar 29, 2003 at 02:35:39PM +0000, Tom Goulet (UID0) imagined:
> On Sat, Mar 29, 2003 at 10:46:02AM -0300, danilo lujambio wrote:
> > Sorry for the length of the message, but I am not a security
> > expert and I have an FTP server secured with the directives
> > that I found in general docs. Yesterday my server was down
> > at 19:30 approx. The only suspicious track that I found is:
> >
> > 18:59:06 web wu-ftpd[10527]: connect from 200.158.144.201
> > Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
> > Mar 28 18:59:07 web wu-ftpd[10527]: PASS [EMAIL PROTECTED]
> > Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
> > Mar 28 18:59:07 web wu-ftpd[10527]: PASS [EMAIL PROTECTED]
>
> Apparently there is a cracking tool that uses this user and
> password for FTP servers. If you were running a version of
> WU-FTPD with a known hole your computer was probably cracked.
>
> I'm not sure what the best way to tell if your instance of
> WU-FTPD had a known vulnerability is. Maybe do "apt-get update
> && apt-get upgrade", and check to see if there is an update
> for the wu-ftpd package.
>
> Even if it seems your WU-FTPD was not exploitable, I'd boot
> from Knoppix and snoop around for backdoors or rootkits.
>
> It is a good idea to run as few internet-listening servers as
> possible. A total of zero internet-listening servers is a
> good goal for a desktop machine.
>
> And lastly, if you still need to run an FTP server, I
> recommend VSFTPD.
> --
> Tom Goulet mail: [EMAIL PROTECTED]

Further to what Tom has said:

o 'apt-get install chkrootkit' will install a utility that checks for
  the presence of (you guessed it) common rootkits. Just run
  'chkrootkit' as root.

o If you have been cracked (and it looks likely) you will need to
  re-install Debian from scratch -- there is really no other reliable
  way to recover from this.

o About 'vsftpd': I agree, this is one of the best you can run, if you
  cannot make do with ssh/scp.

Cheers,
Raymond
--
o Kindly avoid sending proprietary Word or PowerPoint attachments.
  * See http://www.fsf.org/philosophy/no-word-attachments.html
o Plain text email please -- here's why: http://expita.com/nomime.html
o If possible, please send a URL instead of an attachment :-)
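The pattern Tom points at in the quoted log (connect, then USER anonymous / PASS sent twice within the same second) is the fingerprint of a scanner rather than a person typing. The script below is an added example, not code from the thread or from wu-ftpd: it groups wu-ftpd syslog lines by PID into sessions and flags the ones where an anonymous login is sent at machine speed and repeated. The sample log is constructed: it reuses the five lines the original poster quoted (with the archive-masked password replaced by the placeholder "guest@") and adds an invented second session at the pace a human client would produce. The year 2003 is assumed because syslog timestamps carry none; the 2-second and 2-attempt thresholds are my own choice.

```python
import re
from datetime import datetime

# Constructed sample: the five lines quoted in the thread (password
# placeholder "guest@" is mine; the archive masked the real one) plus an
# invented second session (PID 10540) paced like a human client.
SAMPLE_LOG = """\
Mar 28 18:59:06 web wu-ftpd[10527]: connect from 200.158.144.201
Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
Mar 28 18:59:07 web wu-ftpd[10527]: PASS guest@
Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
Mar 28 18:59:07 web wu-ftpd[10527]: PASS guest@
Mar 28 19:02:13 web wu-ftpd[10540]: connect from 192.0.2.10
Mar 28 19:02:45 web wu-ftpd[10540]: USER anonymous
Mar 28 19:02:51 web wu-ftpd[10540]: PASS mozilla@
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"wu-ftpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connect from (?P<ip>\S+)$")


def parse_sessions(text, year=2003):
    """Group wu-ftpd syslog lines by PID (one PID per control connection).

    Each session records the peer address, the connect time and the
    ordered USER/PASS commands seen.  Syslog omits the year, so the
    caller supplies it (assumed 2003 here, the date of the thread).
    """
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        sess = sessions.setdefault(
            int(m["pid"]), {"ip": None, "connect": None, "events": []}
        )
        c = CONNECT_RE.match(m["msg"])
        if c:
            sess["ip"] = c["ip"]
            sess["connect"] = ts
            continue
        cmd, _, arg = m["msg"].partition(" ")
        if cmd.upper() in ("USER", "PASS"):
            sess["events"].append((ts, cmd.upper(), arg))
    return sessions


def scripted_anonymous_logins(sessions, max_delay=2.0, min_attempts=2):
    """Return sessions that look like an automated anonymous-FTP scanner.

    Heuristic (thresholds are assumptions): every USER is anonymous/ftp,
    the first PASS arrives within max_delay seconds of the TCP connect,
    and the USER/PASS pair is sent at least min_attempts times.  A hit
    shows the host was scanned, not that it was exploited; that depends
    on the wu-ftpd version that was actually running.
    """
    hits = []
    for pid, s in sessions.items():
        users = [e for e in s["events"] if e[1] == "USER"]
        passes = [e for e in s["events"] if e[1] == "PASS"]
        if s["connect"] is None or not users or not passes:
            continue
        all_anon = all(u[2].lower() in ("anonymous", "ftp") for u in users)
        delay = (passes[0][0] - s["connect"]).total_seconds()
        attempts = min(len(users), len(passes))
        if all_anon and delay <= max_delay and attempts >= min_attempts:
            hits.append({
                "pid": pid,
                "ip": s["ip"],
                "delay_s": delay,
                "attempts": attempts,
                "passwords": sorted({p[2] for p in passes}),
            })
    return hits


if __name__ == "__main__":
    for hit in scripted_anonymous_logins(parse_sessions(SAMPLE_LOG)):
        print(f"pid {hit['pid']}: {hit['ip']} sent anonymous USER/PASS "
              f"{hit['attempts']}x, first PASS {hit['delay_s']:.0f}s after "
              f"connect, passwords {hit['passwords']}")
```

Run against the sample, only PID 10527 (the poster's session) is reported; the slower session is left alone. Feed it the real daemon log (on Debian of that era usually /var/log/daemon.log or /var/log/syslog, depending on syslog.conf) to list every source address that probed the server the same way, which is useful for a timeline even though, as the thread says, a compromised box should be rebuilt rather than trusted.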