[CLUE-Admin] unusual server activity
Jeff Cann
j.cann at isuma.org
Thu Dec 4 11:33:58 MST 2003
On Thursday 04 December 2003 10:45 am, Lynn Danielson wrote:
> Jeff,
>
> I'm seeing some activity on our server that I don't understand.
> The "last" command shows a fair bit of activity by user ftp
> from various ip addresses. Both the ftp account and services
> have been disabled. So, I don't understand why there would
> be any ftp user activity.

I don't either, but it does not look like they could do anything, since the
time periods (from last) are 00:00:

lynnd    pts/0        c-67-162-141-196 Wed Dec 3 20:21 - 02:12 (05:50)
dave     pts/1        dsl-pool1-114.pr Wed Dec 3 17:37 - 17:38 (00:01)
lynnd    pts/0        170.207.55.1     Wed Dec 3 16:53 - 19:07 (02:13)
ftp      ftpd25046    f13m-12-134.d1.c Wed Dec 3 00:56 - 00:56 (00:00)
lynnd    pts/0        c-67-162-141-196 Mon Dec 1 21:42 - 00:49 (03:07)
lynnd    pts/0        170.207.55.1     Mon Dec 1 16:08 - 18:57 (02:49)
ftp      ftpd16049    AOrleans-103-1-3 Mon Dec 1 09:36 - 09:36 (00:00)

My guess is script kiddies looking for FTP vulnerabilities. It is troubling
that someone is logging in as ftp. Perhaps we should disable the 'ftp'
account? At a minimum, we should change the password.

Jeff
--
http://isuma.org/
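
The check discussed in this message, as an added example that is not part of the original post: a filter over `last` output that reports every session recorded for an account that should have none, or on an `ftpd<pid>` line, and marks the zero-length ones. The function names `flag_disabled_logins` and `sample_last_output` are hypothetical; the sample lines are four of the `last` lines quoted in the message.

```shell
#!/bin/sh
# Added example, not code from the original post.
# flag_disabled_logins (hypothetical name) reads `last` output on stdin.
# Arguments: account names that are expected to have no sessions at all.
# Usage on a live host:  last | flag_disabled_logins ftp
flag_disabled_logins() {
    awk -v accounts="$*" '
    BEGIN {
        n = split(accounts, a, " ")
        for (i = 1; i <= n; i++) watch[a[i]] = 1
    }
    # Skip blank lines and the "wtmp begins ..." trailer.
    NF < 4 || $1 == "wtmp" { next }
    # Match on the account name or on an ftpd<pid> line name, so the
    # entry is still caught if the FTP user is not literally "ftp".
    ($1 in watch) || $2 ~ /^ftpd[0-9]+$/ {
        # The duration is the last field; open sessions have none.
        dur = ($NF ~ /^\(/) ? $NF : "open"
        kind = (dur == "(00:00)") ? "zero-length" : "session"
        # `last` truncates the host column, so report it as printed.
        printf "%s user=%s tty=%s host=%s when=%s %s %s dur=%s\n",
               kind, $1, $2, $3, $5, $6, $7, dur
    }'
}

# Sample input: lines from the `last` output quoted in the message.
sample_last_output() {
    cat <<'EOF'
lynnd pts/0 c-67-162-141-196 Wed Dec 3 20:21 - 02:12 (05:50)
ftp ftpd25046 f13m-12-134.d1.c Wed Dec 3 00:56 - 00:56 (00:00)
lynnd pts/0 170.207.55.1 Mon Dec 1 16:08 - 18:57 (02:49)
ftp ftpd16049 AOrleans-103-1-3 Mon Dec 1 09:36 - 09:36 (00:00)
EOF
}

sample_last_output | flag_disabled_logins ftp
```

A session that opens and closes within the same minute still means the daemon accepted the login and wrote a wtmp record, so any line this prints for a disabled account is worth matching against the FTP daemon's own log.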