[CLUE-Admin] unusual server activity

Lynn Danielson lynnd at techangle.com
Fri Dec 5 13:43:48 MST 2003


Jed S. Baer wrote:

> IIRC, WU-ftp will run standalone, although I don't remember the gory 
> details.
>
> I know it's probably too late, but is there any way to answer the question
> of how an ftp daemon got started? If not by inetd, then ...? Do we have
> any forensics available (tripwire)?

No tripwire.  No snort.  I for one would like to know how the ftp
daemon got started.  The only mechanism I was aware of was the
inet daemon and that seems to be what is/was allowing the access.
Even though the only ftp service not commented out in /etc/services
is sftp and all ftp daemon info is commented out in /etc/inetd.conf,
inetd will start up the wu-ftp daemon as long as that daemon exists
and is executable.

So, why doesn't it open up telnet and every other service for which
we have an existing daemon program?  Can someone portscan our
box and see what responds?  To the best of my knowledge, the only
ports that should be open are 22 (ssh), 25 (smtp) and 80 (http).

Lynn
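
One way to check which services inetd is actually configured to start, and whether any of them fall outside the ports named above (22, 25, 80). This is an added example, not part of the original message. The sample files are constructed, and the names make_samples and audit_inetd are hypothetical.

```shell
#!/bin/sh
# Constructed sample files (not taken from the original post).
make_samples() {
    cat > "$1/inetd.conf" <<'EOF'
# <service> <socktype> <proto> <wait> <user> <server> <args>
#ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
  ftp   stream tcp nowait root /usr/sbin/in.ftpd in.ftpd -l
smtp    stream tcp nowait root /usr/sbin/sendmail sendmail -bs
EOF
    cat > "$1/services" <<'EOF'
ftp     21/tcp
ssh     22/tcp
#telnet 23/tcp
smtp    25/tcp   mail
http    80/tcp   www
EOF
}

# audit_inetd CONF SERVICES "ALLOWED PORTS"
# Prints one line per active (uncommented) inetd entry:
#   STATUS service port/proto server-program
audit_inetd() {
    awk -v allowed="$3" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # First file (services): map name/proto and aliases to a port.
        FNR == NR {
            sub(/#.*/, "")                 # drop comments, fields are re-split
            if (NF < 2) next
            split($2, pp, "/")
            for (i = 1; i <= NF; i++) if (i != 2) port[$i "/" pp[2]] = pp[1]
            next
        }
        # Second file (inetd.conf): skip blank lines and commented entries.
        NF == 0 || $1 ~ /^#/ { next }
        NF >= 6 {
            p = port[$1 "/" $3]
            if (p == "") status = "UNKNOWN"
            else if (p in ok) status = "OK"
            else status = "UNEXPECTED"
            printf "%s %s %s/%s %s\n", status, $1, (p == "" ? "?" : p), $3, $6
        }
    ' "$2" "$1"
}

tmp=$(mktemp -d)
make_samples "$tmp"
audit_inetd "$tmp/inetd.conf" "$tmp/services" "22 25 80"
rm -rf "$tmp"
```

On a real host the arguments would be /etc/inetd.conf and /etc/services; comparing the result with the sockets that are actually listening shows whether something other than inetd started a daemon.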





