Subject: Crackers getting into FTPD ?
To: None <firstname.lastname@example.org>
From: Mike Cheponis <mac@Wireless.Com>
Date: 06/05/2001 20:16:26
I was looking at my /var/log/xferlog files and noticed that a LOT of strange
machines were getting access to my NetBSD machine. I have anonymous
FTP turned off, but otherwise FTP is enabled in /etc/inetd.conf - and
here's what I see:
Apr 19 13:45:32 G ftpd: connection from 188.8.131.52 to G.Culver.Net
Apr 20 17:13:29 G ftpd: connection from h24-78-185-192.vn.shawcable.net to G.Culver.Net
Apr 22 11:03:35 G ftpd: connection from cm-12-39-79-137.bullhead.npg.ispchannel.com to G.Culver.Net
Apr 22 13:22:12 G ftpd: connection from c73274-a.frmt1.sfba.home.com to G.Culver.Net
Apr 23 01:35:08 G ftpd: connection from pD900AF7B.dip.t-dialin.net to G.Culver.Net
Apr 29 21:06:29 G ftpd: connection from gosax1-194.dialup.optusnet.com.au to G.Culver.Net
May 3 20:26:44 G ftpd: connection from pool21.primacom.net to G.Culver.Net
May 4 21:18:49 G ftpd: connection from pD90309AC.dip.t-dialin.net to G.Culver.Net
May 9 04:59:17 G ftpd: getpeername (ftpd): Socket is not connected
May 9 19:41:36 G ftpd: connection from cc382751-b.narltn1.nj.home.com to G.Culver.Net
May 18 08:03:16 G ftpd: connection from HSE-Toronto-ppp129951.sympatico.ca to G.Culver.Net
How are these crackers getting access? I have exactly ONE account on these
machines, with a pretty darn non-obvious password.
This is 1.5T
My other machines are also getting hit, running 1.5.1_BETA
Any thoughts appreciated, because now I'm VERY spooked!