Subject: Crackers getting into FTPD ?
To: None <netbsd-help@netbsd.org>
From: Mike Cheponis <mac@Wireless.Com>
List: current-users
Date: 06/05/2001 20:16:26
I was looking at my /var/log/xferlog files and noticed that a LOT of strange
machines were getting access to my NetBSD machine.  I have anonymous
FTP turned off, but otherwise FTP is enabled in /etc/inetd.conf  -  and
here's what I see:


Apr 19 13:45:32 G ftpd[5190]: connection from 202.144.164.2 to G.Culver.Net
Apr 20 17:13:29 G ftpd[6222]: connection from h24-78-185-192.vn.shawcable.net to G.Culver.Net
Apr 22 11:03:35 G ftpd[7877]: connection from cm-12-39-79-137.bullhead.npg.ispchannel.com to G.Culver.Net
Apr 22 13:22:12 G ftpd[7926]: connection from c73274-a.frmt1.sfba.home.com to G.Culver.Net
Apr 23 01:35:08 G ftpd[8185]: connection from pD900AF7B.dip.t-dialin.net to G.Culver.Net
Apr 29 21:06:29 G ftpd[14096]: connection from gosax1-194.dialup.optusnet.com.au to G.Culver.Net
May  3 20:26:44 G ftpd[1070]: connection from pool21.primacom.net to G.Culver.Net
May  4 21:18:49 G ftpd[1955]: connection from pD90309AC.dip.t-dialin.net to G.Culver.Net
May  9 04:59:17 G ftpd[1798]: getpeername (ftpd): Socket is not connected
May  9 19:41:36 G ftpd[2757]: connection from cc382751-b.narltn1.nj.home.com to G.Culver.Net
May 18 08:03:16 G ftpd[18928]: connection from HSE-Toronto-ppp129951.sympatico.ca to G.Culver.Net



How are these crackers getting access?  I have exactly ONE account on these
machines, with a pretty darn non-obvious password.

This is 1.5T

My other machines are also getting hit, running 1.5.1_BETA

Any thoughts appreciated, because now I'm VERY spooked!

Thanks -Mike
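
Added example (not part of the original message, and not NetBSD project code): a Python script that groups ftpd syslog lines like the ones quoted above by ftpd process id, so that each "connection from" record can be checked for anything else the same ftpd process logged. The sample input is a subset of the lines from the message; the function and field names are illustrative.

```python
import re

# Subset of the log lines quoted in the message above, copied unmodified.
SAMPLE = """\
Apr 19 13:45:32 G ftpd[5190]: connection from 202.144.164.2 to G.Culver.Net
Apr 23 01:35:08 G ftpd[8185]: connection from pD900AF7B.dip.t-dialin.net to G.Culver.Net
May  4 21:18:49 G ftpd[1955]: connection from pD90309AC.dip.t-dialin.net to G.Culver.Net
May  9 04:59:17 G ftpd[1798]: getpeername (ftpd): Socket is not connected
May  9 19:41:36 G ftpd[2757]: connection from cc382751-b.narltn1.nj.home.com to G.Culver.Net
"""

# syslog prefix: "Mon DD HH:MM:SS host ftpd[pid]: message"
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                  r"ftpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONN = re.compile(r"^connection from (?P<peer>\S+) to (?P<local>\S+)$")

def parse_sessions(text):
    """Group ftpd lines into sessions, one per ftpd process."""
    sessions, current = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m is None:
            continue  # not an ftpd syslog line
        c = CONN.match(m["msg"])
        if c or m["pid"] not in current:
            # A connection record (or an unseen pid) starts a new session.
            # Pids are reused over weeks of logs, so never merge across
            # two connection records that happen to share a pid.
            s = {"pid": int(m["pid"]), "start": m["ts"],
                 "peer": c["peer"] if c else None, "other": []}
            sessions.append(s)
            current[m["pid"]] = s
        if not c:
            current[m["pid"]]["other"].append(m["msg"])
    return sessions

def summarize(sessions):
    """Split sessions into connection-only ones and ones that logged more."""
    connect_only = [s for s in sessions if s["peer"] and not s["other"]]
    needs_review = [s for s in sessions if s["other"]]
    peers = sorted({s["peer"] for s in connect_only})
    return connect_only, needs_review, peers

if __name__ == "__main__":
    only, review, peers = summarize(parse_sessions(SAMPLE))
    print(f"{len(only)} connection-only sessions from {len(peers)} peers")
    for s in review:
        print(f"review pid {s['pid']} ({s['start']}): {s['other']}")
```

Run against the full log file rather than the sample, the "review" list is where to look first: it holds every ftpd process that logged anything beyond its connection record.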