Subject: Re: Crackers getting into FTPD ?
To: Mike Cheponis <mac@Wireless.Com>
From: James Sharp <firstname.lastname@example.org>
Date: 06/05/2001 23:06:51
> Apr 19 13:45:32 G ftpd: connection from 126.96.36.199 to G.Culver.Net
> Apr 20 17:13:29 G ftpd: connection from h24-78-185-192.vn.shawcable.net to G.Culver.Net
> Apr 22 11:03:35 G ftpd: connection from cm-12-39-79-137.bullhead.npg.ispchannel.com to G.Culver.Net
> Apr 22 13:22:12 G ftpd: connection from c73274-a.frmt1.sfba.home.com to G.Culver.Net
> Apr 23 01:35:08 G ftpd: connection from pD900AF7B.dip.t-dialin.net to G.Culver.Net
> Apr 29 21:06:29 G ftpd: connection from gosax1-194.dialup.optusnet.com.au to G.Culver.Net
> May 3 20:26:44 G ftpd: connection from pool21.primacom.net to G.Culver.Net
> May 4 21:18:49 G ftpd: connection from pD90309AC.dip.t-dialin.net to G.Culver.Net
> May 9 04:59:17 G ftpd: getpeername (ftpd): Socket is not connected
> May 9 19:41:36 G ftpd: connection from cc382751-b.narltn1.nj.home.com to G.Culver.Net
> May 18 08:03:16 G ftpd: connection from HSE-Toronto-ppp129951.sympatico.ca to G.Culver.Net
> How are these crackers getting access? I have exactly ONE account on these
> machines, with a pretty darn non-obvious password.
> This is 1.5T
That's just them connecting...they're not actually authenticating and
logging in. They're probing & poking to see if they can get in.