Subject: System compromised?
To: None <netbsd-help@netbsd.org>
From: Jeff Wyman <wysoft@broncoii.org>
List: netbsd-help
Date: 09/11/2004 03:12:48
I logged into my 1.6.2 system today, and noticed a couple of things that I thought 
were too strange to be coincidence. First of all, in the ftpd xferlog, there are 
89 instances of this activity, which was obviously some sort of connection 
flood. All 89 connections occurred consecutively in a 3 minute period from an 
unknown host:


Sep 10 08:08:33 extremecode ftpd[14602]: FTP LOGIN FAILED FROM OL253-182.fibertel.com.ar
Sep 10 08:08:34 extremecode ftpd[14603]: connection from OL253-182.fibertel.com.ar to extremecode.org


At about the same time, the system was rebooted, reportedly from the console, 
according to 'last'. I did not reboot the system, and nobody else has the power 
to do so. The only other users on my system have access only to chrooted ftp 
accounts, nothing more. The users are also trustworthy.


reboot    ~                         Fri Sep 10 08:13


Is the wtmp database updated with a "reboot" event when the system is going 
down, or when it is coming up?

I was running the default ftpd without the -r option (oops) for a brief period 
of time, as one user had problems accessing an account with that option enabled. 
Is it possible that the system is compromised?  Unfortunately I had no IDS 
installed, so besides this strange behavior, I have no way of knowing if 
anything on the system has changed.

Thanks,

-Jeff Wyman
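The kind of burst described in the post (dozens of "FTP LOGIN FAILED" lines from one host inside a few minutes) is easy to pick out of a syslog-style ftpd log mechanically, which is what one would want before deciding whether the reboot is related. The script below is an added example, not code from the post or from NetBSD: it parses lines shaped like the two quoted above, counts failed logins per source host, and reports any source whose failures exceed a threshold inside a sliding time window. The log lines in SAMPLE_LOG are constructed to resemble the quoted excerpt and are not the poster's real xferlog; the threshold of 5 failures in 3 minutes used in the demo is an assumption chosen to fit the small sample (the post saw 89 connections in 3 minutes), and 2004 is assumed for the year because syslog timestamps carry none.

```python
"""Flag FTP login-failure floods in BSD ftpd/syslog output.

Added example, not part of the mailing-list post. SAMPLE_LOG is constructed
to resemble the two lines quoted in the post; it is not real log data.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical data modelled on the post's excerpt).
SAMPLE_LOG = """\
Sep 10 07:55:02 extremecode ftpd[14590]: connection from host.example.net to extremecode.org
Sep 10 07:55:03 extremecode ftpd[14590]: FTP LOGIN FAILED FROM host.example.net
Sep 10 08:08:33 extremecode ftpd[14602]: FTP LOGIN FAILED FROM OL253-182.fibertel.com.ar
Sep 10 08:08:34 extremecode ftpd[14603]: connection from OL253-182.fibertel.com.ar to extremecode.org
Sep 10 08:08:35 extremecode ftpd[14603]: FTP LOGIN FAILED FROM OL253-182.fibertel.com.ar
Sep 10 08:08:36 extremecode ftpd[14604]: connection from OL253-182.fibertel.com.ar to extremecode.org
Sep 10 08:08:37 extremecode ftpd[14604]: FTP LOGIN FAILED FROM OL253-182.fibertel.com.ar
Sep 10 08:09:40 extremecode ftpd[14605]: connection from OL253-182.fibertel.com.ar to extremecode.org
Sep 10 08:09:41 extremecode ftpd[14605]: FTP LOGIN FAILED FROM OL253-182.fibertel.com.ar
Sep 10 08:10:58 extremecode ftpd[14606]: connection from OL253-182.fibertel.com.ar to extremecode.org
Sep 10 08:10:59 extremecode ftpd[14606]: FTP LOGIN FAILED FROM OL253-182.fibertel.com.ar
Sep 10 08:13:05 extremecode syslogd: restart
Sep 10 12:30:00 extremecode ftpd[15001]: FTP LOGIN FAILED FROM OL253-182.fibertel.com.ar
"""

# "Mon DD HH:MM:SS host ftpd[pid]: message" -- the shape of the quoted lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ ftpd\[\d+\]: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"^FTP LOGIN FAILED FROM (?P<src>\S+)")
CONN_RE = re.compile(r"^connection from (?P<src>\S+) to \S+")


def parse_line(line, year=2004):
    """Return (timestamp, kind, source) for an ftpd line, or None otherwise.

    kind is 'failed' or 'connection'. Syslog omits the year, so the caller
    supplies it (2004 assumed here, the date of the post)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    msg = m.group("msg")
    f = FAILED_RE.match(msg)
    if f:
        return ts, "failed", f.group("src")
    c = CONN_RE.match(msg)
    if c:
        return ts, "connection", c.group("src")
    return None


def _densest_window(times, window_seconds):
    """Largest number of events from a sorted timestamp list that fall within
    any span of window_seconds, plus that span's first and last timestamp."""
    best, span, j = 0, (None, None), 0
    for i, t in enumerate(times):
        while (t - times[j]).total_seconds() > window_seconds:
            j += 1  # slide the left edge forward until the span fits
        if i - j + 1 > best:
            best, span = i - j + 1, (times[j], t)
    return best, span


def find_floods(lines, threshold=20, window_minutes=3, year=2004):
    """Sources with at least `threshold` FTP LOGIN FAILED events inside some
    window_minutes-long span. Returns {source: summary dict}."""
    failures = defaultdict(list)
    connections = defaultdict(int)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, kind, src = parsed
        if kind == "failed":
            failures[src].append(ts)
        else:
            connections[src] += 1
    floods = {}
    for src, times in failures.items():
        times.sort()  # syslog is normally ordered, but do not rely on it
        n, (start, end) = _densest_window(times, window_minutes * 60)
        if n >= threshold:
            floods[src] = {
                "max_in_window": n,
                "window_start": start,
                "window_end": end,
                "total_failures": len(times),
                "connections": connections[src],
            }
    return floods


if __name__ == "__main__":
    for src, s in find_floods(SAMPLE_LOG.splitlines(), threshold=5).items():
        print(f"{src}: {s['max_in_window']} failed logins between "
              f"{s['window_start']:%H:%M:%S} and {s['window_end']:%H:%M:%S} "
              f"({s['total_failures']} total, {s['connections']} connections)")
```

Run it against the real log with `find_floods(open('/var/log/xferlog').read().splitlines())` and the default threshold; a burst like the 89-connection one lands well above it, while a single user fumbling a password does not. The densest-window count, rather than a plain per-day total, is what separates a brute-force run from ordinary failed logins spread over hours.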