Re: is someone hacking me?

From: ITC(SW) Scott Smith (richard-smith@hawaii.rr.com)
Date: 02/28/02


Tony wrote:

> I am getting tons of these in my logs. Am I getting hacked?
>
>
> Feb 27 19:01:16 ldt xinetd[662]: EXIT: ftp pid=5822 duration=5(sec)
> Feb 27 19:09:35 ldt xinetd[662]: START: ftp pid=5824 from=202.180.116.245
> Feb 27 19:09:42 ldt xinetd[662]: EXIT: ftp pid=5824 duration=7(sec)
> Feb 27 19:11:35 ldt xinetd[662]: START: ftp pid=5827 from=202.180.116.245
> Feb 27 19:11:41 ldt xinetd[662]: EXIT: ftp pid=5827 duration=6(sec)
> Feb 27 19:12:36 ldt xinetd[662]: START: ftp pid=5828 from=202.180.116.245
> Feb 27 19:12:41 ldt xinetd[662]: EXIT: ftp pid=5828 duration=5(sec)
> Feb 27 19:21:54 ldt xinetd[662]: START: ftp pid=5831 from=202.180.116.245
> Feb 27 19:21:59 ldt xinetd[662]: EXIT: ftp pid=5831 duration=5(sec)
> Feb 27 19:23:46 ldt xinetd[662]: START: ftp pid=5832 from=202.180.116.245
> Feb 27 19:23:51 ldt xinetd[662]: EXIT: ftp pid=5832 duration=5(sec)
> Feb 27 19:29:19 ldt xinetd[662]: START: ftp pid=5833 from=202.180.116.245
> Feb 27 19:29:27 ldt xinetd[662]: EXIT: ftp pid=5833 duration=8(sec)
> Feb 27 19:29:52 ldt xinetd[662]: START: ftp pid=5834 from=202.180.116.245
> Feb 27 19:29:58 ldt xinetd[662]: EXIT: ftp pid=5834 duration=6(sec)
> Feb 27 19:40:53 ldt xinetd[662]: START: ftp pid=5839 from=202.180.116.245
> Feb 27 19:41:01 ldt xinetd[662]: EXIT: ftp pid=5839 duration=8(sec)
> Feb 27 19:46:21 ldt xinetd[662]: START: ftp pid=5840 from=202.180.116.245
> Feb 27 19:46:31 ldt xinetd[662]: EXIT: ftp pid=5840 duration=10(sec)
> Feb 27 19:49:31 ldt xinetd[662]: START: ftp pid=5841 from=171.64.185.159
> Feb 27 19:49:36 ldt xinetd[662]: START: ftp pid=5842 from=171.64.185.159
> Feb 27 19:49:36 ldt xinetd[662]: EXIT: ftp pid=5842 duration=0(sec)
> Feb 27 19:49:36 ldt xinetd[662]: START: ftp pid=5843 from=171.64.185.159
> Feb 27 19:49:37 ldt xinetd[662]: EXIT: ftp pid=5843 duration=1(sec)
> Feb 27 19:49:37 ldt xinetd[662]: START: ftp pid=5844 from=171.64.185.159
> Feb 27 19:49:37 ldt xinetd[662]: EXIT: ftp pid=5841 duration=6(sec)
> Feb 27 19:49:44 ldt xinetd[662]: START: ftp pid=5845 from=171.64.185.159
> Feb 27 19:50:39 ldt xinetd[662]: START: ftp pid=5848 from=171.64.185.159
> Feb 27 19:50:40 ldt xinetd[662]: START: ftp pid=5849 from=171.64.185.159
> Feb 27 19:51:15 ldt xinetd[662]: EXIT: ftp pid=5845 duration=91(sec)
> Feb 27 19:51:22 ldt xinetd[662]: START: ftp pid=5850 from=202.180.116.245
>

Hard to say, but it really doesn't look like it just from what you are showing
us. I take it you have your FTP service running. If you do, then you
will inevitably get people trying to FTP into your system. By the amount
of time each entry denotes, it looks like failed logon attempts. Check your
error logs and/or FTP (/var/log/xferlog) logs to validate this.

If you are not intentionally running an FTP server, shut down or kill
the wuftpd PID, and you probably need to edit your /etc/xinetd.d/wuftpd or
equivalent file to keep it from restarting.

Looks like the below. Change the disable statement to yes.

# default: on
# description: The wu-ftpd FTP server serves FTP connections. It uses \
#              normal, unencrypted usernames and passwords for authentication.
service ftp
{
        disable = yes
        socket_type = stream
        wait = no
        user = ftpuser
        server = ...............
        server_args = -l -a
        log_on_success += DURATION USERID
        log_on_failure += USERID
        nice = 10
}

Wuftpd is the default server that comes with RH; yours may vary, but
the premise is you need to shut down/disable your ftp daemon if you do
not need it.
R/Scott
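Scott's reading of the short durations as failed logons can be checked mechanically before opening xferlog. The script below is an added example, not part of the original thread: it pairs xinetd START/EXIT lines by pid and counts, per source address, how many sessions ended within a few seconds. The sample input is ten lines from Tony's quoted log; the short_secs and min_short thresholds are assumptions.

```python
import re
from collections import defaultdict

# Ten lines taken from the xinetd log quoted in Tony's post (sample input).
SAMPLE_LOG = """\
Feb 27 19:09:35 ldt xinetd[662]: START: ftp pid=5824 from=202.180.116.245
Feb 27 19:09:42 ldt xinetd[662]: EXIT: ftp pid=5824 duration=7(sec)
Feb 27 19:11:35 ldt xinetd[662]: START: ftp pid=5827 from=202.180.116.245
Feb 27 19:11:41 ldt xinetd[662]: EXIT: ftp pid=5827 duration=6(sec)
Feb 27 19:49:31 ldt xinetd[662]: START: ftp pid=5841 from=171.64.185.159
Feb 27 19:49:36 ldt xinetd[662]: START: ftp pid=5842 from=171.64.185.159
Feb 27 19:49:36 ldt xinetd[662]: EXIT: ftp pid=5842 duration=0(sec)
Feb 27 19:49:37 ldt xinetd[662]: EXIT: ftp pid=5841 duration=6(sec)
Feb 27 19:49:44 ldt xinetd[662]: START: ftp pid=5845 from=171.64.185.159
Feb 27 19:51:15 ldt xinetd[662]: EXIT: ftp pid=5845 duration=91(sec)
"""

START_RE = re.compile(r"xinetd\[\d+\]: START: (\S+) pid=(\d+) from=(\S+)")
EXIT_RE = re.compile(r"xinetd\[\d+\]: EXIT: (\S+) pid=(\d+) duration=(\d+)\(sec\)")

def summarize(log_text, service="ftp", short_secs=10):
    """Pair START/EXIT by pid; return {src: {"sessions", "short", "total_secs"}}.
    A session that exits within short_secs is what Scott reads as a failed logon."""
    open_sessions = {}  # pid -> source address, for sessions not yet exited
    stats = defaultdict(lambda: {"sessions": 0, "short": 0, "total_secs": 0})
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m and m.group(1) == service:
            open_sessions[m.group(2)] = m.group(3)
            continue
        m = EXIT_RE.search(line)
        if m and m.group(1) == service:
            src = open_sessions.pop(m.group(2), None)
            if src is None:  # START fell outside the captured log window
                continue
            dur = int(m.group(3))
            s = stats[src]
            s["sessions"] += 1
            s["total_secs"] += dur
            if dur <= short_secs:
                s["short"] += 1
    return dict(stats)

def suspicious_sources(log_text, min_short=2, **kw):
    """Sources with at least min_short short sessions, most short sessions first."""
    stats = summarize(log_text, **kw)
    hits = [src for src, s in stats.items() if s["short"] >= min_short]
    return sorted(hits, key=lambda src: stats[src]["short"], reverse=True)
```

Sources it returns are the ones to look up in xferlog; a source with many short sessions and no transfers logged there is the failed-logon pattern Scott describes.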


