Re: is someone hacking me?

From: Trevor Jenkins (Trevor.Jenkins@suneidesis.com)
Date: 02/28/02


    From: Trevor.Jenkins@suneidesis.com (Trevor Jenkins)
    Date: 28 Feb 2002 09:29:31 GMT
    
    

    On Thu, 28 Feb 2002 05:56:19 GMT, ITC(SW) Scott Smith <richard-smith@hawaii.rr.com> wrote:

    > Tony wrote:
    >
    > > I am getting tons of these in my logs. Am I getting hacked?
    > >
    > > Feb 27 19:01:16 ldt xinetd[662]: EXIT: ftp pid=5822 duration=5(sec)
    > > Feb 27 19:09:35 ldt xinetd[662]: START: ftp pid=5824 from=202.180.116.245
    >
    > Hard to say but really doesn't look it just from what you are showing
    > us. I take it you have your FTP service running. If you do, then you
    > will inevitably get people trying to FTP into your system.

    I see similar entries in our firewall log but we do not allow forwarding to
    port 21. Also there's no FTP server running on any of our systems. The
    perps are clearly probing (here) for a server with server
    vulnerabilities. How do I know that? Because our static IP address does not
    have a DNS associated with it. The only way to reach our firewall is using
    a dotted IP address.

    > If you are not intentionally running an FTP server, shut down or kill
    > wuftpd PID and probably need to edit your /etc/xinetd.d/wuftpd or
    > equivalent file to keep it from restarting.

    Excellent advice. Prior to erecting the firewall one of our systems had an
    FTP server running. Some script kiddy exploited a vulnerability and
    installed an ircbot. That was dealt with very quickly.

    Other stuff that fills the firewall logs here are NETBIOS-NS probes. Most
    of these can be correlated with our users surfing to web sites hosted on
    machines with Microsoft IIS. The host's operators have not blocked that
    port outgoing. For unscrupulous surfers this could be used to identify lazy
    sysadmins; for me it is bad net.izenship on the part of those sysadmins
    spewing unnecessary packets out on the net and reducing the bandwidth.

    Regards, Trevor

    British Sign Language is not inarticulate handwaving; it's a living language.
    Support the campaign for formal recognition by the British government now!
    Details at http://www.fdp.org.uk/ or http://www.bsl-march.co.uk/

    -- 
    

    <>< Re: deemed!
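
The xinetd START/EXIT records quoted in this thread can be paired by pid to see which sources connect to the FTP service repeatedly and leave within seconds. This is an added example, not part of the original post: apart from the two log lines quoted in the thread, the sample lines are constructed, and the thresholds in `repeat_short_visitors` are assumptions.

```python
import re
from collections import defaultdict

HEAD = re.compile(r"xinetd\[\d+\]: (START|EXIT): (\S+) (.*)")
FIELD = re.compile(r"(\w+)=(\S+)")
# First two lines are the ones quoted in the thread; the rest are constructed.
SAMPLE = """\
Feb 27 19:01:16 ldt xinetd[662]: EXIT: ftp pid=5822 duration=5(sec)
Feb 27 19:09:35 ldt xinetd[662]: START: ftp pid=5824 from=202.180.116.245
Feb 27 19:12:01 ldt xinetd[662]: START: ftp pid=5830 from=192.0.2.10
Feb 27 19:12:03 ldt xinetd[662]: EXIT: ftp pid=5830 duration=2(sec)
Feb 27 19:20:10 ldt xinetd[662]: START: ftp pid=5841 from=198.51.100.7
Feb 27 19:25:44 ldt xinetd[662]: START: ftp pid=5850 from=192.0.2.10
Feb 27 19:25:47 ldt xinetd[662]: EXIT: ftp pid=5850 duration=3(sec)
Feb 27 19:34:10 ldt xinetd[662]: EXIT: ftp pid=5841 duration=840(sec)
Feb 27 19:40:30 ldt xinetd[662]: START: ftp pid=5862 from=192.0.2.10
Feb 27 19:40:32 ldt xinetd[662]: EXIT: ftp pid=5862 duration=2(sec)
""".splitlines()

def summarize(lines, service="ftp"):
    """Pair START/EXIT records by pid; return {source: [seconds or None]}."""
    open_pids = {}                    # pid -> source of a session still open
    sessions = defaultdict(list)
    for line in lines:
        m = HEAD.search(line)
        if not m or m.group(2) != service:
            continue
        fields = dict(FIELD.findall(m.group(3)))
        pid = fields.get("pid")
        if m.group(1) == "START" and "from" in fields:
            open_pids[pid] = fields["from"]
        elif m.group(1) == "EXIT" and pid in open_pids:
            secs = int(fields.get("duration", "0").split("(")[0])
            sessions[open_pids.pop(pid)].append(secs)
        # An EXIT whose START predates the excerpt names no source: skipped.
    for src in open_pids.values():    # no EXIT seen yet
        sessions[src].append(None)
    return dict(sessions)

def repeat_short_visitors(sessions, min_sessions=3, max_seconds=10):
    """Sources with several completed sessions, every one of them brief."""
    hits = []
    for src, durs in sessions.items():
        done = [d for d in durs if d is not None]
        if len(done) >= min_sessions and max(done) <= max_seconds:
            hits.append(src)
    return sorted(hits)

print(repeat_short_visitors(summarize(SAMPLE)))
```

A source flagged here is only a candidate for a closer look; the FTP daemon's own log shows whether any login was attempted or succeeded.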


