[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: FTP Hacker question

Subject: Re: FTP Hacker question
From: Dan Shoop <email@hidden>
Date: Tue, 20 Feb 2007 11:47:10 -0500
Delivered-to: email@hidden
Delivered-to: email@hidden

At 10:07 AM -0500 2/20/07, Matt Mashyna wrote:

When I leave my FTP service up for a while I collect ftpd processes. It looks like robots trying to break in. Server Admin tells me that I have X authenticated users but the log shows nothing.


*Which* log are you looking at?

I have logging turned all the way up but I don't see anything going on. How can I see what's really happening.


How did you 'turn up' logging? Where did you set the source for the logging?

Here's an example from the terminal:
root# ps -aux | grep ftp root 1676 0.0 0.1 28132 1308 ?? S 9:22AM 0:00.11 ftpd: stat.vandussen.com: connected: IDLE root 2009 0.0 0.1 28132 1316 ?? S 9:36AM 0:00.11 ftpd: 216-241-50-251.static-ip.telepacifi
Watch as I kill them...
root# kill 1676 2009
And they come right back!
root# ps -aux | grep ftp root 2138 0.0 0.0 27244 448 ?? Ss 9:43AM 0:00.01 /usr/libexec/launchproxy xftpd -a root 2139 0.0 0.1 28132 1320 ?? S 9:43AM 0:00.11 ftpd: stat.vandussen.com: connected: IDLE root 2140 0.0 0.1 28132 1320 ?? S 9:43AM 0:00.10 ftpd: 216-241-50-251.static-ip.telepacifi

Any ideas ? I sure would like to close this hole.

Hole? It's how ftp operates. If you don't want ftpd processes shut off ftp. Period.

I can't understand how they can be authenticated but not show up in a log.


What makes you think they have authenticated?

Are these processes active for periods of time?
--

-dhan

------------------------------------------------------------------------
Dan Shoop                                                   AIM: iWiring
Systems & Networks Architect                      http://www.ustsvs.com/
email@hidden                                http://www.iwiring.net/
1-714-363-1174

"The wise man doesn't give the right answers, he poses the right
questions." -- Claude Levi-Strauss

------------------------------------------------------------------------

iWiring provides systems and networks support for Mac OS X, unix, and
Open Source application technologies at affordable rates.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden

This email sent to email@hidden

References:
	>FTP Hacker question (From: Matt Mashyna <email@hidden>)

Prev by Date: Re: LDAP Binding failed, Startup freeze
Next by Date: (no subject)
Previous by thread: Re: FTP Hacker question
Next by thread: LDAP Binding failed, Startup freeze
Index(es):
- Date
- Thread

Home