>Yes I am back with silly IP questions again ;-)
>
>Thanks for the above URL, I ran another IP that FTP'd into my RAQ
>(crc.xnet.ro[217.10.198.254]). It reports back with the below, the bad part
>is I don't have any customers in Romania, so now I am on the hunt to chase
>what they may have done in the 5 mins they were FTP'd in. How do I tell what
>user they FTP in with? I know how to ps, ps aux, top, who etc. But I am an
>amateur here and need all the help I can get.
>

Check your /var/log/messages file for a line similar to:

Jun 11 10:33:19 www PAM_pwdb[5946]: (ftp) session opened for user *** by (uid=0)

This line tells you which user logged into FTP and at what time.

I recommend you install Logcheck if you haven't already, which will report
this kind of information back to you on an hourly basis. Check out
http://www.psionic.com/abacus/logcheck for more information. It is very
simple to install, but I would be happy to provide you with instructions
in case you get stuck.

Regards,

Glen Scott

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
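The log check described in the reply above, as an added example that is not part of the original message: a shell function that lists every FTP login recorded by PAM_pwdb with its user, PID and end time. The sample lines and user names are constructed, and the "session closed" line format is an assumption modelled on the "session opened" line quoted in the reply.

```sh
#!/bin/sh
# Constructed sample in the /var/log/messages format quoted above.
# The "session closed" line is an assumed format, modelled on the "opened" line.
sample_log() {
    cat <<'EOF'
Jun 11 10:33:19 www PAM_pwdb[5946]: (ftp) session opened for user alice by (uid=0)
Jun 11 10:34:02 www PAM_pwdb[5950]: (login) session opened for user root by (uid=0)
Jun 11 10:38:41 www PAM_pwdb[5946]: (ftp) session closed for user alice
Jun 11 11:02:07 www PAM_pwdb[6011]: (ftp) session opened for user bob by (uid=0)
EOF
}

# Print one line per FTP login: start time, user, PID, and close time ("-" if none logged).
# Reads the named log file(s), or stdin when called without arguments.
ftp_sessions() {
    awk '
    index($5, "PAM_pwdb[") == 1 && $6 == "(ftp)" && $7 == "session" {
        pid = $5; gsub(/[^0-9]/, "", pid)
        if ($8 == "opened") {
            n++
            start[n] = $1 " " $2 " " $3; user[n] = $11; pidof[n] = pid
            cur[pid] = n                 # PIDs get reused, so track the live session
        } else if ($8 == "closed" && (pid in cur)) {
            ended[cur[pid]] = $3
            delete cur[pid]
        }
    }
    END {
        for (i = 1; i <= n; i++)
            printf "%s user=%s pid=%s closed=%s\n", start[i], user[i], pidof[i],
                   ((i in ended) ? ended[i] : "-")
    }' "$@"
}

sample_log | ftp_sessions
```

On the server itself, call it as `ftp_sessions /var/log/messages` and match the start times against the connection time of the remote host.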
