Thanks for the help Glen, I need it ;-) I have logcheck installed which is
what alerted me to this FTP client. I will check that message logfile,
thanks.
regards,
Todd Kirk
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Glen Scott
Sent: Wednesday, 20 June 2001 6:48 PM
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] IP listed as restricted doing Whois from
samspade.org
>Yes I am back with silly IP questions again ;-)
>
>Thanks for the above URL, I ran another IP that FTP'd into my RAQ
>(crc.xnet.ro[217.10.198.254]). It reports back with the below, that bad
part
>is I don't have any customers in Romania, so now I am on the hunt to chase
>what they may have done in the 5 mins they were FTP'd in. How do I tell
what
>user they FTP in with? I know how to ps, ps aux, top, who etc. But I am an
>amateur here and need all the help I can get.
>
Check you /var/log/messages file for a line similar to:
Jun 11 10:33:19 www PAM_pwdb[5946]: (ftp) session opened for user ***
by (uid=0)
This line tells you which user logged into FTP and at what time.
I recommend you install Logcheck if you haven't already, which will
report this kind of information back to you on an hourly basis.
Check out http://www.psionic.com/abacus/logcheck for more
information. It is very simple to install, but I would be happy to
provide you with instructions in case you get stuck.
Regards,
Glen Scott
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
