I almost had the same problem. But the little assh#ole couldn't get in. It came from the same network as the guy that hacked you. I sent a nice nasty letter to the email addy found using whois. They wrote me back saying that IP belonged to another outfit and forwarded my complaint to them. Haven't seen a thing since. Yes, I run proftp.

On Star Date Thursday 27 June 2002 05:55 pm, daRcmaTTeR sent this sub-space message.
> On Thu, 27 Jun 2002, J. Craig Woods wrote:
> > David Rankin wrote:
> > > Guys, Gals:
> > >
> > > It looks like I may have been successfully hacked! I don't know and
> > > I need your help to find out. I have had many folks test my security,
> > > but no one has gotten in until now. The following appeared in a review
> > > of my syslog:
> > >
> > > Jun 17 23:52:57 Nemesis xinetd[27314]: START: ftp pid=26954 from=210.180.201.125
> > > Jun 17 23:52:59 Nemesis xinetd[26954]: USERID: ftp OTHER :root
> > > Jun 17 23:58:35 Nemesis xinetd[27314]: START: telnet pid=26963 from=127.0.0.1
> > > Jun 18 00:08:02 Nemesis xinetd[27314]: EXIT: ftp pid=26954 duration=905(sec)
> > >
> > > The 210 IP is some Korean address from the Asian Pacific Network.
> > >
> > > My first question is does it look like a successful hack? Second
> > > question is, if so, what do I check to find out if they caused any
> > > harm, installed a root kit, etc....?
> > >
> > > As always, thanks for any help you can provide.
> >
> > David, say it ain't so. You are *NOT* running a ftp service on your
> > computer connected to the internet, right? Well it looks like you are
> > doing just that. What type of ftp client, and what version is it? Are
> > you running any kind of file monitoring, such as tripwire? Do you
> > have any programs for detecting rootkits? What is msec reporting about
> > system and file changes? Time to start checking md5sums against original
> > files off the install media. And shut down ftp immediately, if not
> > sooner....
> >
> > drjung
>
> I don't know doc...from the look of that log entry it might be just as
> easy to simply reload the machine. And if you must run an ftp service do
> like the rest of us do. Use proftpd and set a password for the darn thing
> so they can't just walk in like they own the place.
>
> I've been checkin the logs every morning and writing the ISPs of those
> miserable thievin motherless morons that just CAN'T stay the hell outa
> someone else's backyard to save their miserable lives. One of THESE days!
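
Added example, not part of the original thread: one way to triage the xinetd records quoted above is to correlate START, USERID and EXIT by child pid and list each non-loopback session with anything that started locally while it was open. The function names and the default year 2002 (syslog omits the year) are assumptions; note that xinetd's USERID record is the remote host's RFC 1413 ident reply, not a local login.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# The four syslog lines quoted in the thread, with wrapped lines rejoined.
LOG = """\
Jun 17 23:52:57 Nemesis xinetd[27314]: START: ftp pid=26954 from=210.180.201.125
Jun 17 23:52:59 Nemesis xinetd[26954]: USERID: ftp OTHER :root
Jun 17 23:58:35 Nemesis xinetd[27314]: START: telnet pid=26963 from=127.0.0.1
Jun 18 00:08:02 Nemesis xinetd[27314]: EXIT: ftp pid=26954 duration=905(sec)
"""

LINE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ xinetd\[(\d+)\]: (START|USERID|EXIT): (\S+) ?(.*)$")

def parse_sessions(text, year=2002):
    """Correlate xinetd START/USERID/EXIT records into sessions keyed by child pid."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, logger_pid, kind, service, rest = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        if kind == "START":  # logged by the parent xinetd; child pid is in pid=
            sessions[fields["pid"]] = {"service": service, "src": fields["from"],
                                       "start": when, "end": None, "ident": None}
        elif kind == "USERID" and logger_pid in sessions:
            # Logged by the child. The text is the remote host's RFC 1413 ident
            # answer (self-reported by the peer), not a local account login.
            sessions[logger_pid]["ident"] = rest
        elif kind == "EXIT" and fields.get("pid") in sessions:
            s = sessions[fields["pid"]]
            s["end"], s["duration"] = when, int(fields["duration"].split("(")[0])
    return sessions

def review(sessions):
    """List remote sessions plus loopback sessions started while they were open."""
    findings = []
    for pid, s in sessions.items():
        if ip_address(s["src"]).is_loopback:
            continue
        during = [o["service"] for o in sessions.values()
                  if ip_address(o["src"]).is_loopback and s["start"] <= o["start"]
                  and (s["end"] is None or o["start"] <= s["end"])]
        findings.append({"pid": pid, "service": s["service"], "src": s["src"],
                         "ident": s["ident"], "seconds": s.get("duration"),
                         "local_during": during})
    return findings

if __name__ == "__main__":
    for f in review(parse_sessions(LOG)):
        print(f)
```

The output is a list of sessions to examine further, for example against the FTP daemon's own log and file checksums from the install media; it does not by itself show whether a login succeeded.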
