On Wed, 30 May 2001, Stilgherrian wrote:
> > May 14 18:48:00 pooky ftpd[987]: FTP session closed
                          ^^^^
> Well, these *are* FTP logins. wu-ftpd doesn't run all the time, but is
> spawned from inetd when a connection comes in.
Exactly, those are logins to *ftpd*, not wu-ftpd - they look different in
the logs. Here's an example:
May 30 06:53:21 paranoia tcplog: ftp request from paranoia
May 30 06:53:21 paranoia wu-ftpd[315]: connect from paranoia
May 30 06:53:21 paranoia wu-ftpd[315]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM paranoia [xxx.xxx.xxx.xxx], anonymous
May 30 06:53:21 paranoia wu-ftpd[315]: FTP session closed
> Check /etc/inetd.conf and comment out the entry for ftpd. Then
> re-start inetd.
This I agree with. Also, while at it, you really should comment out every
service listed that you don't need, or don't know what they're for.
> Have you been rooted? Can't tell from that, though probably not. But if
> your wu-ftpd isn't up to date then you might be. That's precisely what
> these two guys are looking for, in all likelihood.
Older versions of wu-ftpd had some nasty bugs in them that allowed a
system to be rooted (remote format string stack overwrite, for instance,
read more at: http://www.securityfocus.com/bid/1387).
In order for this mail not to be totally OT, I'd recommend you define some
ipchains/iptables (depending on your kernel version) rules to filter out
unwanted connection attempts.
HTH,
.pi.
--
Petteri Lyytinen + [EMAIL PROTECTED] + http://www.cs.tut.fi/~typo/
+ Watashi no chikara de susumu +
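
The inetd.conf review recommended in the message above, as an added example that is not part of the original mail: it lists every service inetd would actually spawn, names the daemon behind each (which shows whether `ftp` maps to ftpd or wu-ftpd), and flags entries not on an allowlist. The sample file, the function names and the `ssh`-only allowlist are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in inetd.conf format (not taken from the thread):
# service  socket  proto  wait-flag  user  server-path  argv...
sample_inetd_conf() {
cat <<'EOF'
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
ssh     stream  tcp     nowait  root    /usr/sbin/sshd  sshd -i

EOF
}

# Read an inetd.conf on stdin and print "service daemon" for every entry
# inetd would start, i.e. every line that is neither blank nor commented out.
# When the server path is the tcpd wrapper, field 7 (argv[0]) names the
# real daemon; entries without arguments (e.g. "internal") fall back to field 6.
inetd_enabled() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }
        {
            daemon = (NF >= 7) ? $7 : $6
            sub(/.*\//, "", daemon)
            print $1, daemon
        }'
}

# Read an inetd.conf on stdin and print the enabled services that are not
# on the allowlist passed as arguments: the candidates to comment out.
inetd_unexpected() {
    allowed=" $* "
    inetd_enabled | while read -r svc daemon; do
        case "$allowed" in
            *" $svc "*) ;;
            *) echo "$svc ($daemon)" ;;
        esac
    done
}

# Example run against the constructed sample, allowing only ssh.
sample_inetd_conf | inetd_unexpected ssh
```

On a real host the same check is `inetd_unexpected ssh < /etc/inetd.conf`; inetd has to re-read its configuration after entries are commented out.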