[H-GEN] FTP login by wtmp?
Martin Pool
martinp at mincom.com
Tue Aug 17 02:40:53 EDT 1999
[ Humbug *General* list - semi-serious discussions about Humbug and
Unix-related topics. ]
At 16:12 17/08/99 +1000, you wrote:
>A salutary lesson to all those out there with a standard RedHat
>installation...turn off your ftp daemon (if you have wu-ftp installed) _now_
>and/or find another one. And...turn off (or limit access to) anything else
>connected to the outside world that you do not absolutely need.
Those who didn't catch it yesterday might like to read
http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32
* An audit of computer security across the whole net, with interesting
statistics on vulnerable machines
* What happened when somebody turned the table and attacked them: the most
interesting war story I've heard for a long time. (Under "Third week").
Read this part, if nothing else.
>Fortunately, they only ran the script on the ftp xferlog, and did not bother
>with the system log or with the ippl log, so we have a complete audit trail
>of their access attempts. Which leads me to believe that the attacker(s) was
>only a scriptkiddy. The attacker was not smart enough to use IP spoofing
>either; we think we have tracked the lowlife back to a dial-up connection at
>their ISP.
What if they were relaying through that machine, rather than originating
from it?
>We are now in the process of combing through our system auditing all files
>that have changed since the original attack.
Boot from original media (your RedHat CD) and use rpm's verify option
against the RPMS on the CD. Don't trust the kernel, rpm(1) or RPMs on the
box.
--
Martin
--
/\\\ Mincom | Martin Pool | martinp at mincom.com
// \\\ | Software Engineer | Phone: +61 7 3303-3333
\\ /// | Mincom Ltd. |
\/// | Teneriffe, Brisbane | Speaking for myself only
--
This is list (humbug) general handled by majordomo at lists.humbug.org.au .
Postings only from subscribed addresses of lists general or general-post.
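
Added example, not part of the message above: a triage filter for the output of the verify run Martin describes, where rpm -Vp checks the installed files against the package files on the CD rather than the RPM database on the box. The mount points /mnt/sysimage and /mnt/cdrom, the function names triage_verify and sample_verify_output, and the sample lines are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumed rescue-environment layout (not from the post):
#   suspect root filesystem mounted read-only at /mnt/sysimage
#   Red Hat CD mounted at /mnt/cdrom, packages under RedHat/RPMS
# Collect the verify output with the rescue environment's own rpm, e.g.:
#   rpm -Vp --noscripts --root /mnt/sysimage /mnt/cdrom/RedHat/RPMS/*.rpm > verify.out
# then: triage_verify < verify.out

# Reads `rpm -V` output on stdin and prints "REASON<TAB>path" for entries to
# inspect first: missing files, and non-config files whose digest (5),
# mode (M) or owner/group (U/G) differ from the package.
triage_verify() {
    awk '
    {
        flags = $1
        p = index($0, " /")               # path starts at the first " /"
        if (p == 0) next                  # not a verify result line
        path = substr($0, p + 1)
        if (flags == "missing") { print "MISSING\t" path; next }
        if (flags !~ /^[SM5DLUGTP.?]+$/) next   # skip warnings and errors
        # Optional one-letter file class between flags and path (c = config).
        attr = ($2 ~ /^[cdglr]$/) ? $2 : ""
        if (attr == "c" || attr == "d" || attr == "g") next  # expected to change
        reason = ""
        if (flags ~ /5/)    reason = reason "DIGEST "
        if (flags ~ /M/)    reason = reason "MODE "
        if (flags ~ /[UG]/) reason = reason "OWNER "
        if (reason != "") { sub(/ $/, "", reason); print reason "\t" path }
    }'
}

# Constructed sample of verify output (not taken from any real system).
sample_verify_output() {
    cat <<'EOF'
S.5....T c /etc/ftpaccess
S.5....T   /bin/login
.M......   /usr/sbin/in.ftpd
missing    /usr/bin/last
.......T   /usr/lib/libfoo.so
EOF
}

sample_verify_output | triage_verify
```

Changed config files and timestamp-only differences are dropped from the short list, not cleared: review them after the binaries.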