RE: [cobalt-security] 'proftpd-inetd appears to be from newer ver sion' message (x-posted)

[Brandon Wheaton <brandonw@xxxxxxxxxxxx>]

> On Thu, 12 Oct 2000, Kevin D wrote:
> 
> > I have recently noticed the following entry in my Messages log:
> > 
> > run-time scoreboard file '/var/run/proftpd/proftpd-inetd' 
> appears to be from a newer version of proftp
> > 
> > Is this something that a recent cobalt patch has caused, or 
> is this evidence of a hack? I have not noticed any strange 
> activity on my server, and a quick scan of recent FTP 
> connections via the 'secure' log shows no foreign IP 
> addresses (it's a pretty low traffic server).
> 
> I've got the same problem on my RaQ, and I'm using manually compiled
> proftpd 1.2.0rc2.  I've not got around to looking at why it's 
> happening
> yet, but it doesn't appear to be anything dodgy (security wise).
> 


rm /var/run/proftpd/proftpd-inetd

That should stop the messages in your log. If you want you 
could backup the file to be safe, but basically it is crud 
left over from a previous install.

> Oh, and remember that text logs can be altered.

If someone is altering your logs you have more important 
issues to address, like how they gained the access to be 
able to alter your logs, not to mention finding out what 
else have they altered. If you have suspicions about 
unauthorized accesses, first check your /etc/passwd file 
for entries you don't recognize. Then do a "last -d -a" 
to see who has logged into your server and from where.
Also ensure that you do NOT allow remote root logins. 
This way, you have a log of anyone issuing the "su -" 
command to become root.

Take care.

Brandon Wheaton
UNIX Systems Engineer 
ValiCert, Inc.
1215 Terra Bella Ave. 
Mountain View, CA 94043 
650.567.5430 
----
Computers are useless; they can only provide answers.
~Pablo Picasso