Yes I am back with silly IP questions again ;-) Thanks for the above URL, I ran another IP that FTP'd into my RAQ (crc.xnet.ro[217.10.198.254]). It reports back with the below, that bad part is I don't have any customers in Romania, so now I am on the hunt to chase what they may have done in the 5 mins they were FTP'd in. How do I tell what user they FTP in with? I know how to ps, ps aux, top, who etc. But I am an amateur here and need all the help I can get.
Check you /var/log/messages file for a line similar to:Jun 11 10:33:19 www PAM_pwdb[5946]: (ftp) session opened for user *** by (uid=0)
This line tells you which user logged into FTP and at what time.I recommend you install Logcheck if you haven't already, which will report this kind of information back to you on an hourly basis. Check out http://www.psionic.com/abacus/logcheck for more information. It is very simple to install, but I would be happy to provide you with instructions in case you get stuck.
Regards, Glen Scott