RE: [cobalt-security] IP listed as restricted doing Whois from samspade.org

["Todd Kirk" <tkirk@xxxxxxxxxxxxxx>]

Thanks for the help Glen, I need it ;-) I have logcheck installed which is
what alerted me to this FTP client. I will check that message logfile,
thanks.



regards,

Todd Kirk

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Glen Scott
Sent: Wednesday, 20 June 2001 6:48 PM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] IP listed as restricted doing Whois from
samspade.org

>Yes I am back with silly IP questions again ;-)
>
>Thanks for the above URL, I ran another IP that FTP'd into my RAQ
>(crc.xnet.ro[217.10.198.254]). It reports back with the below, that bad
part
>is I don't have any customers in Romania, so now I am on the hunt to chase
>what they may have done in the 5 mins they were FTP'd in. How do I tell
what
>user they FTP in with? I know how to ps, ps aux, top, who etc. But I am an
>amateur here and need all the help I can get.
>

Check you /var/log/messages file for a line similar to:

Jun 11 10:33:19 www PAM_pwdb[5946]: (ftp) session opened for user ***
by (uid=0)

This line tells you which user logged into FTP and at what time.

I recommend you install Logcheck if you haven't already, which will
report this kind of information back to you on an hourly basis.
Check out http://www.psionic.com/abacus/logcheck for more
information.  It is very simple to install, but I would be happy to
provide you with instructions in case you get stuck.

Regards,

Glen Scott
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security