RE: [cobalt-security] IP listed as restricted doing Whois from samspade.org
- Subject: RE: [cobalt-security] IP listed as restricted doing Whois from samspade.org
- From: "Todd Kirk" <tkirk@xxxxxxxxxxxxxx>
- Date: Wed, 20 Jun 2001 19:17:07 +1000
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Thanks for the help Glen, I need it ;-) I have logcheck installed which is
what alerted me to this FTP client. I will check that message logfile,
thanks.
regards,
Todd Kirk
-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Glen Scott
Sent: Wednesday, 20 June 2001 6:48 PM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] IP listed as restricted doing Whois from samspade.org
>Yes I am back with silly IP questions again ;-)
>
>Thanks for the above URL, I ran another IP that FTP'd into my RAQ
>(crc.xnet.ro[217.10.198.254]). It reports back with the below, the bad part
>is I don't have any customers in Romania, so now I am on the hunt to chase
>what they may have done in the 5 mins they were FTP'd in. How do I tell what
>user they FTP in with? I know how to ps, ps aux, top, who etc. But I am an
>amateur here and need all the help I can get.
>
Check your /var/log/messages file for a line similar to:
Jun 11 10:33:19 www PAM_pwdb[5946]: (ftp) session opened for user *** by (uid=0)
This line tells you which user logged into FTP and at what time.
I recommend you install Logcheck if you haven't already, which will
report this kind of information back to you on an hourly basis.
Check out http://www.psionic.com/abacus/logcheck for more
information. It is very simple to install, but I would be happy to
provide you with instructions in case you get stuck.
Regards,
Glen Scott
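
The log check described above, as an added example that is not part of the original messages: a shell function that pulls every `(ftp) session opened` line of the shape quoted in the mail and pairs it with its close line to show how long each user stayed connected. The `session closed for user NAME` line shape, and the host, PIDs and user names in the sample, are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the line shape quoted above; host, PIDs and user
# names are made up. The "session closed" line shape is an assumption.
sample_log() {
cat <<'EOF'
Jun 11 10:33:19 www PAM_pwdb[5946]: (ftp) session opened for user alice by (uid=0)
Jun 11 10:34:02 www PAM_pwdb[5950]: (login) session opened for user admin by (uid=0)
Jun 11 10:38:41 www PAM_pwdb[5946]: (ftp) session closed for user alice
Jun 11 23:59:50 www PAM_pwdb[6101]: (ftp) session opened for user bob by (uid=0)
Jun 12 00:00:20 www PAM_pwdb[6101]: (ftp) session closed for user bob
Jun 12 03:15:07 www PAM_pwdb[6207]: (ftp) session opened for user carol by (uid=0)
EOF
}

# ftp_sessions [FILE]: one line per FTP login: "Mon DD HH:MM:SS user seconds".
# seconds is "open" when no matching close line was seen (still connected,
# or the log was rotated or truncated before the close was written).
ftp_sessions() {
    awk '
    function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    $5 ~ /^PAM_pwdb\[[0-9]+\]:$/ && $6 == "(ftp)" && $7 == "session" {
        key = $5 SUBSEP $11              # pair open/close on PID and user
        if ($8 == "opened") {
            n++; when[n] = $1 " " $2 " " $3; who[n] = $11
            start[n] = secs($3); dur[n] = "open"; last[key] = n
        } else if ($8 == "closed" && (key in last)) {
            i = last[key]; d = secs($3) - start[i]
            if (d < 0) d += 86400        # session ran past midnight
            dur[i] = d; delete last[key]
        }
    }
    END { for (i = 1; i <= n; i++) print when[i], who[i], dur[i] }
    ' "$@"
}

# Usage on a live system: ftp_sessions /var/log/messages
```

A login that shows "open" in an old log is worth a closer look, since a missing close line can mean the log was cut short rather than that the session is still active.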