[Dshield] FTP server strange logins

Daniel Cid danielcid at yahoo.com.br
Mon Aug 21 17:41:52 GMT 2006


Hi Dominik,

I generally get a lot of those scans (in addition to
the ssh ones), but your logs seem to be missing the
user field at the end (the ruser is only used for
su/sudo or when you change the users). Does logwatch
change them in any way?

This is how I generally get them (see user at the
end):

vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=x.y.z.a  user=joan

vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=x.y.z.a  user=marcia

If you look at the vsftpd.log you will be able to
see the attempted user names.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

--- Dominik Składanowski <dskladanowski at gmail.com>
wrote:

> Hello list.
> 
> Does anybody notice strange tests of your FTP servers? It looks like
> someone tries to log into the server, but without any login name and
> password.
> 
> I have observed this scan for the second time in the last 2 weeks.
> 
> Below I attached a fragment of my logwatch report.
> 
> --------------------- pam_unix Begin ------------------------
> 
> vsftpd:
>     Unknown Entries:
>        authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=124.128.254.69 : 2283 Time(s)
>        check pass; user unknown: 2283 Time(s)
> 
> ---------------------- pam_unix End -------------------------
> 
> Regards
> 
> Dominik
> 
> 
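Added example, not part of the original thread: a small parser for the pam_unix failure lines in the format quoted above, which counts failures per rhost for vsftpd and separates attempts that carry a user= field from those that do not. The sample log, the function names and the threshold are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the pam_unix format quoted in this thread; the rhost
# values are documentation addresses (RFC 5737), not real sources.
SAMPLE_LOG = """\
vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10  user=joan
vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10  user=marcia
vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10  user=joan
vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7
vsftpd: (pam_unix) check pass; user unknown
vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7
sshd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
"""

FAILURE = re.compile(r"(?P<service>\S+): \(pam_unix\) authentication failure; (?P<fields>.*)")
FIELD = re.compile(r"(\w+)=(\S*)")  # values may be empty, e.g. "logname= uid=0"

def parse_failure(line):
    """Return (service, fields) for a pam_unix authentication failure, else None."""
    m = FAILURE.search(line)
    return (m.group("service"), dict(FIELD.findall(m.group("fields")))) if m else None

def summarize(lines, service="vsftpd"):
    """Per rhost: failure count, attempted user names, failures with no user name."""
    stats = defaultdict(lambda: {"failures": 0, "no_user": 0, "users": Counter()})
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None or parsed[0] != service:
            continue
        fields = parsed[1]
        entry = stats[fields.get("rhost") or "unknown"]
        entry["failures"] += 1
        if fields.get("user"):
            entry["users"][fields["user"]] += 1
        else:
            entry["no_user"] += 1  # the case in the logwatch report: no user field
    return dict(stats)

def noisy_hosts(stats, threshold=3):
    """Hosts with at least `threshold` failures (threshold is an arbitrary example value)."""
    return sorted(host for host, s in stats.items() if s["failures"] >= threshold)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for host in noisy_hosts(stats, threshold=2):
        print(host, stats[host]["failures"], dict(stats[host]["users"]), stats[host]["no_user"])
```

Lines that logwatch or a mail client has wrapped must be rejoined before parsing, since the key=value fields are read from a single line.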



	



	
		