[Snort-users] Uh-oh... bad ftp login

Mikael Schmidt mikael.schmidt at ...718...
Mon Oct 30 09:46:26 EST 2000


How do you start snort? Do you start it with -s? If you don't, that's the
reason why you can't find anything in secure or messages; snort doesn't log
to syslog by default.

On Mon, 30 Oct 2000, Jan Muenther wrote:
> Hello there,
>
> I am slightly discomforted, to say the least.
>
> Checking the weekend's snort logs, I found a bad FTP password
> attempt. Well, this could happen when you run an FTP server
> without anonymous access ;o))
> But anyway, checking the server's logs, I could not find any
> correlating report in either messages or secure. I find that
> disturbing.
>
> The box runs RH 6.2, with proftpd 1.2.0pre10, so it's a
> post-r00t-version... as I already mentioned, no anonymous ftp
> allowed.  Apart from that, there's only ssh running... with
> logins only allowed from one host (mine of course).
>
> I took a quick look around, wtmp seems okay, histories are there,
> logs seem otherwise consistent... Couldn't find any signs of
> rootkit/bd.
>
> Has anybody had a similar experience...??
>
> Cheers, Jan

-- 
Mikael Schmidt - mikael.schmidt at ...718...
tfn:	+46(0)46 - 222 47 35
mob:	+46(0)707 - 46 60 56


