[Snort-users] Uh-oh... bad ftp login

Gregor Binder gbinder at ...462...
Mon Oct 30 12:34:34 EST 2000


Jan Muenther on Mon, Oct 30, 2000 at 04:01:08PM +0100:

Jan,

> you obviously misunderstood me. Usually, when I get a bad ftp
> login alert in my snort logs, I have a corresponding entry in the
> "local" logfiles of my ftp server. I can only recall this
> happening once. This time, I cannot find any entries on my ftp
> host, but neither do I find any irregularities. Still, it makes
> me kind of nervous.

have you tried to reproduce this behaviour? What happens?

Are you sure proftpd is logging where you expect the log messages to
go and not someplace else? If it is not using syslog, maybe there is
a permission problem on the log directory or file? Does it log
anything at all?

It is going to be hard to tell if your ftpd has been backdoored,
unless you have some kind of reliable file integrity checking going
on. So if you're *really* concerned and absolutely sure you are not
looking at a configuration problem or something simple (like a full
disk), you could make snort (on a different box) log 21/tcp and use
ethereal to replay future suspicious ftp sessions using the "follow
tcp stream" feature.

Greetings,
  Gregor.

-- 
Gregor Binder  <gbinder at ...462...>  http://www.sysfive.com/~gbinder/
sysfive.com GmbH             UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany       TEL +49-40-63647482
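To give a concrete picture of what "following" a captured 21/tcp session buys you, here is an added example (not from the original post, and not Snort or Ethereal code): a small Python script that takes the control-channel text as Ethereal's "Follow TCP Stream" would show it, pairs each PASS command with the server reply that follows it, and reports the attempts the server rejected. The stream text and the reply messages in it are constructed for illustration; the function names `parse_stream`, `login_attempts` and `failed_logins` are this example's own. Passwords are deliberately not retained, only the user name and the reply code.

```python
"""Reconstruct an FTP control-channel login exchange and flag failed logins.

Added example, not code from the mailing-list post. It assumes the control
channel has already been extracted as plain text, the way Ethereal's
"Follow TCP Stream" presents it: client commands and server replies
interleaved, one per line, each terminated by CRLF.
"""
import re

# Constructed sample stream: one failed login followed by a successful one.
SAMPLE_STREAM = (
    "220 ProFTPD Server ready.\r\n"
    "USER alice\r\n"
    "331 Password required for alice.\r\n"
    "PASS not-the-password\r\n"
    "530 Login incorrect.\r\n"
    "USER alice\r\n"
    "331 Password required for alice.\r\n"
    "PASS the-real-password\r\n"
    "230 User alice logged in.\r\n"
    "QUIT\r\n"
    "221 Goodbye.\r\n"
)

# Server replies start with a three-digit code; "-" marks a multi-line reply.
REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")
# Client commands are a 3- or 4-letter verb with an optional argument.
COMMAND_RE = re.compile(r"^([A-Za-z]{3,4})(?:\s+(.*))?$")


def parse_stream(text):
    """Split a followed stream into (side, verb_or_code, argument) tuples."""
    events = []
    for raw in text.split("\r\n"):
        if not raw:
            continue
        m = REPLY_RE.match(raw)
        if m:
            events.append(("server", m.group(1), m.group(2)))
            continue
        m = COMMAND_RE.match(raw)
        if m:
            events.append(("client", m.group(1).upper(), m.group(2) or ""))
    return events


def login_attempts(events):
    """Pair each PASS with the next server reply.

    Returns a list of dicts {'user', 'code', 'ok'}; 'ok' is True only for
    a 230 reply. The password itself is never stored.
    """
    attempts = []
    user = None
    pending = False
    for side, verb, arg in events:
        if side == "client" and verb == "USER":
            user = arg
        elif side == "client" and verb == "PASS":
            pending = True
        elif side == "server" and pending:
            attempts.append({"user": user, "code": verb, "ok": verb == "230"})
            pending = False
    return attempts


def failed_logins(text):
    """Return the login attempts in a stream that the server rejected."""
    return [a for a in login_attempts(parse_stream(text)) if not a["ok"]]


if __name__ == "__main__":
    for a in login_attempts(parse_stream(SAMPLE_STREAM)):
        print(f"user={a['user']!r} reply={a['code']} ok={a['ok']}")
```

Run against a real followed stream, the output is exactly the comparison the poster wants to make: for each rejected attempt you see the user name and the server's reply, which you can then look for in the ftpd's own log. An attempt that Snort saw on the wire but that the ftpd never logged is the case worth investigating.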