[Snort-users] Uh-oh... bad ftp login

Jan Muenther jan at ...206...
Mon Oct 30 12:54:44 EST 2000


> have you tried to reproduce this behaviour? What happens?
> 
> Are you sure proftpd is logging where you expect the log messages to
> go and not someplace else? If it is not using syslog, maybe there is
> a permission problem on the log directory or file? Does it log
> anything at all?

Yes, yes. And it has been logging this kind of stuff until now. 
 
> It is going to be hard to tell if your ftpd has been backdoored,
> unless you have some kind of reliable file integrity checking going
> on. So if you're *really* concerned and absolutely sure you are not
> looking at a configuration problem or something simple (like a full
> disk), you could make snort (on a different box) log 21/tcp and use
> ethereal to replay future suspicious ftp sessions using the "follow
> tcp stream" feature.

This is pretty much exactly what I plan to do. Maybe we all get a
nice case study from this little catch. I prefer voluntarily set
up honeypots, though ;o))

I'll keep you informed.

Cheers, Jan
-- 
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther at ...206...
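
An added example, not part of the original message or of Snort or proftpd: once 21/tcp is recorded on a separate box, the successful logins seen on the wire can be compared against the daemon's own log to find sessions the ftpd never logged. The control-channel tuples, the log excerpt and its line layout, and all function names are constructed assumptions for illustration.

```python
import re

# Constructed sample: FTP control-channel lines as a separate sensor might
# record them, as (connection id, direction, text). Not real traffic.
WIRE = [
    ("10.0.0.5:1034", "C", "USER alice"),
    ("10.0.0.5:1034", "S", "331 Password required for alice."),
    ("10.0.0.5:1034", "C", "PASS ****"),
    ("10.0.0.5:1034", "S", "230 User alice logged in."),
    ("10.0.0.9:2201", "C", "USER bob"),
    ("10.0.0.9:2201", "S", "331 Password required for bob."),
    ("10.0.0.9:2201", "C", "PASS ****"),
    ("10.0.0.9:2201", "S", "530 Login incorrect."),
    ("10.0.0.7:4410", "C", "USER carol"),
    ("10.0.0.7:4410", "S", "331 Password required for carol."),
    ("10.0.0.7:4410", "C", "PASS ****"),
    ("10.0.0.7:4410", "S", "230 User carol logged in."),
]

# Constructed daemon log excerpt; the line layout is an assumption.
DAEMON_LOG = """\
Oct 30 12:01:10 ftp proftpd[811]: ftp (10.0.0.5[10.0.0.5]) - USER alice: Login successful.
Oct 30 12:03:42 ftp proftpd[815]: ftp (10.0.0.9[10.0.0.9]) - USER bob: no such user found
"""

def wire_logins(lines):
    """Return {(client_ip, user)} for sessions where a 230 reply followed USER."""
    pending, ok = {}, set()
    for conn, direction, text in lines:
        if direction == "C" and text.upper().startswith("USER "):
            pending[conn] = text.split(None, 1)[1].strip()
        elif direction == "S" and text.startswith("230") and conn in pending:
            ok.add((conn.rsplit(":", 1)[0], pending.pop(conn)))
        elif direction == "S" and text.startswith("530"):
            pending.pop(conn, None)  # failed attempt, forget the pending user
    return ok

def logged_logins(log_text):
    """Return {(client_ip, user)} for logins the daemon itself recorded."""
    pat = re.compile(r"\((?P<ip>[\d.]+)\[[\d.]+\]\).*USER (?P<user>\S+): Login successful")
    return {(m["ip"], m["user"]) for m in map(pat.search, log_text.splitlines()) if m}

def unlogged_logins(lines, log_text):
    """Logins accepted on the wire that have no matching daemon log entry."""
    return sorted(wire_logins(lines) - logged_logins(log_text))

if __name__ == "__main__":
    for ip, user in unlogged_logins(WIRE, DAEMON_LOG):
        print(f"login seen on the wire but absent from daemon log: {user} from {ip}")
```
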


