[1231] in linux-security and linux-alert archive


Re: Re[2]: [linux-security] Attempt to break through ftp

daemon@ATHENA.MIT.EDU (Comfort is Treachery)
Fri Oct 18 02:36:00 1996

Date: Thu, 17 Oct 1996 10:47:38 +0100 (MET)
From: Comfort is Treachery <wvdputte@reptile.rug.ac.be>
To: Evgeny Stambulchik <fnevgeny@plasma-gate.weizmann.ac.il>
cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199610161603.SAA10416@plasma.weizmann.ac.il>

On Wed, 16 Oct 1996, Evgeny Stambulchik wrote:

> Comfort is Treachery <wvdputte@reptile.rug.ac.be> wrote:
> 
> >  Don't you have identd in your logs?
> 
> AFAIU, identd should be running on client's box + ftpd server must be able to
> talk to it. Which ftpd has this capability?

Maybe I didn't make myself clear; I mean, don't you have your tcpwrappers 
set up to log the auth info from the other side? Ftpd has nothing 
(little?) to do with it.

[REW: Well, but what tcp wrappers do could also be done by the ftp daemon
itself. I've seen ftp daemons greet me with "hello username@mymachine",
where it filled in my username whenever I had an identd running]

Oct 17 11:41:28 kyojutsu wu.ftpd[16901]: connect from wvdputte@reptile.rug.ac.be
Oct 17 11:41:42 kyojutsu ftpd[16901]: USER guesttry
Oct 17 11:41:43 kyojutsu ftpd[16901]: PASS password
Oct 17 11:41:44 kyojutsu ftpd[16901]: failed login from reptile.rug.ac.be [157.193.69.63], guesttry
Oct 17 11:41:54 kyojutsu in.telnetd[16902]: connect from wvdputte@reptile.rug.ac.be


Of course *you* cannot trust this information, but *the other side* can 
try and track down who did it, depending on what they run on there (no 
use with a ppp account :-)


*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*
Wim Vandeputte                                --So pound the nails in tight-- 
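
Added example, not part of the original message: a small parser that joins the wrapper's "connect from user@host" line to the ftpd "failed login" line, using the log excerpt quoted in the message as input. The function name `correlate`, the result field names, and the choice to join on logging host plus PID (both lines above carry PID 16901) are assumptions made for this illustration.

```python
import re

# Sample lines copied from the log excerpt in the message above.
SAMPLE = """\
Oct 17 11:41:28 kyojutsu wu.ftpd[16901]: connect from wvdputte@reptile.rug.ac.be
Oct 17 11:41:42 kyojutsu ftpd[16901]: USER guesttry
Oct 17 11:41:43 kyojutsu ftpd[16901]: PASS password
Oct 17 11:41:44 kyojutsu ftpd[16901]: failed login from reptile.rug.ac.be [157.193.69.63], guesttry
Oct 17 11:41:54 kyojutsu in.telnetd[16902]: connect from wvdputte@reptile.rug.ac.be
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) ([^\[\s]+)\[(\d+)\]: (.*)$")
CONNECT = re.compile(r"^connect from (?:([^@\s]+)@)?(\S+)$")
FAILED = re.compile(r"^failed login from (\S+) \[([\d.]+)\], (\S+)$")

def correlate(text):
    """Join each failed ftpd login to the wrapper's connect line by (host, pid)."""
    sessions = {}   # (loghost, pid) -> ident-claimed user, or None
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, loghost, _prog, pid, msg = m.groups()
        key = (loghost, pid)   # program tag differs (wu.ftpd vs ftpd), PID does not
        c = CONNECT.match(msg)
        if c:
            sessions[key] = c.group(1)  # None when the wrapper got no ident reply
            continue
        f = FAILED.match(msg)
        if f:
            findings.append({
                "time": stamp,
                "client": f.group(1),
                "ip": f.group(2),
                "tried_user": f.group(3),
                # Self-reported by the client's identd (RFC 1413): a lead
                # for the remote admin, not something the server can trust.
                "ident_claim": sessions.get(key),
            })
    return findings

if __name__ == "__main__":
    for row in correlate(SAMPLE):
        print(row)
```

PIDs are reused over time, so on a long log the join should also be bounded by timestamp.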
