[1231] in linux-security and linux-alert archive
Re: Re[2]: [linux-security] Attempt to break through ftp
daemon@ATHENA.MIT.EDU (Comfort is Treachery)
Fri Oct 18 02:36:00 1996
Date: Thu, 17 Oct 1996 10:47:38 +0100 (MET)
From: Comfort is Treachery <wvdputte@reptile.rug.ac.be>
To: Evgeny Stambulchik <fnevgeny@plasma-gate.weizmann.ac.il>
cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199610161603.SAA10416@plasma.weizmann.ac.il>

On Wed, 16 Oct 1996, Evgeny Stambulchik wrote:
> Comfort is Treachery <wvdputte@reptile.rug.ac.be> wrote:
>
> > Don't you have identd in your logs?
>
> AFAIU, identd should be running on client's box + ftpd server must be able to
> talk to it. Which ftpd has this capability?

Maybe I didn't make myself clear; I mean, don't you have your tcpwrappers
set up to log the auth info from the other side? Ftpd has nothing
(little?) to do with it.

[REW: Well, but what tcp wrappers do could also be done by the ftp daemon
itself. I've seen ftp-daemons greet me with "hello username@mymachine"
where it filled in my username whenever I had an identd running]

Oct 17 11:41:28 kyojutsu wu.ftpd[16901]: connect from wvdputte@reptile.rug.ac.be
Oct 17 11:41:42 kyojutsu ftpd[16901]: USER guesttry
Oct 17 11:41:43 kyojutsu ftpd[16901]: PASS password
Oct 17 11:41:44 kyojutsu ftpd[16901]: failed login from reptile.rug.ac.be [157.193.69.63], guesttry
Oct 17 11:41:54 kyojutsu in.telnetd[16902]: connect from wvdputte@reptile.rug.ac.be

Of course *you* cannot trust this information, but *the other side* can
try and track down who did it, depending on what they run on there (no
use with a ppp account :-)
*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*
Wim Vandeputte --So pound the nails in tight--
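
An added example, not part of the original message: a short Python script that joins the tcp wrappers "connect from user@host" line to the ftpd "failed login" line through the PID the two share in the log excerpt above, giving one record that could be passed to the remote site's admin. The function name and record fields are made up for this example, and it assumes a PID is not reused within the log window being read.

```python
import re

# Log lines copied from the message above (classic syslog format, no year).
SAMPLE_LOG = """\
Oct 17 11:41:28 kyojutsu wu.ftpd[16901]: connect from wvdputte@reptile.rug.ac.be
Oct 17 11:41:42 kyojutsu ftpd[16901]: USER guesttry
Oct 17 11:41:43 kyojutsu ftpd[16901]: PASS password
Oct 17 11:41:44 kyojutsu ftpd[16901]: failed login from reptile.rug.ac.be [157.193.69.63], guesttry
Oct 17 11:41:54 kyojutsu in.telnetd[16902]: connect from wvdputte@reptile.rug.ac.be
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) "
                  r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# The "user@" part is only present when the client's identd answered.
CONNECT = re.compile(r"^connect from (?:(?P<ident>[^@\s]+)@)?(?P<peer>\S+)$")
FAILED = re.compile(r"^failed login from (?P<peer>\S+) \[(?P<ip>[\d.]+)\], (?P<user>\S+)$")

def failed_logins_with_ident(log_text):
    """Return one record per failed ftp login, with the ident name (if any)
    that the wrapper logged for the same PID."""
    sessions = {}   # pid -> ident name from the wrapper's connect line
    reports = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        c = CONNECT.match(msg)
        if c:
            sessions[pid] = c["ident"]          # None when no ident reply
            continue
        f = FAILED.match(msg)
        if f:
            reports.append({
                "time": m["ts"], "pid": pid,
                "peer": f["peer"], "ip": f["ip"],
                "attempted_user": f["user"],
                # Supplied by the client's own identd: not trustworthy here,
                # only a lead for whoever administers the remote machine.
                "ident_user": sessions.get(pid),
            })
    return reports

if __name__ == "__main__":
    for record in failed_logins_with_ident(SAMPLE_LOG):
        print(record)
```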