On Sun, 2004-07-18 at 09:07, Thomas Sapp wrote:
> Here's one for you, I checked my system this morning and the hard drive
> was going nuts. Here is the beginning of the log information:
>
> Jul 17 07:40:43 Raisor vsftpd(pam_unix)[4691]: check pass; user unknown
> Jul 17 07:40:43 Raisor vsftpd(pam_unix)[4691]: authentication failure;
> and this continues to fill up my system log until this morning at 5:45AM
> when I disabled the vsftpd service. I had only started it because I
> needed a file from my computer at home while I was at work and forgot to
> disable it last night! That'll teach me! Anyone know of any exploits
> that this uses? There are no changed or weird files and a login
> never succeeded from this attempt. The IP address that was being used
> changed 3 times but it stayed on the same subnet. I blocked the entire
> subnet but was wondering if anyone had any suggestions on what to check
> on my system for possible intrusion?
>

Check your various log files. It appears someone was trying a brute
force attack on your ftp service. You may want to use scp in the future
for quick file transfers if you don't need a full blown ftp service.

If you have tripwire, run a report. I find tripwire invaluable in sorting
out changes that have occurred on a system. There are a couple of other
similar packages out there that do the same thing.

If you don't have tripwire then you may be able to use rpm to check that
what was installed has not been changed. (I assume rpm will allow for
the prelink?) I think it is the verify option on rpm.

--
Scot L. Harris
webid@xxxxxxxxxx

When a lion meets another with a louder roar, the first lion thinks the
last a bore.
		-- G.B. Shaw
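
Added example, not part of the original thread: one way to act on "check your various log files" is to group the vsftpd PAM failures by source network, which shows a brute-force run that hops between addresses on one subnet. The rhost= field, the sample addresses, the /24 grouping and the threshold are assumptions, since the log excerpt in the message is cut off after "authentication failure;".

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample lines. The excerpt in the message ends at
# "authentication failure;", so the rhost= tail follows the usual pam_unix
# layout and the addresses are documentation ranges, not values from the post.
SAMPLE_LOG = """\
Jul 17 07:40:43 Raisor vsftpd(pam_unix)[4691]: check pass; user unknown
Jul 17 07:40:43 Raisor vsftpd(pam_unix)[4691]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Jul 17 07:40:47 Raisor vsftpd(pam_unix)[4691]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Jul 17 09:12:05 Raisor vsftpd(pam_unix)[4702]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.77
Jul 17 23:58:31 Raisor vsftpd(pam_unix)[4810]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.130
Jul 18 01:02:11 Raisor vsftpd(pam_unix)[4822]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.5
"""

# Matches IPv4 rhost values only; a resolved hostname in rhost= is skipped.
FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\svsftpd\(pam_unix\)\[\d+\]:\s"
    r"authentication failure;.*\brhost=(?P<rhost>\d{1,3}(?:\.\d{1,3}){3})"
)

def failures_by_subnet(log_text, prefix=24):
    """Return {network: {"count", "hosts", "first", "last"}} for failed logins."""
    stats = defaultdict(lambda: {"count": 0, "hosts": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if not m:
            continue
        try:
            net = str(ip_network(f"{m['rhost']}/{prefix}", strict=False))
        except ValueError:  # not a valid address, e.g. an octet above 255
            continue
        entry = stats[net]
        entry["count"] += 1
        entry["hosts"].add(m["rhost"])
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(stats)

def noisy_subnets(log_text, threshold=3, prefix=24):
    """List (network, failures, distinct addresses) at or above threshold, busiest first."""
    stats = failures_by_subnet(log_text, prefix)
    hits = [(n, s["count"], len(s["hosts"])) for n, s in stats.items() if s["count"] >= threshold]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for net, count, hosts in noisy_subnets(SAMPLE_LOG):
        print(f"{net}: {count} failures from {hosts} address(es)")
```

The first and last timestamps per network give the window to compare against file-integrity results such as a tripwire report or rpm's verify output.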