Subject: Re: Crackers getting into FTPD ?
To: Mike Cheponis <mac@Wireless.Com>
From: James Sharp <jsharp@psychoses.org>
List: current-users
Date: 06/05/2001 23:06:51
> Apr 19 13:45:32 G ftpd[5190]: connection from 202.144.164.2 to G.Culver.Net
> Apr 20 17:13:29 G ftpd[6222]: connection from h24-78-185-192.vn.shawcable.net to G.Culver.Net
> Apr 22 11:03:35 G ftpd[7877]: connection from cm-12-39-79-137.bullhead.npg.ispchannel.com to G.Culver.Net
> Apr 22 13:22:12 G ftpd[7926]: connection from c73274-a.frmt1.sfba.home.com to G.Culver.Net
> Apr 23 01:35:08 G ftpd[8185]: connection from pD900AF7B.dip.t-dialin.net to G.Culver.Net
> Apr 29 21:06:29 G ftpd[14096]: connection from gosax1-194.dialup.optusnet.com.au to G.Culver.Net
> May  3 20:26:44 G ftpd[1070]: connection from pool21.primacom.net to G.Culver.Net
> May  4 21:18:49 G ftpd[1955]: connection from pD90309AC.dip.t-dialin.net to G.Culver.Net
> May  9 04:59:17 G ftpd[1798]: getpeername (ftpd): Socket is not connected
> May  9 19:41:36 G ftpd[2757]: connection from cc382751-b.narltn1.nj.home.com to G.Culver.Net
> May 18 08:03:16 G ftpd[18928]: connection from HSE-Toronto-ppp129951.sympatico.ca to G.Culver.Net
>
>
> How are these crackers getting access?  I have exactly ONE account on these
> machines, with a pretty darn non-obvious password.
>
> This is 1.5T
>

That's just them connecting...they're not actually authenticating and
logging in.  They're probing & poking to see if they can get in.
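
The distinction drawn in the reply above (a "connection from" line versus an actual login), as an added example that is not part of the original message: it groups ftpd syslog lines by PID and reports whether each connection was ever followed by a login event. The login message patterns and the constructed sample lines are assumptions modelled on BSD ftpd syslog output; adjust them to what your ftpd actually logs.

```python
import re

# syslog line: "Mon DD HH:MM:SS host ftpd[PID]: message"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ ftpd\[(\d+)\]: (.*)$")
CONNECT = re.compile(r"^connection from (\S+)")
# Assumed login message formats; change these to match your ftpd's output.
LOGIN_OK = re.compile(r"^(?:ANONYMOUS )?FTP LOGIN FROM ")
LOGIN_FAIL = re.compile(r"^FTP LOGIN FAILED FROM ")

def classify(lines):
    """Return one dict per connection, with state 'connect-only',
    'login-failed' or 'logged-in'."""
    sessions, active = [], {}          # active maps PID -> its current session
    for raw in lines:
        m = LINE.match(raw.lstrip("> ").rstrip())   # tolerate mail quoting
        if not m:
            continue
        when, pid, msg = m.groups()
        c = CONNECT.match(msg)
        if c:
            # PIDs get reused, so every connect line opens a fresh session.
            active[pid] = {"when": when, "pid": pid,
                           "peer": c.group(1), "state": "connect-only"}
            sessions.append(active[pid])
        elif pid in active:
            if LOGIN_OK.match(msg):
                active[pid]["state"] = "logged-in"
            elif LOGIN_FAIL.match(msg) and active[pid]["state"] != "logged-in":
                active[pid]["state"] = "login-failed"
    return sessions

SAMPLE = [
    # Taken from the quoted log in the thread
    "> Apr 19 13:45:32 G ftpd[5190]: connection from 202.144.164.2 to G.Culver.Net",
    "> May  9 04:59:17 G ftpd[1798]: getpeername (ftpd): Socket is not connected",
    "> May  9 19:41:36 G ftpd[2757]: connection from cc382751-b.narltn1.nj.home.com to G.Culver.Net",
    # Constructed lines (hypothetical hosts and user names)
    "May 10 08:00:01 G ftpd[3001]: connection from client.example.net to G.Culver.Net",
    "May 10 08:00:05 G ftpd[3001]: FTP LOGIN FAILED FROM client.example.net, root",
    "May 10 09:10:00 G ftpd[3050]: connection from admin.example.net to G.Culver.Net",
    "May 10 09:10:04 G ftpd[3050]: FTP LOGIN FROM admin.example.net as user1",
]

if __name__ == "__main__":
    for s in classify(SAMPLE):
        print(f'{s["when"]}  pid {s["pid"]:>5}  {s["state"]:<12}  {s["peer"]}')
```

Sessions that stay at connect-only are the probing described in the reply; anything reaching logged-in from an unfamiliar peer is what warrants a closer look.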