OSEC

Subject: We've been compromised?
From: Faber Fedor (faberfedorYAHOO.COM)
Date: Wed Sep 13 2000 - 15:53:44 CDT


A client of mine received a polite letter from the sysadmin of another
site stating that our machine had done an FTP port scan of his site.
The polite gent left an IP address (that we no longer own) and a time
stamp of when the "attack" occurred.

I've been through all of the logs, checked running processes, and
ran various "find" commands looking for files belonging to certain
users, changed within the last 48 hours, etc. and the *only* thing I
found was an entry in wtmp (via the "last" command) that coincides
with the timestamp given from a user called "ftp" from a machine that
shouldn't, AFAIK, be connecting to us.

Now, user "ftp" has a blank in /etc/passwd where his shell would be.
I've tried logging in and ftping in as that user to no avail (yay!
:-). Yes, telnet is disabled.

My question is: now what?

TIA!

=====
Sincerely,

Faber Fedor
LinuxNJ.com - Linux and Open Source solutions for New Jersey

www.linuxnj.com

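The triage described in the post (checking /etc/passwd for the "ftp" account's shell field and pulling the matching wtmp sessions out of `last` output) is easy to do in a repeatable way. The script below is an added example, not something from the original post or from Faber's machine; the passwd lines, the `last` output, the user names, the dates and the IP addresses in it are all constructed sample data. It takes a saved `last` listing rather than reading the live wtmp, so the same checks can be run against a copy preserved for the investigation. One caveat it encodes: an empty seventh field in /etc/passwd is not the same as /sbin/nologin, since login programs fall back to the system default shell when the field is blank, so the script reports empty shells separately.

```shell
#!/bin/sh
# Added triage helper (not from the original post). Works on a passwd-style
# file and a saved `last` listing, so it runs offline on preserved copies.

# Constructed sample /etc/passwd (not real accounts).
make_sample_passwd() {
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:
daemon:x:2:2:daemon:/sbin:/sbin/nologin
faber:x:500:500:Faber:/home/faber:/bin/bash
EOF
}

# Constructed sample `last` output in the classic last(1) column layout:
# user, tty, remote host, weekday month day start, end, duration.
make_sample_last() {
  cat > "$1" <<'EOF'
faber    pts/0        192.0.2.10       Thu Sep 14 09:12   still logged in
ftp      ftp          203.0.113.77     Wed Sep 13 03:41 - 03:55  (00:14)
faber    tty1                          Tue Sep 12 18:05 - 19:00  (00:55)
ftp      ftp          203.0.113.77     Wed Sep 13 02:58 - 03:02  (00:04)

wtmp begins Mon Sep 11 00:00:01 2000
EOF
}

# Accounts whose shell field (7th) is empty. A blank shell is treated as the
# default shell by login programs, so it is weaker than /sbin/nologin.
empty_shell_accounts() {
  awk -F: '$7 == "" { print $1 }' "$1"
}

# wtmp lines for one user on one calendar day.
# $1 = saved `last` listing, $2 = user, $3 = date prefix such as "Wed Sep 13"
sessions_for() {
  awk -v u="$2" -v d="$3" '$1 == u && index($0, d) > 0' "$1"
}

# Number of sessions matched by sessions_for, printed without padding.
count_sessions_for() {
  sessions_for "$1" "$2" "$3" | awk 'END { print NR }'
}

# Distinct remote hosts (3rd column) a user has connected from, to compare
# against the list of hosts that are expected to reach the machine.
hosts_for_user() {
  awk -v u="$2" '$1 == u && $3 ~ /^[0-9]+\.[0-9]+/ { print $3 }' "$1" | sort -u
}

# Stand-alone demonstration on the constructed data.
triage_demo() {
  dir=$(mktemp -d)
  make_sample_passwd "$dir/passwd"
  make_sample_last "$dir/last.txt"
  echo "accounts with an empty shell field:"
  empty_shell_accounts "$dir/passwd"
  echo "ftp sessions on Wed Sep 13:"
  sessions_for "$dir/last.txt" ftp 'Wed Sep 13'
  echo "hosts the ftp account connected from:"
  hosts_for_user "$dir/last.txt" ftp
  rm -rf "$dir"
}

triage_demo
```

Run it as `sh triage.sh`; to use it on a real investigation, replace the two `make_sample_*` calls with the path of a copied passwd file and the output of `last -f` run against a preserved wtmp, and feed the remote hosts that `hosts_for_user` prints into whatever allow-list the site keeps for the ftp service.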