LinuxQuestions.org

Forum: Linux - Server. Thread: daily vsftp unmatched entry, can't stop the person! (https://www.linuxquestions.org/questions/linux-server-73/daily-vsftp-unmatched-entry-can%27t-stop-the-person-639903/)

sir-lancealot 05-04-2008 09:04 PM

daily vsftp unmatched entry, can't stop the person!
 
Here's my problem: vsftp is set up with no guest, no anonymous, and to use the local passwd file, with users rooted to their home folder. For the past month, I have had a connection from a specific IP and I can't stop it. I have 10 or so users, and I am watching as each day, some more than others, the entire web folder appears in the syslog. Example here:

Thu May 3 11:42:46 2007 1 w.x.y.z 3754 /rootfolder/site/folder/file.php b _ o r username ftp 0 * c

I blocked the IP at the iptables level and reloaded, yet the next day it appeared again (the above is just a one-line example; as I said, the entire website, including subfolders, is shown in the syslog).

I added my IP to the top of the connection drop list and couldn't ssh in, ftp, etc., so I am not sure why/how that IP is appearing.

Has anyone seen anything similar or know of a solution? I mean, the iptables drop should have taken care of that completely.

Thanks.
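The line quoted above is in the wu-ftpd style xferlog layout that vsftpd writes with `xferlog_std_format=YES`. The following parser and per-client summary is an added example (not the poster's code, and not part of vsftpd); it shows how to turn such lines into a count of completed downloads per remote host and user, so that one client pulling the whole tree stands out. The sample lines, host addresses (documentation ranges) and user names are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Layout of one xferlog line (the format vsftpd writes with
# xferlog_std_format=YES, which the quoted line follows):
#   <weekday> <month> <day> <hh:mm:ss> <year> <transfer-secs> <remote-host>
#   <size> <filename> <type> <special> <direction> <mode> <user> <service>
#   <auth-method> <auth-user-id> <completion>
# Nine fixed fields follow the filename; spaces inside a filename are
# written as underscores in the log, so splitting on whitespace is safe.
_TRAILING_FIELDS = 9
_DATE_FIELDS = 5


@dataclass
class XferRecord:
    timestamp: str
    transfer_secs: int
    remote_host: str
    size: int
    filename: str
    transfer_type: str   # 'a' ascii, 'b' binary
    direction: str       # 'o' outgoing (download from server), 'i' incoming (upload)
    access_mode: str     # 'r' real (local) user, 'a' anonymous, 'g' guest
    username: str
    completion: str      # 'c' complete, 'i' incomplete


def parse_xferlog_line(line: str) -> Optional[XferRecord]:
    """Parse one xferlog line; return None for lines that do not fit the format."""
    tokens = line.split()
    head = _DATE_FIELDS + 3            # date + transfer-secs + host + size
    if len(tokens) < head + 1 + _TRAILING_FIELDS:
        return None
    (ttype, _special, direction, mode, user,
     _service, _auth, _auth_uid, status) = tokens[-_TRAILING_FIELDS:]
    try:
        return XferRecord(
            timestamp=" ".join(tokens[:_DATE_FIELDS]),
            transfer_secs=int(tokens[_DATE_FIELDS]),
            remote_host=tokens[_DATE_FIELDS + 1],
            size=int(tokens[_DATE_FIELDS + 2]),
            filename=" ".join(tokens[head:-_TRAILING_FIELDS]),
            transfer_type=ttype,
            direction=direction,
            access_mode=mode,
            username=user,
            completion=status,
        )
    except ValueError:               # non-numeric transfer time or size
        return None


Key = Tuple[str, str]


def summarize_downloads(lines: Iterable[str], threshold: int
                        ) -> Tuple[Dict[Key, Tuple[int, int]], Set[Key]]:
    """Count completed downloads per (remote host, user).

    Returns ({(host, user): (file_count, total_bytes)}, flagged) where
    flagged holds the pairs whose file count exceeds `threshold`, i.e. a
    client that pulled far more files than an ordinary session would."""
    files: Dict[Key, int] = defaultdict(int)
    total: Dict[Key, int] = defaultdict(int)
    for line in lines:
        rec = parse_xferlog_line(line)
        if rec is None or rec.direction != "o" or rec.completion != "c":
            continue
        key = (rec.remote_host, rec.username)
        files[key] += 1
        total[key] += rec.size
    summary = {k: (files[k], total[k]) for k in files}
    flagged = {k for k, (n, _) in summary.items() if n > threshold}
    return summary, flagged


# Constructed sample log (documentation-range addresses, invented users);
# these lines are not from the poster's server.
SAMPLE_LOG = """\
Thu May  3 11:42:46 2007 1 192.0.2.10 3754 /rootfolder/site/folder/file.php b _ o r alice ftp 0 * c
Thu May  3 11:42:47 2007 1 192.0.2.10 1200 /rootfolder/site/index.php b _ o r alice ftp 0 * c
Thu May  3 11:42:47 2007 0 192.0.2.10 88 /rootfolder/site/images/logo.gif b _ o r alice ftp 0 * c
Thu May  3 11:42:48 2007 0 192.0.2.10 9000 /rootfolder/site/big.zip b _ o r alice ftp 0 * i
Thu May  3 12:01:02 2007 2 198.51.100.7 500 /rootfolder/site/upload.txt a _ i r bob ftp 0 * c
Thu May  3 12:05:10 2007 1 198.51.100.7 640 /rootfolder/site/notes.txt a _ o r bob ftp 0 * c
not an xferlog line at all
"""

if __name__ == "__main__":
    summary, flagged = summarize_downloads(SAMPLE_LOG.splitlines(), threshold=2)
    for (host, user), (n, nbytes) in sorted(summary.items()):
        mark = "  <-- bulk download" if (host, user) in flagged else ""
        print(f"{host:15} {user:10} {n:4} files {nbytes:8} bytes{mark}")
```

Running it against a real `/var/log/xferlog` (or the syslog lines vsftpd emits) gives the per-client totals; a threshold tuned to the site's normal traffic separates a user fetching a few files from a client mirroring every subfolder. Incomplete transfers and uploads are deliberately left out of the count, so the figure reflects what actually left the server.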

dkm999 05-04-2008 10:53 PM

It could be that you have a machine that has been root-kitted, and so the things that you are trying to do to stop this access are not actually doing anything. I would find a rootkit detector on the web (chkrootkit is the one I used several years ago) and see if your machine is infected. If so, you have probably read the drill on the web:

1. Disconnect this machine from the Internet !!!!
2. Once it is isolated, save your work off the machine, and rebuild it from sources that you trust. (I mean from files or ISO images that you trust, not necessarily compiling from source code yourself.)
3. Reinstall your apps and their data.
4. Put in a good set of firewall rules *BEFORE* you connect the machine back up to the 'Net.
5. I use tripwire for early detection of break-ins. It does not depend on any of the usual Un*x utilities being truthful; it examines the file system directly, and reports any changes that occur. It is, of course, up to you to know what changes are expected, and what might be damaging.

Sorry, and good luck.
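Step 5 above relies on a file-system baseline taken before the host is exposed and compared against later. The script below is an added example of that baseline-and-compare idea, written for this thread; it is not tripwire's code and is much simpler than tripwire. It records mode, size and SHA-256 for every regular file under a root, then reports files added, removed or modified. The tampering scenario in `demo()` (a replaced `bin/ls`, an unexpected `etc/ld.so.preload`, a deleted config file) is constructed in a temporary directory. Two assumptions: the baseline must come from a known-good state and be stored off the host, and, unlike tripwire's direct file-system examination, this still trusts the kernel's view of the disk.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, dict]:
    """Map each regular file (path relative to root) to its mode, size and hash.

    Symlinks are skipped so a link pointing at a huge or changing target
    does not inflate or destabilise the baseline."""
    baseline: Dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.lstat()
            baseline[p.relative_to(root).as_posix()] = {
                "mode": oct(st.st_mode & 0o7777),   # permission bits incl. setuid/setgid
                "size": st.st_size,
                "sha256": hash_file(p),
            }
    return baseline


def compare(old: Dict[str, dict], new: Dict[str, dict]) -> Dict[str, list]:
    """Classify differences between two baselines as added / removed / modified.

    A change in content, size or permission bits all count as 'modified';
    which attribute changed can be read off the two entries afterwards."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, list]:
    """Constructed scenario: baseline a small tree, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        (root / "etc").mkdir()
        (root / "etc" / "vsftpd.conf").write_text("anonymous_enable=NO\n")
        baseline = build_baseline(root)          # the "known-good" snapshot

        # Simulated changes of the kind an integrity check is meant to catch
        # (constructed for the example): a replaced binary, an unexpected
        # preload file, and a deleted configuration file.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /tmp/other-ls \"$@\"\n")
        (root / "etc" / "ld.so.preload").write_text("/tmp/unexpected.so\n")
        (root / "etc" / "vsftpd.conf").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9} {p}")
```

In practice `build_baseline` would be run over `/bin`, `/sbin`, `/usr/bin`, `/lib` and `/etc` right after step 4, with the resulting dictionary written as JSON to removable or remote storage; a later run of `compare` against a freshly built snapshot then lists exactly what changed, which is the information the poster needs to judge whether the iptables rules and logs on the box can be believed.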

