Download your favorite Linux distribution at LQ ISO.
Go Back > Forums > Linux Forums > Linux - Server
User Name
Linux - Server This forum is for the discussion of Linux Software used in a server related context.


  Search this Thread
Old 05-04-2008, 09:04 PM   #1
Registered: Aug 2007
Posts: 346

Rep: Reputation: 31
daily vsftp unmatched entry, can't stop the person!

Here's my problem, vsftp is setup with no guest, no anonymous, and to use the local passwd file, users rooted to their home folder. For the past month, I have a connection from a specific IP and I can't stop it. I have 10 or so users, and I am watching as each day, some more than others the entire webfolder appearing in the syslog, example here;

Thu May 3 11:42:46 2007 1 w.x.y.z 3754 /rootfolder/site/folder/file.php b _ o r username ftp 0 * c

I blocked the IP at the iptables level; reloaded yet the next day it appeared again (the above is just one line example, as I said, the entire website (including subfolders) ) are shown in the syslog.

I added my IP to the top of connection drop list, and couldn't ssh in, ftp, etc. so I am not sure why/how that IP is appearing.

Has anyone seen anything similar or know of a solution? I mean the iptable drop should have taken care of that completely.

Old 05-04-2008, 10:53 PM   #2
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
It could be that you have a machine that has been root-kitted, and so the things that you are trying to do to stop this access are not actually doing anything. I would find a rootkit detector on the web (chkrootkit is the one I used several years ago, and see if your machine is infected. If so, you have probably read the drill on the web:

1. Disconnect this machine from the Internet !!!!
2. Once it is isolated, save your work off the machine, and rebuild it from sources that you trust. (I mean from files or ISO images that you trust, not necessarily compiling from source code yourself.)
3. Reinstall your apps and their data.
4. Put in a good set of firewall rules *BEFORE* you connect the machine back up to the 'Net.
5. I use tripwire for early detection of break-ins. It does not depend on any of the usual Un*x utilities being truthful; it examines the file system directly, and reports any changes that occur. It is, of course, up to you to know what changes are expected, and what might be damaging.

Sorry, and good luck.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
xargs: unmatched single quote akudewan Linux - Newbie 5 07-28-2014 12:16 PM
Advice? Best way to move files daily to a daily "date" named directory ziphem Linux - Newbie 2 04-15-2007 08:03 AM
Unnecessary daily process - how to stop ? wearetheborg Linux - Software 4 07-08-2006 01:47 AM
Can't stop anonymous vsftp users lagu2653 Linux - Networking 2 11-17-2005 09:54 PM
why does shorewall block my websites and vsftp stop postfix? Michele Linux - Newbie 5 06-18-2004 12:01 AM > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 04:27 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration