Re: Is messages showing a hack attempt?

From: Brian Wakem (no_at_email.com)
Date: 08/23/05


Date: Tue, 23 Aug 2005 22:34:39 +0100

news@celticbear.com wrote:

> Aug 23 10:14:12 server1 ftpd[9278]: FTP session closed
> Aug 23 15:15:32 server1 ftpd[5575]: duane of ded140223210.yhti.net
> [66.140.223.210] created directory /www/home/printingautomation/proofs/30220
> Aug 23 15:15:43 server1 ftpd[9450]: FTP LOGIN FROM
> ded140223210.yhti.net [66.140.223.210], duane
> Aug 23 15:15:43 server1 ftpd[9451]: FTP LOGIN FROM
> ded140223210.yhti.net [66.140.223.210], duane
> Aug 23 15:16:19 server1 ftpd[9451]: FTP session closed
> Aug 23 15:17:05 server1 ftpd[9450]: FTP session closed
> Aug 23 10:19:11 server1 ftpd[9653]: FTP session closed
> Aug 23 10:24:12 server1 ftpd[9981]: FTP session closed
> Aug 23 10:29:11 server1 ftpd[10405]: FTP session closed
> Aug 23 15:29:34 server1 ftpd[10430]: FTP LOGIN FROM fileserve [our
> server2 IP], duane
> Aug 23 15:29:34 server1 ftpd[10431]: FTP LOGIN FROM fileserve [our
> server2 IP], publicpa
> Aug 23 15:29:34 server1 ftpd[10432]: FTP LOGIN FROM fileserve [our
> server2 IP], ftpmarket
> Aug 23 10:34:11 server1 ftpd[10898]: FTP session closed
> Thanks for any help!!
> Liam

Run rkhunter and/or chkrootkit to see if anything obvious shows up, in
which case you may be able to find a simple solution. But, as others have
said, wipe and re-install may well be the way to go.

-- 
Brian Wakem
Email: http://homepage.ntlworld.com/b.wakem/myemail.png