possible attack?

Hi there. Today I just checked my server and I did ps ax, and I discovered this line:
Code:
53540  ??  Ss     0:00.00 ftpd: 219.234.86.20: connected: USER hope\r\n (ftpd)
I have no user "hope" on my computer and also no anonymous allowed.
Is it possible that this is an attack or something like this?
Anyway I stopped the ftpd. I use the built-in ftpd, and I enabled it through inetd. Should I install proftpd or another dedicated ftp server?

thanks
 
Are there any more logins with non-existing usernames?

If this is just a one-off it's unlikely to be an attack.
 
SirDice said:
Are there any more logins with non-existing usernames?
Before stopping ftpd, every time I did "ps ax" another user name was displayed from the same IP. The line was identical, only the user name differed.
BTW what does that line tell me?
A user is connected through ftp or is trying to connect?
thanks
 
tangram said:
Are you sure the ftp isn't set to anonymous?
well, how can I check?
This is from FreeBSD handbook:
If you would like to enable anonymous FTP access to your server, then you must create a user named ftp on your FreeBSD system. Users will then be able to log on to your FTP server with a username of ftp or anonymous and with any password (by convention an email address for the user should be used as the password).
I haven't created a user named ftp, but I have a group named ftp in /etc/group
 
The process table will show any user as connected once they enter their IP address, even if they haven't entered a password yet (or have entered an incorrect password). Someone is clearly trying to hack into your ftp server, but is hopefully failing. You may want to consider setting up a firewall and only allowing ftp connections from specific IP addresses.

Adam
 
solved

well I restarted ftpd and checked
Code:
ftp my.ftp.server
Connected to my.ftp.server.
220 ftp.server FTP server (Version 6.00LS) ready.
Name: anonymous
530 User anonymous unknown.
ftp: Login failed.
ftp>
I hope it's solved
thanks guys
 
I would agree with adamk.

I have a Linux fileserver on my work network that is often hammered by brute-force attacks, looking for typical weak username-password combos (admin, administrator, MySQL, etc.). As long as you enforce good username/password practices, the attempts abort.
 
hirohitosan said:
Before stopping ftpd, every time I did "ps ax" another user name was displayed from the same IP. The line was identical, only the user name differed.
Sounds like a pretty standard brute force attack, welcome to the internet.
 
Yep, dictionary attack in progress. It's almost impossible to have an open FTP port on the net and not be attacked. If at all possible, firewall your ftp port, run it on a different port, or make sure an absolute minimum of accounts (with not-too-obvious names) have access, with strong passwords.
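
The check SirDice asks about earlier in the thread (more logins with non-existing usernames from the same address), as an added example that is not part of any post here: it parses repeated "ps ax" snapshots in the format hirohitosan posted and reports sources that tried several names with no local account. The snapshots, the addresses, LOCAL_USERS and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the process title shown in the thread:
#   ftpd: <source>: connected: USER <name>\r\n (ftpd)
# ps prints the trailing CR/LF as the literal characters \r\n.
FTPD_TITLE = re.compile(r"ftpd: (\S+): connected: USER ([^\s\\]+)")

def attempts_by_source(ps_snapshots):
    """Collect the usernames each source sent, across several ps ax snapshots."""
    seen = defaultdict(set)
    for snapshot in ps_snapshots:
        for line in snapshot.splitlines():
            m = FTPD_TITLE.search(line)
            if m:
                seen[m.group(1)].add(m.group(2))
    return seen

def suspicious_sources(ps_snapshots, local_users, min_unknown=3):
    """Return {source: sorted unknown usernames} for sources that tried at
    least min_unknown names that are not local accounts."""
    report = {}
    for source, names in attempts_by_source(ps_snapshots).items():
        unknown = sorted(names - set(local_users))
        if len(unknown) >= min_unknown:
            report[source] = unknown
    return report

# Constructed sample data: three snapshots taken a few seconds apart.
# Addresses are documentation ranges; usernames other than "hope" are made up.
SNAPSHOTS = [
    "53540  ??  Ss     0:00.00 ftpd: 203.0.113.7: connected: USER hope\\r\\n (ftpd)\n"
    "  812  ??  Is     0:00.02 /usr/sbin/inetd -wW -C 60\n",
    "53561  ??  Ss     0:00.00 ftpd: 203.0.113.7: connected: USER admin\\r\\n (ftpd)\n"
    "53570  ??  Ss     0:00.00 ftpd: 198.51.100.4: connected: USER alice\\r\\n (ftpd)\n",
    "53588  ??  Ss     0:00.00 ftpd: 203.0.113.7: connected: USER test\\r\\n (ftpd)\n",
]
LOCAL_USERS = {"root", "alice"}  # assumed; on a real host read /etc/passwd

if __name__ == "__main__":
    for source, names in suspicious_sources(SNAPSHOTS, LOCAL_USERS).items():
        print(f"{source}: {len(names)} unknown usernames tried: {', '.join(names)}")
```

A single snapshot only shows connections open at that instant, so the count is only meaningful over several samples.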
 