# possible attack?



## hirohitosan (Mar 30, 2009)

Hi there. Today I just checked my server and I did `ps ax`, and I discovered this line:

```
53540  ??  Ss     0:00.00 ftpd: 219.234.86.20: connected: USER hope\r\n (ftpd)
```
I have no user "hope" on my computer and also no anonymous allowed.
Is it possible that this is an attack or something like that?
Anyway, I stopped the ftpd. I use the built-in ftpd, and I enable it through inetd. Should I install proftpd or another dedicated ftp server?

thanks


----------



## SirDice (Mar 30, 2009)

Are there any more logins with non-existing usernames?

If this is just a one off it's unlikely an attack.


----------



## hirohitosan (Mar 30, 2009)

SirDice said:

> Are there any more logins with non-existing usernames?


Before stopping ftpd, every time I ran "ps ax" another user name was displayed from the same IP. The line was identical, just the user name differed.
BTW, what does that line tell me?
Is a user connected through ftp or trying to connect?
Thanks


----------



## tangram (Mar 30, 2009)

Are you sure the ftp isn't set to anonymous?


----------



## hirohitosan (Mar 30, 2009)

tangram said:

> Are you sure the ftp isn't set to anonymous?


Well, how can I check?
This is from the FreeBSD handbook:


> If you would like to enable anonymous FTP access to your server, then you must create a user named ftp on your FreeBSD system. Users will then be able to log on to your FTP server with a username of ftp or anonymous and with any password (by convention an email address for the user should be used as the password).


I haven't created a user named ftp, but I have a group named ftp in /etc/group.


----------



## adamk (Mar 30, 2009)

The process table will show any user as connected once they enter their IP address, even if they haven't entered a password yet (or have entered an incorrect password). Someone is clearly trying to hack into your ftp server, but is hopefully failing. You may want to consider setting up a firewall and only allowing ftp connections from specific IP addresses.

Adam


----------



## hirohitosan (Mar 30, 2009)

*solved*

Well, I restarted ftpd and checked:

```
ftp my.ftp.server
Connected to my.ftp.server.
220 ftp.server FTP server (Version 6.00LS) ready.
Name: anonymous
530 User anonymous unknown.
ftp: Login failed.
ftp>
```
I hope it's solved
thanks guys


----------



## SeanC (Mar 30, 2009)

I would agree with adamk.

I have a Linux fileserver on my work network that is often hammered by brute-force attacks, looking for typical weak username-password combos (admin, administrator, MySQL, etc.). As long as you enforce good username/password practices, the attempts abort.


----------



## SirDice (Mar 31, 2009)

hirohitosan said:

> Before stopping ftpd, every time I ran "ps ax" another user name was displayed from the same IP. The line was identical, just the user name differed.


Sounds like a pretty standard brute force attack, welcome to the internet.


----------



## DutchDaemon (Mar 31, 2009)

Yep, dictionary attack in progress. It's almost impossible to have an open FTP port on the net and not be attacked. If at all possible, firewall your ftp port, run it on a different port, or make sure an absolute minimum of accounts (with not-too-obvious names) have access, with strong passwords.


----------
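
The pattern reported in this thread, one address cycling through user names in the ftpd process titles, can be tallied from saved `ps ax` output. The following is an added example, not part of any post; the function names, the default threshold of 3 and the sample lines (documentation-range addresses) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): tally FTP login names per source
# address from saved `ps ax` snapshots read on stdin.
# Usage: ftpd_attempts [min_distinct_users]   (default 3, an arbitrary choice)
# Output: "<address> <distinct-user-count> <user,user,...>" per address.
ftpd_attempts() {
    awk -v min="${1:-3}" '
    BEGIN { tag = ": connected: USER " }
    {
        p = index($0, "ftpd: ");  if (!p) next   # not an ftpd session title
        rest = substr($0, p + 6)
        q = index(rest, tag);     if (!q) next   # no USER command shown
        ip   = substr(rest, 1, q - 1)
        user = substr(rest, q + length(tag))
        sub(/\\r\\n.*$/, "", user)   # ps prints the CRLF as literal \r\n
        sub(/ \(ftpd\)$/, "", user)  # trailing command name, if no CRLF
        key = ip SUBSEP user
        if (key in seen) next        # same name from same address again
        seen[key] = 1
        if (count[ip]++) users[ip] = users[ip] "," user
        else             users[ip] = user
    }
    END {
        for (ip in count)
            if (count[ip] >= min) print ip, count[ip], users[ip]
    }' | LC_ALL=C sort
}

# Constructed sample: several snapshots concatenated, modelled on the line
# in the first post. Addresses are documentation ranges, not real hosts.
sample_snapshots() {
    cat <<'EOF'
  812  ??  Is     0:00.01 /usr/sbin/sshd
53540  ??  Ss     0:00.00 ftpd: 203.0.113.7: connected: USER hope\r\n (ftpd)
53541  ??  Ss     0:00.00 ftpd: 203.0.113.7: connected: USER admin\r\n (ftpd)
53541  ??  Ss     0:00.00 ftpd: 203.0.113.7: connected: USER admin\r\n (ftpd)
53544  ??  Ss     0:00.00 ftpd: 203.0.113.7: connected: USER administrator\r\n (ftpd)
53547  ??  Ss     0:00.00 ftpd: 203.0.113.7: connected: USER mysql\r\n (ftpd)
53550  ??  Ss     0:00.00 ftpd: 198.51.100.4: connected: USER test\r\n (ftpd)
53552  ??  Ss     0:00.00 ftpd: 198.51.100.9: connected (ftpd)
EOF
}

sample_snapshots | ftpd_attempts 3
```

A single snapshot only shows sessions open at that instant, so feed it output collected over time; the user names are attacker-supplied text and should be treated as untrusted when displayed or stored.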



## Carpetsmoker (Apr 1, 2009)

Does the ftp daemon support the SIGINT signal? Maybe that can be used to get some info (`# kill -SIGINT <pid>`).


----------

