
Re: [cobalt-users] hacker doing stuff



On Thu, 24 May 2001, Gerald Waugh wrote:

> This guy hit three of my servers with mixed results.
> Question 1: "why the warning: /etc/hosts.allow, line 6" and
> "warning: /etc/hosts.deny, line 6,9"?
> These files do NOT have the domain listed at lines 6 or 9.
> In fact the domain is now listed at lines 230+ in
> hosts.deny.
> Question 2: Why did proftpd on fsn3 (RaQ4) allow a
> connection? And what could he do if he did connect?

Are you using domain names instead of IP addresses in these files?
This can cause spurious errors if DNS is flaky for the IP address
connecting to you. I'd guess it didn't resolve for a while, and then your
nameservers finally got a reply and the authentication got further.

The connect is only that, a connection; he still had to log in with
username/password, so you should see that. If it's followed simply by a
closed connection message, he was most likely scanning IP addresses,
looking at the signon message from ftp to see version numbers, to look for
machines with old insecure ftps.

I'm gonna guess you have syntax errors in your hosts.allow/deny files;
check for trailing spaces/tabs and other odd things around those lines.
Keep in mind the format for the access files changed a while back; I am
not completely certain proftpd can read those files in all cases in which
inetd can...

PS: I get a fair amount of anonymous ftp scanning from .mx dialups

gsh

> gethostbyname(na-10-135.na.avantel.net.mx) failed

PPS: gethostbyname maps domain name -> IP address (e.g., this is the
resolver function that does forward DNS lookups); reverse lookups are
gethostbyaddr() (usually).
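A small checker for the two things gsh suggests looking at above (trailing spaces/tabs on hosts.allow/hosts.deny lines, and client entries given as domain names rather than IP addresses, which depend on DNS resolving), as an added example that is not part of the original post. The sample hosts.deny content is constructed; the wildcard names follow hosts_access(5).

```python
import re

# Constructed sample hosts.deny content (not from the original post), showing
# the kinds of problems discussed: a DNS-dependent hostname entry, a trailing
# tab, and a line missing the ':' between daemon list and client list.
SAMPLE_HOSTS_DENY = """\
# /etc/hosts.deny (constructed example)
ALL: .example.invalid
ALL: 192.0.2.0/255.255.255.0\t
in.ftpd: badhost.example.invalid : deny
ALL 198.51.100.7
"""

# Dotted-quad address, a trailing-dot network prefix like "192.0.2.", or net/mask.
IPV4_OR_NET = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}\.?(/\S+)?$")

# Wildcards and operators from hosts_access(5) that never need a DNS lookup.
NO_DNS_TOKENS = {"ALL", "LOCAL", "KNOWN", "UNKNOWN", "PARANOID", "EXCEPT"}


def lint_hosts_access(text):
    """Return a list of (line_number, message) for suspicious lines.

    Checks: trailing whitespace, a missing ':' separator, and client
    patterns that are hostnames (so a failed or slow gethostbyname()
    lookup, like the one quoted above, can change the outcome).
    """
    findings = []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments
        if not line.strip():
            continue
        if line != line.rstrip():
            findings.append((num, "trailing whitespace"))
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            findings.append((num, "no ':' between daemon list and client list"))
            continue
        for client in fields[1].replace(",", " ").split():
            if client.upper() in NO_DNS_TOKENS or client.startswith("@"):
                continue  # wildcard/operator or @netgroup: no DNS involved
            if not IPV4_OR_NET.match(client):
                findings.append((num, "hostname pattern %r needs DNS to resolve" % client))
    return findings


if __name__ == "__main__":
    for num, msg in lint_hosts_access(SAMPLE_HOSTS_DENY):
        print("line %d: %s" % (num, msg))
```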