Date: Thu, 5 Jul 2001 09:41:13 -0400 (EDT)
From: Stephen Hovey
To: Rob
Cc: "Freebsd-Questions@Freebsd. Org"
Subject: RE: Is my FTP hacked?

Looks to me like pwd.db got corrupted. Recreate it - (or it will recreate
itself next time you edit the password stuff with vipw)

On Thu, 5 Jul 2001, Rob wrote:

>
> > I think someone may have hacked into my ftp... I've got this line in my
> > /var/log/messages
> >
> > "Jul 5 10:03:50 www ftpd[8728]: /etc/pwd.db: No such file or
> > directory"...
> >
> > is there any way I can see what account they logged in as and so
> > on? or has
> > something else happened?
> >
> > I've disabled FTP for the moment....
> OK - false alarm it seems... I used 'last' to track down who the user was at
> 10:03... I've talked to him and he said he was just uploading some files
> (for one of our websites)... I trust him, so I guess we weren't trying to be
> hacked - but what happened to cause this error?
>
> If I look at passwd.db with pico /etc/pwd.db it has what looks like a load
> of garbage on the first line...
> then:
>
> #
> # List of acceptable shells for chpass(1).
> # Ftpd will not allow users to connect who are not using
> # one of these shells.
>
> /bin/sh
> /bin/csh
> /nonexistent
>
> then the last line looks like a load of the usernames on the system followed
> by a *lot* of ÿÿÿÿÿÿÿÿÿÿÿ symbols...
>
> What is going on ? :)
>
> -Rob
>
> --------------------------------
> http://www.robhulme.com
> http://www.christianunion.org.uk
>
> "May the forks be with us." - Blue Raja (Mystery Men)
>
> Everything you've learned in school as "obvious" becomes less and less
> obvious as you begin to study the universe.
> For example, there are no solids in the universe.
> There's not even a suggestion of a solid. There are no absolute
> continuums.
> There are no surfaces. There are no straight lines.
> ---- R. Buckminster Fuller
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>
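
One way to confirm the corruption diagnosed above, and to verify the databases after rebuilding them, as an added example that is not part of the original thread. The function names are hypothetical, and the check assumes a healthy pwd.db/spwd.db is a Berkeley DB 1.85 hash file whose first four bytes hold the magic 0x00061561 (either byte order is accepted).

```shell
#!/bin/sh
# Added example: classify a password database by its first four bytes.
# Assumption: a valid pwd.db/spwd.db starts with the Berkeley DB 1.85 hash
# magic 0x00061561; both byte orders are accepted.

pwdb_state() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    [ -s "$f" ] || { echo empty; return 0; }
    # Read the first 4 bytes as hex, e.g. "00061561"
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
        00061561|61150600) echo bdb-hash ;;
        *)                 echo not-bdb ;;   # e.g. text from another file
    esac
}

# Report each file given; return 1 if any is not a valid hash database.
check_pwdbs() {
    rc=0
    for f in "$@"; do
        s=$(pwdb_state "$f")
        echo "$f: $s"
        [ "$s" = bdb-hash ] || rc=1
    done
    return $rc
}

# On the affected FreeBSD host (commands shown for reference, not run here):
#   check_pwdbs /etc/pwd.db /etc/spwd.db
#   pwd_mkdb -p /etc/master.passwd   # rebuilds pwd.db, spwd.db and /etc/passwd
#   check_pwdbs /etc/pwd.db /etc/spwd.db
```

A `not-bdb` result matches what Rob saw in pico: readable text where a binary hash header should be.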