From owner-freebsd-questions Thu Jul 5 7:47:18 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from camel.kdsi.net (camel.kdsi.net [206.103.113.218])
    by hub.freebsd.org (Postfix) with ESMTP id 98DB137B407
    for ; Thu, 5 Jul 2001 07:47:12 -0700 (PDT)
    (envelope-from tony@camel.kdsi.net)
Received: from camel.kdsi.net (leepcD-075.sub-d.lee.net [208.205.127.75])
    (authenticated (0 bits))
    by camel.kdsi.net (8.12.0.Beta10/8.12.0.Beta10) with ESMTP id f65EndKv015166;
    Thu, 5 Jul 2001 09:49:42 -0500 (CDT)
Message-ID: <3B447D96.630698AA@camel.kdsi.net>
Date: Thu, 05 Jul 2001 09:45:42 -0500
From: Tony Wells
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Rob
Cc: "Freebsd-Questions@Freebsd. Org"
Subject: Re: Is my FTP hacked?
References:
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Your pwd.db file should look like garbage when you look at it with an
editor; that is because it is a hash file and not just ASCII text. Try
'file /etc/pwd.db' to learn more about what the format of the file is.

Rob wrote:
>
> > I think someone may have hacked into my ftp... I've got this line in my
> > /var/log/messages
> >
> > "Jul 5 10:03:50 www ftpd[8728]: /etc/pwd.db: No such file or
> > directory"...
> >
> > is there any way I can see what account they logged in as and so
> > on? or has
> > something else happened?
> >
> > I've disabled FTP for the moment....
> OK - false alarm it seems... I used 'last' to track down who the user was at
> 10:03... I've talked to him and he said he was just uploading some files
> (for one of our websites)... I trust him, so I guess we weren't trying to be
> hacked - but what happened to cause this error?
>
> If I look at passwd.db with pico /etc/pwd.db it has what looks like a load
> of garbage on the first line...
> then:
>
> #
> # List of acceptable shells for chpass(1).
> # Ftpd will not allow users to connect who are not using
> # one of these shells.
>
> /bin/sh
> /bin/csh
> /nonexistent
>
> then the last line looks like a load of the usernames on the system followed
> by a *lot* of ÿÿÿÿÿÿÿÿÿÿÿ symbols...
>
> What is going on ? :)
>
> -Rob
>
> --------------------------------
> http://www.robhulme.com
> http://www.christianunion.org.uk
>
> "May the forks be with us." - Blue Raja (Mystery Men)
>
> Everything you've learned in school as "obvious" becomes less and less
> obvious as you begin to study the universe.
> For example, there are no solids in the universe.
> There's not even a suggestion of a solid. There are no absolute
> continuums.
> There are no surfaces. There are no straight lines.
> ---- R. Buckminster Fuller
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
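
The check described in the quoted message (using 'last' to find who was logged in when ftpd wrote its 10:03 error), as an added example that is not part of the original thread. The last(1)-style records, user names and addresses are constructed sample data, and the year is an assumption because neither syslog nor last(1) prints one.

```python
import re
from datetime import datetime, timedelta

YEAR = 2001  # assumption: taken from the mail's Date header, absent from the logs

# Constructed sample, modelled on the log line quoted in the thread.
SYSLOG_LINE = 'Jul 5 10:03:50 www ftpd[8728]: /etc/pwd.db: No such file or directory'

# Constructed last(1)-style records: user, line, host, login - logout.
LAST_OUTPUT = """\
alice   ftp8728  192.0.2.10   Thu Jul  5 10:01 - 10:09  (00:08)
bob     ttyp0    192.0.2.22   Thu Jul  5 08:15 - 09:40  (01:25)
carol   ttyp1    192.0.2.31   Thu Jul  5 09:55   still logged in
"""

LAST_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<line>\S+)\s+(?P<host>\S+)\s+'
    r'\w{3} (?P<mon>\w{3})\s+(?P<day>\d+) (?P<start>\d\d:\d\d)'
    r'(?: - (?P<end>\d\d:\d\d))?')

def _ts(mon, day, hhmm):
    return datetime.strptime(f'{YEAR} {mon} {day} {hhmm}', '%Y %b %d %H:%M')

def syslog_time(line):
    """Parse the 'Mon D HH:MM:SS' prefix of a syslog line."""
    mon, day, hms = line.split()[:3]
    return datetime.strptime(f'{YEAR} {mon} {day} {hms}', '%Y %b %d %H:%M:%S')

def sessions_at(last_output, when):
    """Return (user, line, host) for every session open at `when`."""
    hits = []
    for rec in last_output.splitlines():
        m = LAST_RE.match(rec)
        if not m:
            continue
        start = _ts(m['mon'], m['day'], m['start'])
        if m['end']:
            # last(1) has minute resolution: count the whole logout minute.
            end = _ts(m['mon'], m['day'], m['end']) + timedelta(seconds=59)
            if end < start:          # session ran past midnight
                end += timedelta(days=1)
        else:
            end = datetime.max       # no logout recorded: still open
        if start <= when <= end:
            hits.append((m['user'], m['line'], m['host']))
    return hits

if __name__ == '__main__':
    print(sessions_at(LAST_OUTPUT, syslog_time(SYSLOG_LINE)))
```

Every session open at the error time is returned, so the result is a list of candidates to follow up with, not a single answer.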