My server has recently been broken into using the anonymous FTP service. I don't know how it was done but the following happened according to /etc/messages:

- The hacker logged in using anonymous FTP and put in something binary as the password
- The password for one of the users was changed
- Then the hacker logged in using that username and ran the "su" command to become root
- syslogd was restarted

From this point on, logging was turned off on the server, and the su command didn't work any more. Two days later I set up the firewall rules to disable everything from outside except DNS, POP3 and ICMP. I haven't seen any more attacks since.

I also noticed that the following programs were replaced:

- /bin/ls
- /bin/su
- /sbin/syslogd

(And I am still looking for more)

If this is a new bug, could you please contact me at kdanko and I will send you the log entries. I also made a copy of the hacker's /bin/ls command.
Created attachment 4164: These are the entries from /etc/messages
Are you certain the cracker got in over anonymous ftp? I've just proofread the code, and I can't find anything that could cause this (in wu-ftpd 2.6.1 from updates). If you're running a version prior to 2.6.1, it's a known problem (the user logs in as anything, then issues a couple of broken commands).
I am running 2.6.0
Update to 2.6.1 please; 2.6.0 has at least 2 known security problems.