
I found a lot of lines (~900) similar to these in the `last` output of one of my hosts:

trustpor ftpd31576    www.trustport.co Tue Oct  1 10:03 - 10:03  (00:00)
trustpor ftpd31575    www.trustport.co Tue Oct  1 10:03 - 10:03  (00:00)
trustpor ftpd31574    www.trustport.co Tue Oct  1 10:03 - 10:03  (00:00)
trustpor ftpd31573    www.trustport.co Tue Oct  1 10:03 - 10:03  (00:00)
trustpor ftpd31572    www.trustport.co Tue Oct  1 10:03 - 10:03  (00:00)
trustpor ftpd31571    www.trustport.co Tue Oct  1 10:03 - 10:03  (00:00)

That user doesn't exist, and I can't understand the meaning of the second column (tty, OK, but what are those ftpd* entries in detail?).

Example of /var/log/auth.log:

Oct  1 22:20:06 kermis proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd12006 ruser=trustportpro.download rhost=www.trustport.com
Oct  1 22:20:09 kermis proftpd: pam_unix(proftpd:auth): check pass; user unknown

I also add the `lastb` output (empty):

btmp begins Tue Oct  1 06:52:36 2013

System logs show failed attempts to log in with that user, but if those are failed, why do they appear in the `last` output? What could this be, some sort of external attack? How can I track this down on my system?

lorenzo.marcon
  • Check your web site for a (certainly invalid) link to `ftp://trustportpro.download@trustport.com` or something very similar. – Michael Hampton Oct 01 '13 at 22:20
  • Do you have FTP open to the Internet? Looks like it could possibly be someone trying to brute-force credentials to your FTP server. – Drew Chapin Oct 01 '13 at 22:22
  • @druciferre Yes I do.. but why is it listed in the `last` output if the attempts are failed? – lorenzo.marcon Oct 01 '13 at 22:23
  • If I understand your question correctly, and I probably don't. When someone is trying to brute force credentials to your server (be it FTP, SSH, HTTP, whatever), the failed attempts will appear in the auth.log regardless of whether the user exists on the server or not. If they didn't, how would you know a brute force is taking place? – Drew Chapin Oct 01 '13 at 22:28
  • In fact, they do appear on auth.log as failed attempts. But they also appear in last output, which should only show me the successful logins, as far as I know. That's why I am puzzled, and I don't know how to read this situation. – lorenzo.marcon Oct 01 '13 at 22:31
  • Oh, I misunderstood what you meant by "last". When dealing with a word with such ambiguity, you should put tick marks around it like so, `last` to indicate it's a command. I thought you meant the "last" (i.e. second) code block in your question. – Drew Chapin Oct 01 '13 at 22:36
  • Oh, you're right, I missed it. So, no clue about that? – lorenzo.marcon Oct 01 '13 at 22:37
  • To answer your question though, **trustpor** is a truncated username. Is there a legitimate user whose username starts with **trustpo**? Or could you accidentally be running `lastb`? – Drew Chapin Oct 01 '13 at 22:38
  • found something inside /etc/proftpd/ftpusers.passwd.. a **trustportpro.download** user. But I'm still puzzled by the failed logins in logs and successful ones in `last` output. – lorenzo.marcon Oct 01 '13 at 22:45
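The following Python script is an added example, not code from the original post or from the proftpd project. It reads the same records `last` reads (wtmp) and joins them with the PAM failures in auth.log. Two things it makes visible: `last` prints the user field padded to 8 characters and the host to 16 (use `last -w` for the full names), so `trustpor` is the head of whatever wtmp actually stores; and the "tty" column for an FTP session is the string `ftpd` followed by the PID of the proftpd session process, the same PID that auth.log shows as `tty=/dev/ftpdNNNN`, which is the key for matching a `last` line to its PAM result. The wtmp bytes and auth.log lines below are constructed for the example, the `struct utmp` layout assumes glibc on x86_64 Linux (384-byte records), and the brute-force threshold in `suspicious_hosts` is an arbitrary assumption.

```python
"""Join proftpd sessions in wtmp (what `last` prints) with PAM failures in
auth.log by the ftpd<pid> line name. Sample data is constructed inline."""
import re
import struct
from collections import Counter

# glibc `struct utmp` on x86_64 Linux: 384 bytes per record. This layout is an
# assumption about the platform; 32-bit builds pad the fields differently.
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7  # ut_type for a session record


def _cstr(raw):
    """NUL-terminated bytes -> str."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def pack_wtmp(ut_type, pid, line, user, host, sec):
    """Build one wtmp record; used only to construct the sample below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, sec, 0, b"")


def parse_wtmp(data):
    """Return one dict per record with the untruncated user/host fields."""
    out = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        ut_type, pid, line, _id, user, host, *_rest = struct.unpack_from(
            UTMP_FMT, data, off)
        out.append({"type": ut_type, "pid": pid, "line": _cstr(line),
                    "user": _cstr(user), "host": _cstr(host)})
    return out


# proftpd hands PAM "ftpd<pid>" as the tty name, so the PID joins both logs.
AUTH_FAIL_RE = re.compile(
    r"pam_unix\(proftpd:auth\): authentication failure;.*?"
    r"tty=/dev/ftpd(?P<pid>\d+) ruser=(?P<user>\S*) rhost=(?P<host>\S+)")


def parse_auth_failures(text):
    """Return [{pid, user, host}] for each proftpd PAM failure line."""
    return [{"pid": int(m["pid"]), "user": m["user"], "host": m["host"]}
            for m in AUTH_FAIL_RE.finditer(text)]


def correlate(records, failures):
    """Return (rows, per_host). Each row is an ftpd session from wtmp with
    the full username, what `last` would print for it (8-char user,
    16-char host) and whether a PAM failure exists for that PID; per_host
    counts failures per remote host, which is the brute-force signal."""
    failed_pids = {f["pid"] for f in failures}
    rows = []
    for r in records:
        if not r["line"].startswith("ftpd"):
            continue  # ssh/console sessions are not FTP sessions
        rows.append({"line": r["line"], "user": r["user"], "host": r["host"],
                     "last_user": r["user"][:8], "last_host": r["host"][:16],
                     "failed_auth": r["pid"] in failed_pids})
    return rows, Counter(f["host"] for f in failures)


def suspicious_hosts(per_host, threshold=10):
    """Hosts with at least `threshold` failures (threshold is arbitrary)."""
    return sorted(h for h, n in per_host.items() if n >= threshold)


# --- constructed sample data (not from the original host) ----------------
SAMPLE_WTMP = b"".join([
    pack_wtmp(USER_PROCESS, 31576, "ftpd31576", "trustportpro.download",
              "www.trustport.com", 1380621780),
    pack_wtmp(USER_PROCESS, 31575, "ftpd31575", "trustportpro.download",
              "www.trustport.com", 1380621780),
    pack_wtmp(USER_PROCESS, 31500, "ftpd31500", "alice", "10.0.0.5", 1380620000),
    pack_wtmp(USER_PROCESS, 4242, "pts/0", "root", "10.0.0.9", 1380619000),
])
SAMPLE_AUTH_LOG = """\
Oct  1 10:03:01 kermis proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd31576 ruser=trustportpro.download rhost=www.trustport.com
Oct  1 10:03:01 kermis proftpd: pam_unix(proftpd:auth): check pass; user unknown
Oct  1 10:03:02 kermis proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd31575 ruser=trustportpro.download rhost=www.trustport.com
"""


def run(wtmp_bytes=SAMPLE_WTMP, auth_text=SAMPLE_AUTH_LOG, threshold=2):
    """Parse both inputs and return (rows, per_host, flagged_hosts)."""
    rows, per_host = correlate(parse_wtmp(wtmp_bytes),
                               parse_auth_failures(auth_text))
    return rows, per_host, suspicious_hosts(per_host, threshold)


if __name__ == "__main__":
    rows, per_host, flagged = run()
    for r in rows:
        print(f"{r['last_user']:<8} {r['line']:<12} {r['last_host']:<16} "
              f"full user={r['user']!r} failed_auth={r['failed_auth']}")
    print("failures per host:", dict(per_host), "flagged:", flagged)
```

To run it against a real host, replace the sample inputs with `open('/var/log/wtmp', 'rb').read()` and the text of `/var/log/auth.log`; any `ftpd` row with `failed_auth` set is a session that `last` lists but that never authenticated, and `per_host` tells you which remote address is hammering the server.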
