Well,
This report points out a few things. Your system thinks ftp was used to upload or change the /etc/passwd file.
Before you discount this, you might want to check /var/adm/syslog/syslog.log
You should be able to tie an ftp event back to the ids log.
It is possible someone used an ftp exploit to get root privileges and do bad things to your /etc/passwd file.
That is a SERIOUS situation that requires immediate attention.
If nobody is supposed to be using ftp then disable the ftpd daemon in /etc/inetd.conf
Then:
inetd -c
I suppose this could be an ids bug. I would NOT count on that.
Even if root ftp is disabled as it should be in the ftpaccess file, there are buffer overflow exploits that can gain root privileges.
SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
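
One way to carry out the check suggested in the reply above, as an added example that is not part of the original post: it tests whether an uncommented ftp line is present in an inetd.conf and lists the ftpd entries in a syslog file that fall within a time window around the IDS alert. The function names, the sample file contents and the alert time (typed in by hand from the IDS report) are assumptions; the log lines are constructed in the usual "Mon DD HH:MM:SS host prog[pid]:" syslog layout.

```shell
#!/bin/sh
# Added example. All file contents below are constructed sample data.

# Succeeds if an uncommented ftp service line is present in an inetd.conf.
ftp_enabled() {
    grep -Eq '^[[:space:]]*ftp[[:space:]]' "$1"
}

# ftpd_near_alert SYSLOG MON DAY HH:MM:SS WINDOW_SECS
# Prints ftpd entries logged on that day within WINDOW_SECS of the alert time.
ftpd_near_alert() {
    awk -v mon="$2" -v day="$3" -v t="$4" -v win="$5" '
    function secs(hms,   p) { split(hms, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    BEGIN { t0 = secs(t) }
    $1 == mon && $2 + 0 == day + 0 && index($5, "ftpd") == 1 {
        d = secs($3) - t0
        if (d < 0) d = -d
        if (d <= win) print
    }' "$1"
}

# Constructed sample files (stand-ins for /etc/inetd.conf and syslog.log).
demo=${TMPDIR:-/tmp}/ftpcheck.$$
mkdir -p "$demo"
trap 'rm -rf "$demo"' EXIT

cat > "$demo/inetd.conf" <<'EOF'
#telnet stream tcp nowait root /usr/lbin/telnetd telnetd
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
EOF

cat > "$demo/syslog.log" <<'EOF'
Mar 12 09:02:11 host1 ftpd[2101]: FTP LOGIN FROM 192.0.2.10, user1
Mar 12 14:31:40 host1 sshd[2290]: Accepted password for user2
Mar 12 14:32:05 host1 ftpd[2304]: FTP LOGIN FROM 192.0.2.77, user3
Mar 12 14:33:58 host1 ftpd[2304]: FTP session closed
Mar 13 14:32:30 host1 ftpd[2411]: FTP LOGIN FROM 192.0.2.10, user1
EOF

# Assumed alert time: Mar 12 14:33:00, window of 120 seconds either side.
if ftp_enabled "$demo/inetd.conf"; then echo "ftp is enabled in inetd.conf"; fi
ftpd_near_alert "$demo/syslog.log" Mar 12 14:33:00 120
```

The window comparison only covers entries from the same calendar day as the alert, so an alert close to midnight needs a second run for the adjacent day.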