
ids-alert.log

David_711
Frequent Advisor


Hi,
My HIDS 9000 v2.2 on my HP-UX 11.11 system is logging the following:
User 0 renamed a file to "/etc/passwd" executing /usr/lbin/ftpd(1,1493,"40000007") with arguments ["ftpd", "-l"] as PID:26249

My question is, why is idsagent reporting that the file /etc/passwd was renamed by ftpd, when nobody is using ftp?
What does that mean?

Thanks a lot
David
Steven E. Protter
Exalted Contributor

Re: ids-alert.log

Well,

This report points out a few things. Your system thinks ftp was used to upload or change the /etc/passwd file.

Before you discount this, you might want to check /var/adm/syslog/syslog.log

You should be able to tie an ftp event back to the ids log.

It is possible someone used an ftp exploit to get root privileges and do bad things to your /etc/passwd file.

That is a SERIOUS situation that requires immediate attention.

If nobody is supposed to be using ftp, then disable the ftpd daemon in /etc/inetd.conf

Then:

inetd -c

I suppose this could be an ids bug. I would NOT count on that.

Even if root ftp is disabled, as it should be in the ftpaccess file, there are buffer overflow exploits that can gain root privileges.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
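An added example, not from either poster, of the two checks the reply describes: pull the PID out of the HIDS alert and look for the matching ftpd session in syslog.log, then check whether ftp is still enabled in inetd.conf. The syslog lines, hostname, address and inetd.conf snippet are constructed; the file paths are the HP-UX defaults named in the thread.

```shell
#!/bin/sh
# Correlate an HP-UX HIDS alert with syslog.log and audit inetd.conf.
# All sample data below is constructed for this example.

ALERT='User 0 renamed a file to "/etc/passwd" executing /usr/lbin/ftpd(1,1493,"40000007") with arguments ["ftpd", "-l"] as PID:26249'

# Constructed syslog.log entries (hostname, times and address are made up).
SYSLOG='Mar  3 10:14:02 hpbox inetd[1493]: ftp/tcp: Connection from 192.0.2.55 (192.0.2.55)
Mar  3 10:14:02 hpbox ftpd[26249]: FTP LOGIN FROM 192.0.2.55 [192.0.2.55], anonymous
Mar  3 10:14:09 hpbox ftpd[26249]: FTP session closed
Mar  3 10:20:00 hpbox sshd[27001]: Accepted publickey for david'

# Constructed inetd.conf fragment: telnet commented out, ftp still live.
INETD_CONF='#telnet stream tcp nowait root /usr/lbin/telnetd telnetd
ftp     stream tcp6 nowait root /usr/lbin/ftpd    ftpd -l'

# Extract the PID the IDS recorded ("as PID:26249") from an alert line.
alert_pid() {
    printf '%s\n' "$1" | sed -n 's/.*as PID:\([0-9][0-9]*\).*/\1/p'
}

# Print the syslog entries written by ftpd under that PID, i.e. the ftp
# session the IDS is talking about. Exit status is non-zero if none match,
# which is the "nobody was using ftp" case worth escalating rather than discounting.
correlate() {
    pid=$(alert_pid "$1")
    printf '%s\n' "$2" | grep -E "ftpd\[$pid\]"
}

# Succeed if an uncommented ftp service line is present in inetd.conf text.
ftp_enabled() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*ftp[[:space:]]+stream' >/dev/null
}

# Stand-alone run against the constructed data. On a live box use:
#   correlate "$line" "$(cat /var/adm/syslog/syslog.log)"
#   ftp_enabled "$(cat /etc/inetd.conf)" && echo "ftp still enabled; comment it out and run inetd -c"
correlate "$ALERT" "$SYSLOG" || echo "no ftpd[$(alert_pid "$ALERT")] entries in syslog"
ftp_enabled "$INETD_CONF" && echo "ftp is still enabled in inetd.conf"
```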