need some help tracking down brute force attacker
Hi there, the last few days I've noticed that logwatch (which reports suspicious crap it finds in messages etc.) shows that someone (localhost) is basically trying to connect to EVERY account listed in /etc/passwd using ftp.
Basically I see an authentication failure for ftp starting at root and finishing at the last virtual user, i.e. someone is using some sort of script which reads /etc/passwd (which is world-readable) in its entirety and then tries to make an ftp connection ..
The problem is, it's coming from 127.0.0.1, so I guess it has to be one user's script that does this, i.e. 1) reads /etc/passwd, 2) attempts to connect via ftp with each account it finds in the passwd file, incl. system accounts root, squid etc.
I tried looking at the /var/log/dcpumon logs (5 min snapshots of top output), but it seems dcpumon doesn't archive yesterday's toplog.*** files.
Has anyone got any ideas on how to track down the script which is reading the passwd file and making all these ftp connect attempts?
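One way to confirm the pattern described above from the logs themselves, and to tell a passwd-walk apart from an ordinary repeated failure, is to check whether the failed usernames for a given source address advance through /etc/passwd in file order. The script below is an added example written for this thread, not code from the original post; the passwd entries and the pam_unix-style `authentication failure` log lines are constructed samples, and the `ftpd` program name, host and PIDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample /etc/passwd content (hypothetical accounts, not from the post).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
squid:x:13:13:squid:/var/spool/squid:/usr/sbin/nologin
vuser1:x:1001:1001::/home/vuser1:/bin/false
vuser2:x:1002:1002::/home/vuser2:/bin/false
"""

# Constructed sample log lines in pam_unix's "authentication failure" format
# (as a PAM-backed ftpd would log them); timestamps, host and PIDs are made up.
SAMPLE_LOG = """\
Jan 12 03:14:15 host ftpd[1234]: pam_unix(ftp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1 user=root
Jan 12 03:14:16 host ftpd[1235]: pam_unix(ftp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1 user=daemon
Jan 12 03:14:16 host ftpd[1236]: pam_unix(ftp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1 user=squid
Jan 12 03:14:17 host ftpd[1237]: pam_unix(ftp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1 user=vuser1
Jan 12 03:14:17 host ftpd[1238]: pam_unix(ftp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1 user=vuser2
Jan 12 03:20:00 host ftpd[1300]: pam_unix(ftp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.5 user=vuser1
Jan 12 03:20:09 host ftpd[1301]: pam_unix(ftp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.5 user=vuser1
"""

# Matches the syslog prefix plus the rhost= and user= fields of a PAM failure line.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>\S+)\[(?P<pid>\d+)\]: "
    r".*authentication failure;.*\brhost=(?P<rhost>\S*)\s+user=(?P<user>\S*)"
)


def passwd_order(passwd_text):
    """Account names in the order they appear in the passwd file."""
    return [line.split(":", 1)[0] for line in passwd_text.splitlines()
            if line.strip() and not line.startswith("#")]


def parse_failures(log_text):
    """One dict (ts, prog, pid, rhost, user) per line that is an auth failure."""
    found = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            found.append(m.groupdict())
    return found


def ordered_run(users, order):
    """Number of distinct accounts, from the start of `users`, that step forward
    through `order` without ever going backwards (repeats are ignored).
    A long run means the attempts follow the passwd file line by line."""
    index = {name: i for i, name in enumerate(order)}
    last, run = -1, 0
    for u in users:
        i = index.get(u)
        if i is None or i < last:
            break
        if i > last:
            run += 1
            last = i
    return run


def find_enumerators(log_text, passwd_text, min_run=4):
    """Map each rhost to a summary and flag hosts whose failures walk the
    passwd file in order for at least `min_run` distinct accounts."""
    order = passwd_order(passwd_text)
    by_host = defaultdict(list)
    for f in parse_failures(log_text):
        by_host[f["rhost"]].append(f["user"])
    report = {}
    for rhost, users in by_host.items():
        run = ordered_run(users, order)
        report[rhost] = {
            "failures": len(users),
            "distinct_users": len(set(users)),
            "passwd_order_run": run,
            "enumerating_passwd": run >= min_run,
        }
    return report


if __name__ == "__main__":
    for rhost, info in find_enumerators(SAMPLE_LOG, SAMPLE_PASSWD).items():
        flag = "ENUMERATION" if info["enumerating_passwd"] else "ok"
        print(f"{rhost:15} {flag:12} failures={info['failures']} "
              f"distinct={info['distinct_users']} ordered_run={info['passwd_order_run']}")
```

To run it against a real box, read /var/log/messages (or wherever ftpd logs) and the real /etc/passwd in place of the samples. Note that the PID in each line is the ftpd child that handled the connection, not the client, so the log alone will not name the local process; for that, catch a connection while it is live (`ss -tnp` or `netstat -tnp` as root shows the owning PID on both ends of a 127.0.0.1 socket) or, if auditd is installed, put a read watch on the file with `auditctl -w /etc/passwd -p r -k passwd_read` and look for the process that reads it right before the burst of failures.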