Multiple FTP Logins from my own IP?

    #367355
    kimonostereo
    Participant

    I watch my system.log and console constantly and have noticed that every day on both my servers I get multiple FTP LOGIN REFUSED: getpwnam returned null coming from my own IP address. There are about 3 attempts per second but I cannot figure out what’s causing this. It’s happening on both my servers.

    One is a MacPro running 10.4.8 Server Universal, the other a G4 running Server 10.4.7.

    Anyone have any ideas?

    #367653
    Steve St-Laurent
    Participant

    No explanation here, but I can confirm seeing the same thing. My guess is it’s a dictionary login attack, which has yet to succeed here. What puzzles me is that it seems to ignore settings for "disable login after X unsuccessful attempts".

    The IP address might be spoofed. I’ve seen Windows tools for IP spoofing.

    In connection with that, a little story. I received a warning from my ISP about possible copyright violations: several downloads of movies from my IP addresses. The warning listed the date and times. I had a good laugh. You see, I was in the middle of moving at the time and had no machine connected to the Net at the time. ISP rep feigned ignorance when I explained IP spoofing.

    #370642
    tim harris
    Participant

    server ftpd[2953]: FTP LOGIN REFUSED: getpwnam returned null

    about 3 a second…. even with FTP not running.

    #372040
    beansbear
    Participant

    I had this happening as well.

    I killed ftp, then blocked the port on the firewall, and still nothing stopped it.

    Then I checked process viewer and noticed that xftp was running. I killed it and it stopped.

    Anyone know what xftp is doing running?

    It wasn’t running on any other Mac OS X Server I have in the office.

    I am running 10.4.10 OS X Server currently.

    #374726
    tobi77
    Participant

    I know it’s an older thread, but we are currently facing the same issue…

    So has somebody found the real reason why this happens and how to solve it (without disabling ftp or using a different ftp server)?

    #374731
    mosx86
    Participant

    Where is xftp installed? When it’s running, what user owns it?

    #374732
    kimonostereo
    Participant

    I think the fix for this was to kill any instance of xftp that was running. Still, I don’t know why xftp would be running or what causes it to launch.

    #374747
    tobi77
    Participant

    Quote by mosx86: "Where is xftp installed? When it’s running, what user owns it?"

    It’s the default installation, no paths altered. The processes are owned by root.

    Quote: "I think the fix for this was to kill any instance of xftp that was running. Still, I don’t know why xftp would be running or what causes it to launch."

    It appears like a dictionary attack to me, which was confirmed by a user at the Apple discussions as well. The strange thing is just that I can’t figure out the origin IP address; it simply seems to start without warning (however, I must confess that having hundreds of such lines makes it not really easy to find something in the system log file, so likely I have overlooked it).
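
Added example, not part of the original thread: a small Python triage pass for the situation in the last post, where hundreds of identical refusal lines bury everything else in system.log. It assumes the standard BSD syslog line layout; the function name `triage` and the sample lines are constructed for illustration, and only the refusal message text comes from the thread.

```python
import re
from collections import Counter

# Assumed BSD syslog layout: "Mon DD HH:MM:SS host process[pid]: message"
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([\w.-]+)\[(\d+)\]: (.*)$")
REFUSED = "FTP LOGIN REFUSED: getpwnam returned null"  # message quoted in the thread

def triage(lines):
    """Collapse the repeated refusal message and keep every other FTP-related line."""
    per_second = Counter()  # timestamp -> refusals logged in that second
    pids = Counter()        # pid -> refusals logged by that process
    other = []              # FTP-related lines that are NOT the refusal message
    for raw in lines:
        m = LINE.match(raw.rstrip("\n"))
        if not m:
            continue  # not in the assumed layout; ignore
        stamp, _host, proc, pid, msg = m.groups()
        if "ftp" not in proc.lower():
            continue  # unrelated process
        if msg.strip() == REFUSED:
            per_second[stamp] += 1
            pids[int(pid)] += 1
        else:
            other.append(raw.rstrip("\n"))
    stamps = list(per_second)  # Counter keeps insertion order, i.e. log order
    return {
        "refused_total": sum(per_second.values()),
        "peak_per_second": max(per_second.values(), default=0),
        "first_seen": stamps[0] if stamps else None,
        "last_seen": stamps[-1] if stamps else None,
        "pids": dict(pids),  # compare against the running process list
        "other_ftp_lines": other,  # the few lines worth reading by hand
    }

# Constructed sample input; only the refusal text is taken from the thread.
SAMPLE = """\
Jan  5 03:12:06 server ftpd[2953]: (constructed) some other ftpd message
Jan  5 03:12:07 server ftpd[2953]: FTP LOGIN REFUSED: getpwnam returned null
Jan  5 03:12:07 server ftpd[2953]: FTP LOGIN REFUSED: getpwnam returned null
Jan  5 03:12:07 server ftpd[2953]: FTP LOGIN REFUSED: getpwnam returned null
Jan  5 03:12:08 server ftpd[2953]: FTP LOGIN REFUSED: getpwnam returned null
Jan  5 03:12:08 server cron[411]: (constructed) unrelated line
Jan  5 03:12:08 server ftpd[2960]: FTP LOGIN REFUSED: getpwnam returned null
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE.splitlines()).items():
        print(f"{key}: {value}")
```

On a real log, pass the open file object to `triage`; the PIDs it reports can then be matched against the process list to see which program is logging the refusals and which user owns it.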
