Multiple FTP Login’s from my own IP?

[kimonostereo]

I watch my system.log and console constantly and have noticed that every day on both my servers I get multiple FTP LOGIN REFUSED: getpwnam returned null coming from my own IP address. There are about 3 attempts per second but I cannot figure out whats causing this. It’s happening on both my servers.

One is a MacPro running 10.4.8 Server Universal the other on a G4 running Server 10.4.7.

Anyone have any ideas?

[Steve St-Laurent]

No explanation here, but I can confirm seeing the same thing. My guess is it’s a dictionary login attack, which has yet to succeed here. What puzzles me is that it seems to ignore settings for "disable login after X unsuccessful attempts.

The IP address might be spoofed. I’ve seen Windows tools for IP spoofing.

In connection with that, a little story. I received a warning from my ISP about possible copyright violations : several downloads of movies from my IP addresses. The warning listed the date and times. I had a good laugh. You see, I was in the middle of moving at the time and had no machine connected to the Net at the time. ISP rep feigned ignorance when I explained IP spoofing.

[tim harris]

server ftpd[2953]: FTP LOGIN REFUSED: getpwnam returned null

about 3 a second…. even with FTP not running.

[beansbear]

I had this happening as well.

I killed ftp then blocked the port on the firewall and still nothing stopped it.

Then i checked process viewer and noticed that xftp was running. I killed it and it stopped.

Anyone know what xftp is doing running?

It wasn’t running on any other Mac OS X Server i have in the office.

I am running 10.4.10 OS X Server currently.

[tobi77]

I know it’s an older thread, but we are currently facing the same issue…

So has somebody found the real reason why this happens and how to solve it (without disabling ftp or using a different ftp server) ?

[mosx86]

Where is xftp installed? When it’s running, what user owns it?

[kimonostereo]

I think the fix for this was to kill any instance of xftp that was running. Still, I don’t know why xftp would be running or what causes it to launch.

[tobi77]

[QUOTE][u]Quote by: mosx86[/u][p]Where is xftp installed? When it’s running, what user owns it?[/p][/QUOTE]

It’s the default installation, no paths altered. The processes are owned by root.

[quote]I think the fix for this was to kill any instance of xftp that was running. Still, I don’t know why xftp would be running or what causes it to launch.[/quote]

It appears like a dictionary attack to me, which was confirmed by a user at the Apple discussions as well. The strange thing is just that I can’t figure out the origin IP address, it simply seems to start without warning (however I must confess having hundreds of such lines makes it not really easy to find something at the system log file, so likely I have overseen it).

[Author]

Posts