Topic: FTP session opened. possable break in attempt ??

[funkusmunkus]

Hi all,

I was going through the logs and found this :
Oct 11 23:46:50 servername proftpd[8482]: servername.domainname (66.216.144.24[66.216.144.24]) - FTP session opened

now i checked that address out and it takes you to critical vision portal which does (  Introducing CriticalVision Monitoring Service )
Now why the hell would they try to ftp to my server.
I didn't ask them to, someone must have. anyway i found an ibay that i set up ages ago and it was set to
User access via file sharing or user ftp write=group read=everyone
Public access via web or anonymous ftp entire internet (no password required)

so i changed that, at the moment only one person logs on via ftp to upload and download files from that one ibay, are those changes that i made enough ?
or is there something else i should look into ?

I did run rkhunter and it gave me the all clear signal, and the server is v5.6 U6  behind a firewall/router.

cheers

[cc_skavenger]

probably someone wanting to see what they could see....

[funkusmunkus]

Ok now i'm getting a little worried, the one user who FTPs to the server called me up saying that he could connect, my first reaction was it might have something to do with the changes i made, so i changed them back, and he still couldn't get on, i reviewd the logs and there was no record of him trying to connect, so i checked the router, and the record of forwarding port 21 was gone, i had to recreate it.

but i didn't find anything else in the logs, and unless they had the admin password i couldn't see how they did any damage.

any ideas ?
cheers