A member of the proftpd mailing list and myself discovered a problem
with proftpd with mod_sqlpw.c optional module compiled in.

Unix last command reveals passwords where the username should be.
A patch was sent to the mailing list, however, the patch only protects
ftp localhost not ftp remotehost.

Johnie Ingram (Author of mod_sqlpw.c) was notified, as well as, the rest
of the mailing list.

I suggest the following work around:

<Global>
Wtemplog off
</Global>

Wtmplog details below:
WtmpLog

Syntax: WtmpLog on|off|NONE
Default: WtmpLog on
Context: server config, <VirtualHost>, <Anonymous>, <Global>
Compatibility: 1.1.7 and later

The WtmpLog directive controls proftpd's logging of ftp connections to
the host system's wtmp file (used by such commands
as `last'). By default, all connections are logged via wtmp.


 _Todd