darwinos-users-bounces+lars.sonchocky-helldorf=email@hidden
wrote on 30.03.2005 17:48:25:
> [no need to cross post, replying on users only]
>
> On Mar 30, 2005, at 4:11 AM, Lars Sonchocky-Helldorf wrote:
>
> > I discovered recently that my /var/log/secure.log contains just one
> > line:
> >
> > Apr 9 22:10:34 localhost ftpd[772]: FTP LOGIN FAILED FROM
> > 172.23.56.107,
> > lars
> >
> > and has a modification date from the same time:
> >
> > [Lars-Sonchocky-Helldorfs-Computer:~] lars% ls -al /var/log/secure.log
> > -rw------- 1 root admin 79 Apr 9 2003 /var/log/secure.log
> > [Lars-Sonchocky-Helldorfs-Computer:~] lars%
>
> > What is going on here?
>
> You have FTP enabled? If so then someone tried to log in via FTP to your
> system.
That line from the log was caused by myself ...
>
> > Am I rootkitted?
>
> Maybe I am missing something from your email but why do you believe that?
... what really bugs me here is that this is the *only* line in this log. If
I *for testing* do a wrong login attempt I don't see any trace from this
in that log, also not from successful logins. Nothing ever gets appended
to that log ... *that* is strange
>
> > Any other idea what could be the cause for that (and what I can do to
> > find it out)?
>
> A cause for the log message? If so then someone is probing your system
> attempting to see if they can get in.
>
> Note I got these just today (don't have FTP enabled) on the only system
> I have ssh mapped to the outside world from...
>
> Mar 30 04:13:56 Cube xinetd[357]: service ssh, IPV6_ADDRFORM
> setsockopt() failed: Protocol not available (errno = 42)
> Mar 30 04:13:56 Cube xinetd[357]: START: ssh pid=2989
> from=129.177.98.124
> Mar 30 04:13:56 Cube sshd[2987]: reverse mapping checking getaddrinfo
> for syvertsen.nsd.uib.no failed - POSSIBLE BREAKIN ATTEMPT!
> Mar 30 04:13:58 Cube sshd[2989]: Illegal user hack from 129.177.98.124
> Mar 30 04:13:58 Cube xinetd[357]: service ssh, IPV6_ADDRFORM
> setsockopt() failed: Protocol not available (errno = 42)
> Mar 30 04:13:58 Cube xinetd[357]: START: ssh pid=2991
> from=129.177.98.124
> Mar 30 04:13:59 Cube sshd[2989]: reverse mapping checking getaddrinfo
> for syvertsen.nsd.uib.no failed - POSSIBLE BREAKIN ATTEMPT!
> Mar 30 04:14:01 Cube sshd[2991]: Illegal user idiot from 129.177.98.124
> Mar 30 04:14:01 Cube xinetd[357]: service ssh, IPV6_ADDRFORM
> setsockopt() failed: Protocol not available (errno = 42)
> Mar 30 04:14:01 Cube xinetd[357]: START: ssh pid=2993
> from=129.177.98.124
> Mar 30 04:14:02 Cube sshd[2991]: reverse mapping checking getaddrinfo
> for syvertsen.nsd.uib.no failed - POSSIBLE BREAKIN ATTEMPT!
> Mar 30 04:14:03 Cube sshd[2993]: Illegal user mama from 129.177.98.124
This is like what I would have expected.
>
> -Shawn
Lars
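
Added example (not part of the original messages): a small Python parser for syslog lines in the format quoted above. It rejoins records that a mail client has wrapped and groups failed FTP logins and sshd "Illegal user" attempts by source address. The sample log, host name, user names and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the same syslog format as the quoted lines,
# including mail-client line wrapping; addresses are documentation ranges.
SAMPLE = """\
Mar 30 04:13:56 host xinetd[357]: START: ssh pid=2989
from=192.0.2.10
Mar 30 04:13:58 host sshd[2989]: Illegal user alpha from 192.0.2.10
Mar 30 04:14:01 host sshd[2991]: Illegal user beta from
192.0.2.10
Mar 30 04:14:05 host sshd[3001]: Illegal user alpha from 198.51.100.7
Mar 30 04:15:10 host ftpd[772]: FTP LOGIN FAILED FROM
192.0.2.10,
carol
"""

# A record starts with a classic syslog timestamp, e.g. "Mar 30 04:13:56 ".
STAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
SSH_BAD = re.compile(r"sshd\[\d+\]: Illegal user (\S+) from (\S+)$")
FTP_BAD = re.compile(r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (\S+), (\S+)$")


def unwrap(text):
    """Rejoin wrapped records: a line without a leading syslog timestamp
    is treated as a continuation of the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def failed_logins(text):
    """Map source address -> sorted list of (service, username) attempts."""
    by_source = defaultdict(set)
    for rec in unwrap(text):
        if m := SSH_BAD.search(rec):
            by_source[m.group(2)].add(("ssh", m.group(1)))
        elif m := FTP_BAD.search(rec):
            by_source[m.group(1)].add(("ftp", m.group(2)))
    return {src: sorted(tries) for src, tries in by_source.items()}


if __name__ == "__main__":
    for src, tries in sorted(failed_logins(SAMPLE).items()):
        print(src, len(tries), tries)
```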