The Planet Forums > wierd stuff

The Planet Forums > Control Panels > Plesk

murshed

Jan 12 2003, 04:45 AM

hi

sometimes i check my /var/log/messages and i find strange things

this is what i got recently:

Jan 12 08:43:14 plesk proftpd[25685]: plesk.rackshack.net (p5086EB73.dip.t-dialin.net[80.134.235.115]) - FTP session opened.
Jan 12 08:43:14 plesk proftpd[25685]: plesk.rackshack.net (p5086EB73.dip.t-dialin.net[80.134.235.115]) - FTP session closed.
Jan 12 08:43:20 plesk proftpd[25688]: plesk.rackshack.net (AMontpellier-102-1-3-90.abo.wanadoo.fr[80.14.245.90]) - FTP session opened.
Jan 12 08:43:21 plesk proftpd[25688]: plesk.rackshack.net (AMontpellier-102-1-3-90.abo.wanadoo.fr[80.14.245.90]) - no such user 'anonymous'
Jan 12 08:43:21 plesk last message repeated 4 times
Jan 12 08:43:22 plesk proftpd[25688]: plesk.rackshack.net (AMontpellier-102-1-3-90.abo.wanadoo.fr[80.14.245.90]) - FTP session closed.
Jan 12 08:44:19 plesk proftpd[25701]: plesk.rackshack.net (161.Red-80-33-200.pooles.rima-tde.net[80.33.200.161]) - FTP session opened.
Jan 12 08:44:19 plesk proftpd[25701]: plesk.rackshack.net (161.Red-80-33-200.pooles.rima-tde.net[80.33.200.161]) - FTP session closed.

what is it exactly and who it trying to FTP me?
the time between the open and closed session is to short and i don't have any anonymous accounts on my server

is it serious?

what is the difference between /var/log/messages and log/access_log in plesk directroy?

thanks

micxz

Feb 12 2003, 03:53 PM

QUOTE

Originally posted by murshed
hi

sometimes i check my /var/log/messages and i find strange things

this is what i got recently:

Jan 12 08:43:14 plesk proftpd[25685]: plesk.rackshack.net (p5086EB73.dip.t-dialin.net[80.134.235.115]) - FTP session opened.
Jan 12 08:43:14 plesk proftpd[25685]: plesk.rackshack.net (p5086EB73.dip.t-dialin.net[80.134.235.115]) - FTP session closed.
Jan 12 08:43:20 plesk proftpd[25688]: plesk.rackshack.net (AMontpellier-102-1-3-90.abo.wanadoo.fr[80.14.245.90]) - FTP session opened.
Jan 12 08:43:21 plesk proftpd[25688]: plesk.rackshack.net (AMontpellier-102-1-3-90.abo.wanadoo.fr[80.14.245.90]) - no such user 'anonymous'
Jan 12 08:43:21 plesk last message repeated 4 times
Jan 12 08:43:22 plesk proftpd[25688]: plesk.rackshack.net (AMontpellier-102-1-3-90.abo.wanadoo.fr[80.14.245.90]) - FTP session closed.
Jan 12 08:44:19 plesk proftpd[25701]: plesk.rackshack.net (161.Red-80-33-200.pooles.rima-tde.net[80.33.200.161]) - FTP session opened.
Jan 12 08:44:19 plesk proftpd[25701]: plesk.rackshack.net (161.Red-80-33-200.pooles.rima-tde.net[80.33.200.161]) - FTP session closed.

what is it exactly and who it trying to FTP me?
the time between the open and closed session is to short and i don't have any anonymous accounts on my server

is it serious?

what is the difference between /var/log/messages and log/access_log in plesk directroy?

thanks

It's not all that wierd. Happens all day. If you have a server on the internet people bound to try and login to it.

"/var/log/messages" is the system log file ("syslog"). Main messages from various programs are logged here depending on how you setup your logging.

"log/access_log" looks to me like the apache's access log. apache is the webserver that comes w/plesk, and it's logs access and errors to different log files depending on how you configure it. By default it uses two files, "access_log" & "error_log". And you can tell what information they log by they're names.

ALSO my "/etc/hosts.deny" file looks like so:

# Deny Chello.nl
ALL: .chello.be
ALL: .chello.nl
ALL: .chello.at
ALL: .chello.com
ALL: .chello.net
# Deny France ISP
ALL: .wanadoo.fr
ALL: .club-internet.fr
# Deny Stupid dialin.net
ALL: .t-dialin.net
# Stupid Italy ftp hacker;
ALL: .interbusiness.it
# damn taiwan hacker;
ALL: .tnc.edu.tw

murshed

Feb 13 2003, 02:23 AM

thanks man:)

micxz

Feb 13 2003, 02:32 AM

sure, make sure you install a firewall and drop those IP's into IPchains as well!
(covered in another thread)

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.