Full Version: Someone Attempting to access root?
The Planet Forums > Security > General Security > UNIX Security
damainman
I looked in /var/log/messages today and found a bunch of logs like this:

Jan 28 22:47:37 server1 pure-ftpd[12566]: (?@212.17.64.157) [INFO] Logout - CPU time spent: 0.000 seconds.
Jan 28 22:47:38 server1 pure-ftpd[12570]: (?@212.17.64.157) [WARNING] Authentication failed for user [root]
Jan 28 22:47:41 server1 pure-ftpd[12570]: (?@212.17.64.157) [INFO] Logout - CPU time spent: 0.000 seconds.
Jan 28 22:47:44 server1 pure-ftpd[12574]: (?@212.17.64.157) [INFO] New connection from 212.17.64.157
Jan 28 22:47:45 server1 pure-ftpd[12574]: (?@212.17.64.157) [WARNING] Authentication failed for user [root]
Jan 28 22:47:48 server1 pure-ftpd[12574]: (?@212.17.64.157) [INFO] Logout - CPU time spent: 0.010 seconds.
Jan 28 22:47:50 server1 pure-ftpd[12578]: (?@212.17.64.157) [INFO] New connection from 212.17.64.157
Jan 28 22:47:52 server1 pure-ftpd[12578]: (?@212.17.64.157) [WARNING] Authentication failed for user [root]
Jan 28 22:47:55 server1 pure-ftpd[12582]: (?@212.17.64.157) [INFO] New connection from 212.17.64.157
Jan 28 22:47:55 server1 pure-ftpd[12578]: (?@212.17.64.157) [INFO] Logout - CPU time spent: 0.000 seconds.
Jan 28 22:47:57 server1 pure-ftpd[12582]: (?@212.17.64.157) [WARNING] Authentication failed for user [root]
Jan 28 22:47:58 server1 pure-ftpd[12586]: (?@212.17.64.157) [INFO] New connection from 212.17.64.157
Jan 28 22:48:00 server1 pure-ftpd[12582]: (?@212.17.64.157) [INFO] Logout - CPU time spent: 0.000 seconds.
Jan 28 22:48:00 server1 pure-ftpd[12586]: (?@212.17.64.157) [WARNING] Authentication failed for user [root]
Jan 28 22:48:03 server1 pure-ftpd[12586]: (?@212.17.64.157) [INFO] Logout - CPU time spent: 0.010 seconds.
Jan 28 22:48:23 server1 pure-ftpd[12599]: (?@212.17.64.157) [INFO] New connection from 212.17.64.157
Jan 28 22:48:25 server1 pure-ftpd[12599]: (?@212.17.64.157) [WARNING] Authentication failed for user [root]
Jan 28 22:48:29 server1 pure-ftpd[12603]: (?@212.17.64.157) [INFO] New connection from 212.17.64.157
Jan 28 22:48:31 server1 pure-ftpd[12603]: (?@212.17.64.157) [WARNING] Authentication failed for user [root]
Jan 28 22:48:34 server1 pure-ftpd[12603]: (?@212.17.64.157) [INFO] Logout - CPU time spent: 0.000 seconds.
Jan 28 22:48:36 server1 pure-ftpd[12599]: (?@212.17.64.157) [INFO] Logout - CPU time spent: 0.000 seconds.
Jan 28 22:48:36 server1 pure-ftpd[12607]: (?@212.17.64.157) [INFO] New connection from 212.17.64.157
Jan 28 22:48:38 server1 pure-ftpd[12607]: (?@212.17.64.157) [WARNING] Authentication failed for user [root]
Jan 28 22:48:39 server1 pure-ftpd[12611]: (?@212.17.64.157) [INFO] New connection from 212.17.64.157
Jan 28 22:48:41 server1 pure-ftpd[12611]: (?@212.17.64.157) [WARNING] Authentication failed for user [root]
Jan 28 22:48:41 server1 pure-ftpd[12607]: (?@212.17.64.157) [INFO] Logout - CPU time spent: 0.000 seconds.
Jan 28 22:48:42 server1 pure-ftpd[12615]: (?@212.17.64.157) [INFO] New connection from 212.17.64.157
Jan 28 22:48:44 server1 pure-ftpd[12611]: (?@212.17.64.157) [INFO] Logout - CPU time spent: 0.000 seconds.
Jan 28 22:48:44 server1 pure-ftpd[12615]: (?@212.17.64.157) [WARNING] Authentication failed for user [root]
Jan 28 22:48:46 server1 pure-ftpd[12619]: (?@212.17.64.157) [INFO] New connection from 212.17.64.157
Jan 28 22:48:48 server1 pure-ftpd[12619]: (?@212.17.64.157) [WARNING] Authentication failed for user [root]
Jan 28 22:48:49 server1 pure-ftpd[4091]: (?@?) [WARNING] Too many connections (3) from this IP: [212.17.64.157]
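One way to turn a log like the one above into an alert, as an added example that is not from the thread: the script below parses lines in the pure-ftpd syslog format shown (a constructed sample is embedded) and reports any source IP with five or more failed logins inside a two-minute sliding window. The threshold, window and year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same pure-ftpd/syslog format as the thread's log
# (five rapid root failures from one IP, one unrelated failure, two non-auth lines).
SAMPLE_LOG = """\
Jan 28 22:47:38 server1 pure-ftpd[12570]: (?@212.17.64.157) [WARNING] Authentication failed for user [root]
Jan 28 22:47:45 server1 pure-ftpd[12574]: (?@212.17.64.157) [WARNING] Authentication failed for user [root]
Jan 28 22:47:52 server1 pure-ftpd[12578]: (?@212.17.64.157) [WARNING] Authentication failed for user [root]
Jan 28 22:47:57 server1 pure-ftpd[12582]: (?@212.17.64.157) [WARNING] Authentication failed for user [root]
Jan 28 22:48:00 server1 pure-ftpd[12586]: (?@212.17.64.157) [WARNING] Authentication failed for user [root]
Jan 28 22:48:03 server1 pure-ftpd[12586]: (?@212.17.64.157) [INFO] Logout - CPU time spent: 0.010 seconds.
Jan 28 22:48:49 server1 pure-ftpd[4091]: (?@?) [WARNING] Too many connections (3) from this IP: [212.17.64.157]
Jan 28 22:50:10 server1 pure-ftpd[12700]: (?@10.0.0.5) [WARNING] Authentication failed for user [bob]
"""

# Matches only the "Authentication failed" warning; the "(?@?)" line has no IP and is skipped.
FAILED_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ pure-ftpd\[\d+\]: "
    r"\(\S*?@(?P<ip>[\d.]+)\) \[WARNING\] Authentication failed for user \[(?P<user>[^\]]+)\]"
)

def parse_failures(text, year=2004):
    """Yield (timestamp, ip, user) for each failed-auth line; syslog omits the year, so it is assumed."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]

def find_bruteforce(text, threshold=5, window_s=120, year=2004):
    """Return {ip: {'failures': total, 'users': [...]}} for every IP that produced
    at least `threshold` failures within any `window_s`-second sliding window."""
    events = defaultdict(list)
    for ts, ip, user in parse_failures(text, year):
        events[ip].append((ts, user))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        times = [t for t, _ in evs]
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1          # slide the window forward past old failures
            if end - start + 1 >= threshold:
                hits[ip] = {"failures": len(evs), "users": sorted({u for _, u in evs})}
                break
    return hits
```

Running `find_bruteforce(SAMPLE_LOG)` flags only 212.17.64.157; the single failure from the other address stays below the threshold.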
damainman
What would this mean from my access_log?


63.138.219.162 - - [28/Jan/2004:01:04:02 -0500] "OPTIONS / HTTP/1.1" 200 -
63.138.219.162 - - [28/Jan/2004:01:04:02 -0500] "OPTIONS / HTTP/1.1" 200 -
63.138.219.162 - - [28/Jan/2004:01:04:03 -0500] "OPTIONS / HTTP/1.1" 200 -
63.138.219.162 - - [28/Jan/2004:01:04:03 -0500] "OPTIONS / HTTP/1.1" 200 -


217.224.91.216 - - [27/Jan/2004:17:46:57 -0500] "GET /NULL.printer" 404 -
217.224.91.216 - - [27/Jan/2004:17:46:57 -0500] "GET /NULL.printer" 404 -


140.99.35.54 - - [27/Jan/2004:10:30:18 -0500] "x80x82x01x03x01" 501 -
140.99.35.54 - - [27/Jan/2004:10:30:18 -0500] "x16x03" 501 -
140.99.35.54 - - [27/Jan/2004:10:31:49 -0500] "x801x01" 501 -


200.158.138.80 - - [28/Jan/2004:15:22:38 -0500] "GET /sumthin HTTP/1.1" 404 -
200.158.138.80 - - [28/Jan/2004:15:22:38 -0500] "GET /sumthin HTTP/1.1" 404 -
200.158.138.80 - - [28/Jan/2004:15:22:38 -0500] "GET /sumthin HTTP/1.1" 404 -
200.158.138.80 - - [28/Jan/2004:15:22:39 -0500] "GET /sumthin HTTP/1.1" 404 -
kris1351
Looks like that is the case. Usually root will not allow FTP, but I would probably ban that IP.

% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/d.../copyright.html

inetnum: 212.17.64.0 - 212.17.127.255
netname: AT-TELEKABEL-980716
descr: Telekabel are Cable-TV operator and
descr: provide TV, Radio and Data service over cable
descr: in Vienna, Graz and Klagenfurt.
country: AT
admin-c: LG40-RIPE
tech-c: HTK1-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: CHELLO-MNT
mnt-routes: CHELLO-MNT
changed: hostmaster@ripe.net 19980716
changed: hostmaster@ripe.net 20010719
source: RIPE

route: 212.17.64.0/19
descr: UPC Technology
origin: AS6830
mnt-by: CHELLO-MNT
changed: hostmaster@chello.at 20020716
source: RIPE

role: Hostmaster Telekabel Wien
address: chello Broadband GmbH
address: Internet Services
address: Reumannplatz 7
address: A-1100 Vienna
address: Austria
phone: +43 1 96062 5000
fax-no: +43 1 96062 5666
e-mail: hostmaster@chello.at
trouble: help@chello.at
admin-c: AK991-RIPE
tech-c: SB666-RIPE
tech-c: MH392-RIPE
tech-c: AK991-RIPE
nic-hdl: HTK1-RIPE
notify: hostmaster@chello.at
mnt-by: CHELLO-MNT
changed: hostmaster@chello.at 20020318
source: RIPE

person: Lorenz Glatz
address: UPC Technology
address: Erlachgasse 116
address: A-1100 Vienna
address: Austria
phone: +43 1 96068
fax-no: +43 1 96068 5666
e-mail: lglatz@upctechnology.com
nic-hdl: LG40-RIPE
notify: lglatz@upctechnology.com
mnt-by: CHELLO-MNT
changed: hostmaster@chello.at 20030626
source: RIPE
kris1351
Run:

# last | more

See what the output says. See if anyone has SSH'd into the server besides you.


CustName: Rogers Cable Inc. KTGC
Address: 1 Mount Pleasant Road
City: Toronto
StateProv: ON
PostalCode: M4Y-2Y5
Country: CA
RegDate: 2003-09-24
Updated: 2003-09-24

NetRange: 63.138.219.128 - 63.138.219.255
CIDR: 63.138.219.128/25
NetName: DOC-1-5-0-1-KTGC-3
NetHandle: NET-63-138-219-128-1
Parent: NET-63-138-0-0-1
NetType: Reassigned
Comment:
RegDate: 2003-09-24
Updated: 2003-09-24

OrgAbuseHandle: RHI9-ARIN
OrgAbuseName: Rogers High-Speed Internet
OrgAbusePhone: +1-416-935-4729
OrgAbuseEmail: abuse@rogers.com

OrgTechHandle: RHI9-ARIN
OrgTechName: Rogers High-Speed Internet
OrgTechPhone: +1-416-935-4729
OrgTechEmail: abuse@rogers.com
damainman
Nope, it looks like just me and SM.

One question that's off topic: I got my server set up to email me whenever a user logs in... Sometimes when I log in, while I'm logged in, I get like 10 emails a couple of minutes apart the whole time I'm logged in, all with my IP. Why would I receive multiple emails from one session? Or is that normal?

P.S.

I appreciate your quick reply. Thanks
eddy2099
Just a silly thought, do you have some server monitoring service which monitors your FTP server? If so, it is possible that they use the login to determine if the FTP server responds. Just a thought really.
damainman
Nope, SM is the only service monitoring me, and I already know what their monitoring service looks like in the logs.

But thanks.
damainman
Someone on another board said block the IP... how would I do that?
kris1351
Depends if you have iptables, APF or SM's firewall set up. You can do a search here to find out the process with each.
damainman
Well, I have SM's hardware firewall set up.

One thing I was thinking is how effective would blocking the IP be, considering most IPs are dynamically assigned when a user logs online, which means all most people would have to do is either restart their computer or disconnect/reconnect to obtain a new IP?
atuarre
I believe if you have the hardware based version, there should be some kind of web interface for you to ban that IP. Every time I see a weird one (mostly foreign, no offense) like .at, or waterloo, or I forget what the other one is, but they seem to be pretty common, I ban them. I haven't seen them in a good bit, but I just continue to ban them as I see them. Better to be safe than sorry, as I always say.
fmorris
212.17.64.157 <-- This same jerk off tried several hundred times on my FTP server on the 29th. I'm assuming he's scanning the whole block, throwing a few hundred passwords at FTP servers hoping to get lucky (making a whole lot of noise).
damainman
Here's what someone on cPanel said I should do to make sure root access through FTP is disabled:

Add root to /etc/ftpusers.

Any user listed in this file will not be able to FTP to your server. This is a standard which all FTP servers conform to.
atuarre
I don't care if they are scanning all the SM IPs, I block the IPs as I see them try to access my server. Just load them up in the APF deny file.