LinuxQuestions.org
Old 05-09-2007, 08:03 AM   #1
keysorsoze
Member
 
Registered: Apr 2004
Location: Queens, NY
Distribution: Red Hat, Solaris
Posts: 295

Rep: Reputation: 30
Hack Attempt?


Hello, the following entries have been showing up in my logwatch reports each morning. Is this a bad sign to come? Is there something that we can do to stop or prevent this from happening again? Here is a snippet of the logwatch report.

**Unmatched Entries**
Address 66.9.9.2 maps to www.somedomain.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Address 66.9.9.2 maps to www.somedomain.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
 
Old 05-09-2007, 09:07 AM   #2
coolb
Member
 
Registered: Apr 2006
Location: Cape Town, South Africa
Distribution: Gentoo 2006.1(2.6.17-gentoo-r7)
Posts: 222

Rep: Reputation: 30
The PTR records are wrong (or haven't been added) for that address. Get hold of the administrator for that IP space.
 
Old 05-09-2007, 09:26 AM   #3
keysorsoze
Member
 
Registered: Apr 2004
Location: Queens, NY
Distribution: Red Hat, Solaris
Posts: 295

Original Poster
Rep: Reputation: 30
Thanks for the reply, I figured this was some sort of attack because we get a lot of these entries in our logwatch reports.
 
Old 05-09-2007, 01:50 PM   #4
coolb
Member
 
Registered: Apr 2006
Location: Cape Town, South Africa
Distribution: Gentoo 2006.1(2.6.17-gentoo-r7)
Posts: 222

Rep: Reputation: 30
Probably, that person with that IPv4 address is doing something...
 
Old 05-15-2007, 01:41 AM   #5
rch1231
Member
 
Registered: Mar 2007
Location: Bedford, Texas
Posts: 31

Rep: Reputation: 15
Take a look at /var/log/messages and see how many times they tried, and block the IP if necessary. You can find out who owns the IP at dnsstuff.com.
 
Old 05-18-2007, 11:08 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
It's also commonly seen with systems behind a NAT firewall, so it doesn't definitively mean something malicious by itself.
 
Old 05-18-2007, 11:32 PM   #7
keysorsoze
Member
 
Registered: Apr 2004
Location: Queens, NY
Distribution: Red Hat, Solaris
Posts: 295

Original Poster
Rep: Reputation: 30
Hi guys, thanks for all the responses. I found out that our DNS server did not have a PTR record or reverse back to our domain for one of our DR servers. That was causing this error. I removed the entry and now everything is peachy. Thanks for the help.
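
The triage discussed in this thread, as an added example that is not part of any poster's reply: count how often each address triggers the warning, then repeat the forward-confirmed reverse DNS check (PTR to name, name back to address) that the message reports as failing. The log prefix, the second address, the zone tables and all function names are constructed for illustration; the DNS lookups are passed in as parameters so the sample runs offline.

```python
import ipaddress
import re
import socket
from collections import Counter

# Constructed sample: the message text is the one quoted in the thread; the
# timestamp/host/process prefix and the second address are made up.
SAMPLE_LOG = """\
May  9 03:11:02 host sshd[2211]: Address 66.9.9.2 maps to www.somedomain.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
May  9 03:11:09 host sshd[2214]: Address 66.9.9.2 maps to www.somedomain.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
May  9 04:40:51 host sshd[2290]: Address 192.0.2.10 maps to dr1.example.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
"""
WARNING = re.compile(r"Address (\S+) maps to (\S+), but this does not map back")

def count_warnings(log_text):
    """Count warnings per (address, claimed hostname) pair."""
    return Counter(m.groups() for m in WARNING.finditer(log_text))

def dns_reverse(address):
    return socket.gethostbyaddr(address)[0]                     # PTR lookup
def dns_forward(name):
    return {ai[4][0] for ai in socket.getaddrinfo(name, None)}  # A/AAAA lookup

def check_fcrdns(address, reverse=dns_reverse, forward=dns_forward):
    """Forward-confirmed reverse DNS: PTR(address) must resolve back to address."""
    try:
        name = reverse(address)
    except OSError:                    # socket.herror/gaierror subclass OSError
        return "no-ptr", None
    try:
        addrs = {ipaddress.ip_address(a) for a in forward(name)}
    except OSError:
        return "no-forward", name
    status = "ok" if ipaddress.ip_address(address) in addrs else "mismatch"
    return status, name

# Constructed zone data standing in for real DNS. 192.0.2.10 models a host
# whose records have been corrected since the warning was logged.
PTR = {"66.9.9.2": "www.somedomain.com", "192.0.2.10": "dr1.example.net"}
A = {"www.somedomain.com": {"203.0.113.7"}, "dr1.example.net": {"192.0.2.10"}}

def table_lookup(table):
    """Build a resolver over a dict that fails the way a real lookup would."""
    def lookup(key):
        if key not in table:
            raise OSError("no record")
        return table[key]
    return lookup

if __name__ == "__main__":
    rev, fwd = table_lookup(PTR), table_lookup(A)
    for (addr, name), hits in count_warnings(SAMPLE_LOG).most_common():
        print(addr, name, hits, check_fcrdns(addr, rev, fwd)[0])
```

Calling `check_fcrdns(address)` with the default resolvers performs the same check against live DNS; a "mismatch" or "no-ptr" result only describes the DNS records and says nothing on its own about the intent of the connecting host.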
 
  


All times are GMT -5.
