LinuxQuestions.org
Old 04-01-2016, 05:56 AM   #1
WiseDraco
Member
 
Registered: Nov 2006
Location: Europe,Latvia,Riga
Distribution: slackware,slax, OS X, exMandriva
Posts: 591

Rep: Reputation: 73
strange proftpd logs - slackware64, 14.1 ?


Hello!
I looked at the proftpd logfile yesterday and saw a strange thing:

Apr 01 11:47:34 sten proftpd[23235] 192.168.122.14 (80.250.56.157[80.250.56.157]): FTP session opened.
Apr 01 11:47:34 sten proftpd[23235] 192.168.122.14 (80.250.56.157[80.250.56.157]): FTP session closed.


56.157 looks like some attacker's real IP, but what is 122.14, and where is it from? :-O
My FTP server sits on a real IP on one of the network cards.
Another one, yes, has a 122 network with a class "C" mask, but at that time I had no .14 address in this internal network, and in any case, why does it appear in the proftpd log, and in conjunction with the 80.250.56.157 address? :-O
 
Old 04-03-2016, 02:57 AM   #2
WiseDraco
Member
 
Registered: Nov 2006
Location: Europe,Latvia,Riga
Distribution: slackware,slax, OS X, exMandriva
Posts: 591

Original Poster
Rep: Reputation: 73
Hm, really nobody has any idea why proftpd writes three IPs for one subject in the logs, what it can mean, and why some strange "grey" IP may appear there? :-O
 
Old 04-03-2016, 03:30 AM   #3
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,269
Blog Entries: 24

Rep: Reputation: 4196
Hello WiseDraco!

I looked into this earlier today but did not have any useful conclusions as I have not used proftpd in a very long time, so did not reply.

I found this page which has some info on the log format which may be helpful to you. I could not tell if it includes your specific log format but it does provide the format specifiers. Also here is a description of proftpd logging.

The 56.157 IP appears to be local to you, but I am sure you know that already. The only idea I had for the mystery 122 IP is maybe someone has access to your router and received that address via DHCP (wild guess), or maybe gave themselves the static address.

Do you have a VPN configured on your network, or running virtual machines which might account for the 122 address?

It might be helpful if you could provide a little more information on your interfaces and routing table, not sure I understand that from your description.

Last edited by astrogeek; 04-03-2016 at 03:49 AM. Reason: Added url
 
Old 04-03-2016, 06:44 PM   #4
mralk3
Slackware Contributor
 
Registered: May 2015
Distribution: Slackware
Posts: 1,902

Rep: Reputation: 1052
I would suggest that you check back in all of your logs for similar occurrences. With so little information it is difficult to determine the issue. I would do the following:
  • Update my passwords with new passwords; I like to use this to pick my passwords
  • Investigate your network design to find any holes in your firewall
  • Determine if your VPN or Wireless AP are still secure
  • Look for compromised hosts on your network.
  • Switch to Sftp or FTPS, since clear text passwords are just asking for trouble
  • Consider moving the FTP/FTPs/Sftp daemon into a jail
  • Try running rkhunter or chkrootkit as a quick determination of compromise

BUT, with so little information all of my suggestions are just good security practices for public facing services.
 
Old 04-04-2016, 01:38 AM   #5
WiseDraco
Member
 
Registered: Nov 2006
Location: Europe,Latvia,Riga
Distribution: slackware,slax, OS X, exMandriva
Posts: 591

Original Poster
Rep: Reputation: 73
Quote:
Originally Posted by astrogeek
Hello WiseDraco!

I looked into this earlier today but did not have any useful conclusions as I have not used proftpd in a very long time, so did not reply.

I found this page which has some info on the log format which may be helpful to you. I could not tell if it includes your specific log format but it does provide the format specifiers. Also here is a description of proftpd logging.

The 56.157 IP appears to be local to you, but I am sure you know that already.
I am totally unsure about this, really, because there is no internal routing from the outer world to a specific address in the 122 network.

And it looks from the logs that the 56.157 address is doing some scanning or trying some brute force on my services: on port 110, and on FTP there are attempts to connect with the username "admin". Really, of course, I do not have such an account.

If my server had already been compromised, I think there would no longer be such activity.

But I can't understand why the 122.14 address appears in the logs.

I have WiFi DHCP in that network, but it's WPA2 with a good password. I'll try to monitor the WiFi connections a bit, but I am pretty sure there are no "redundant" connections on my WiFi router... I'll try to dig a bit more in the logs today...

Quote:

The only idea I had for the mystery 122 IP is maybe someone has access to your router and received that address via DHCP (wild guess), or maybe gave themselves the static address.

Do you have a VPN configured on your network, or running virtual machines which might account for the 122 address?

It might be helpful if you could provide a little more information on your interfaces and routing table, not sure I understand that from your description.
No VPN, no virtual machines.

I'll send you my routing scheme by mail.

To mralk3: thank you too for the info and suggestions, but I am very unsure that I have been broken into. I'll try to investigate a bit more, although I do not much like spending time that way...
 
Old 04-04-2016, 02:05 AM   #6
WiseDraco
Member
 
Registered: Nov 2006
Location: Europe,Latvia,Riga
Distribution: slackware,slax, OS X, exMandriva
Posts: 591

Original Poster
Rep: Reputation: 73
OK, I dug around a bit and found that in the /var/log/secure file the entries appear as they should:

Mar 27 08:20:19 sten proftpd[5517]: connect from 80.250.56.157 (80.250.56.157)
Mar 27 08:20:49 sten proftpd[5521]: connect from 80.250.56.157 (80.250.56.157)


Looking again in the proftpd logfile, almost all connections there are actually preceded by the 122.14 address.

Found it in /etc/hosts. I can't remember why I wrote it there, or when:

127.0.0.1 localhost
192.168.122.14 sten.domain sten
127.0.0.1 myrealpurchaseddomain.su

Opportunistically, I want to ask here: what is the best practice for what to write there?
Is there really any need to write the domain names linked to this server?
If yes, is it better to write them with internal IPs, or with the external one for that server? (This server has one real IP for the outer world, and some internal ones for the internal NICs facing my local, internal networks.)

On that server I also have BIND running with authoritative zones, if that is important.
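An added example, not from the thread or from proftpd itself: a small Python parser for the log layout quoted above that splits each line into the server address, the client name/IP pair and the message, and checks the explanation reached in this post, that the 192.168.122.14 field is simply what /etc/hosts resolves the machine's own hostname to. The field layout, the constructed third log line and the 203.0.113.7 client address are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the ones quoted in the thread (203.0.113.7 is a documentation address).
PROFTPD_LOG = """\
Apr 01 11:47:34 sten proftpd[23235] 192.168.122.14 (80.250.56.157[80.250.56.157]): FTP session opened.
Apr 01 11:47:34 sten proftpd[23235] 192.168.122.14 (80.250.56.157[80.250.56.157]): FTP session closed.
Apr 01 11:52:10 sten proftpd[23301] 192.168.122.14 (203.0.113.7[203.0.113.7]): FTP session opened.
"""
# /etc/hosts as the original poster found it.
HOSTS = """\
127.0.0.1 localhost
192.168.122.14 sten.domain sten
127.0.0.1 myrealpurchaseddomain.su
"""
# Assumed layout: <ts> <syslog host> proftpd[<pid>] <server addr> (<client host>[<client ip>]): <msg>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) proftpd\[(?P<pid>\d+)\] "
    r"(?P<server>\S+) \((?P<client_host>[^\[]+)\[(?P<client_ip>[^\]]+)\]\): (?P<msg>.*)$"
)

def parse_log(text):
    """Split each proftpd log line into named fields; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def parse_hosts(text):
    """Map hostname -> address from /etc/hosts text (first mapping wins, as the resolver does)."""
    names = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            names.setdefault(name, fields[0])
    return names

def server_field_from_hosts(entry, hosts):
    """True when the logged 'server' address is just what /etc/hosts resolves the syslog hostname to."""
    return hosts.get(entry["host"]) == entry["server"]

def sessions_by_client(entries):
    """Per client IP: sessions opened/closed, and whether a reverse DNS name was ever logged."""
    stats = defaultdict(lambda: {"opened": 0, "closed": 0, "rdns": False})
    for e in entries:
        s = stats[e["client_ip"]]
        s["rdns"] = s["rdns"] or e["client_host"] != e["client_ip"]
        if e["msg"].startswith("FTP session "):
            s[e["msg"].split()[2].rstrip(".")] += 1
    return dict(stats)
```

A client whose name field merely repeats its IP had no reverse name when proftpd logged it, which is worth noting before treating the hostname column as an identity.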
 