LinuxQuestions.org


apache 07-14-2004 08:23 AM

Is someone trying to peek in to server ???
 
Hello All,
Today I checked my xferlogs and found a large number of lines like these in them.
Wed Jul 14 06:07:18 2004 0 x.x.x.x 45 /home/catchfil/public_html/images/doted1.gif b _ i r catchfil ftp 1 * c
Wed Jul 14 06:07:24 2004 0 x.x.x.x 871 /home/catchfil/public_html/images/text_work.gif b _ i r catchfil ftp 1 * c
Wed Jul 14 06:07:18 2004 0 x.x.x.x 45 /home/catchfil/public_html/images/doted1.gif b _ i r catchfil ftp 1 * c
Wed Jul 14 06:07:24 2004 0 x.x.x.x 871 /home/catchfil/public_html/images/text_work.gif b _ i r catchfil ftp 1 * c

What are these logs saying about FTP for that domain? I am also including what my messages log says.
Here are some messages I noticed:
Jul 3 14:00:36 server named[458]: denied AXFR from [128.232.0.31].44650 for "AUTOSURFERCASH.COM" (not master/slave)
Jul 3 14:00:37 server named[458]: denied AXFR from [128.232.0.31].44655 for "AUTOSURFERCASH.COM" (not master/slave)


Others are:
Jul 9 00:24:29 server proftpd[495]: server.xxx.com - received SIGHUP -- master server rehashing configuration file
**********
After that I see
Jul 8 06:41:12 server named[458]: reloading nameserver
Jul 8 06:41:12 server named[458]: Ready to answer queries.
Jul 8 06:41:44 server named[458]: reloading nameserver
Jul 8 06:41:44 server named[458]: Ready to answer queries.
Jul 8 06:48:20 server su: admin to root on /dev/ttyp0
Jul 8 07:05:19 server named[458]: reloading nameserver
Jul 8 07:05:19 server named[458]: Ready to answer queries.
Jul 8 07:06:05 server named[458]: reloading nameserver
Jul 8 07:06:05 server named[458]: master zone "abc.com" (IN) removed
Jul 8 07:06:05 server named[458]: Ready to answer queries.
Jul 8 07:06:05 server proftpd[495]: server.xxx.com - received SIGHUP -- master server rehashing configuration file

Anonymous FTP is already disabled. I think someone is trying to hack the server. Or what are all these messages?
Please help.
Thank you.

Donboy 07-14-2004 08:57 AM

Those proftpd logs look to me like somebody uploaded some files. I believe the lowercase i you're seeing on each line stands for "in" which means it was uploaded.

I don't know anything about named.
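
Added example (not part of the original thread): a small Python parser for the standard xferlog line layout, run on two of the lines from the first post, that decodes the direction (`i`), access-mode (`r`) and completion (`c`) columns and counts transfers per account and host. The function and variable names are this example's own; the `x.x.x.x` host is the redacted value as posted.

```python
from collections import Counter
from datetime import datetime

# Single-letter codes used in the xferlog direction, access-mode and status columns.
DIRECTION = {"i": "upload", "o": "download", "d": "delete"}
ACCESS = {"r": "real user", "a": "anonymous", "g": "guest"}
STATUS = {"c": "complete", "i": "incomplete"}

def parse_xferlog(line):
    """Split one xferlog line into named fields."""
    tok = line.split()
    if len(tok) < 18:
        raise ValueError("not an xferlog line: %r" % line)
    # 8 fixed tokens on the left, 9 on the right; whatever is left in the
    # middle is the file name, so a name containing spaces still parses.
    head, name, tail = tok[:8], tok[8:-9], tok[-9:]
    ttype, _flag, direction, access, user, service, _auth, _authid, status = tail
    return {
        "time": datetime.strptime(" ".join(head[:5]), "%a %b %d %H:%M:%S %Y"),
        "seconds": int(head[5]),
        "host": head[6],
        "bytes": int(head[7]),
        "path": " ".join(name),
        "binary": ttype == "b",
        "direction": DIRECTION.get(direction, direction),
        "access": ACCESS.get(access, access),
        "user": user,
        "service": service,
        "status": STATUS.get(status, status),
    }

def summarize(lines):
    """Count transfers per (user, access mode, direction, remote host)."""
    counts = Counter()
    for line in lines:
        if line.strip():
            r = parse_xferlog(line)
            counts[(r["user"], r["access"], r["direction"], r["host"])] += 1
    return counts

# Two lines copied from the first post (host already redacted there).
SAMPLE = [
    "Wed Jul 14 06:07:18 2004 0 x.x.x.x 45 /home/catchfil/public_html/images/doted1.gif b _ i r catchfil ftp 1 * c",
    "Wed Jul 14 06:07:24 2004 0 x.x.x.x 871 /home/catchfil/public_html/images/text_work.gif b _ i r catchfil ftp 1 * c",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```

On the posted lines this reports completed uploads made by the authenticated account `catchfil`, not by an anonymous login, so the remote host is the value to compare against the addresses that account's owner normally connects from.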

zaphodiv 07-16-2004 04:44 AM

Jul 3 14:00:36 server named[458]: denied AXFR from [128.232.0.31].44650 for "AUTOSURFERCASH.COM" (not master/slave)

You are running a nameserver that is accepting queries from the internet. If you don't want people to query it then stop running a nameserver or don't leave it accessible from the internet. This may cause whatever domain name it is answering queries for to stop working.

That IP address has the reverse DNS name dns-probe.srg.cl.cam.ac.uk. Read the website at that address for more information.

