LinuxQuestions.org

keysorsoze 05-09-2007 08:03 AM

Hack Attempt?
 
Hello, the following entries have been showing up in my logwatch reports each morning. Is this a bad sign of things to come? Is there something that we can do to stop or prevent this from happening again? Here is a snippet of the logwatch report.

**Unmatched Entries**
Address 66.9.9.2 maps to www.somedomain.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Address 66.9.9.2 maps to www.somedomain.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

coolb 05-09-2007 09:07 AM

The PTR records are wrong (or haven't been added) for that address. Get hold of the administrator for that IP space.

keysorsoze 05-09-2007 09:26 AM

Thanks for the reply, I figured this was some sort of attack because we get a lot of these entries in our logwatch reports.

coolb 05-09-2007 01:50 PM

Probably, that person with that IPv4 address is doing something... :)

rch1231 05-15-2007 01:41 AM

Take a look at /var/log/messages and see how many times they tried, and block the IP if necessary. You can find out who owns the IP at dnsstuff.com.

Capt_Caveman 05-18-2007 11:08 PM

It's also commonly seen with systems behind a NAT firewall, so it doesn't definitively mean something malicious by itself.

keysorsoze 05-18-2007 11:32 PM

Hi guys, thanks for all the responses. I found out that our DNS server did not have a PTR record or reverse back to our domain for one of our DR servers. That was causing this error. I removed the entry and now everything is peachy. Thanks for the help.
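
The two checks discussed in this thread (counting how often the warning appears per address, and testing whether an address's PTR name resolves back to it), as an added example that is not part of any poster's reply. The sample log lines reuse the thread's entry; the DNS tables, the 192.0.2.x addresses and the example.com name are constructed, and the lookups are IPv4 only.

```python
import re
import socket
from collections import Counter

# The warning text quoted in the thread's logwatch report.
PATTERN = re.compile(
    r"Address (?P<ip>\S+) maps to (?P<name>\S+), "
    r"but this does not map back to the address")

def count_mismatches(lines):
    """Count warnings per (address, claimed hostname) pair."""
    hits = Counter()
    for line in lines:
        m = PATTERN.search(line)
        if m:
            hits[(m["ip"], m["name"])] += 1
    return hits

def system_reverse(ip):
    """PTR lookup through the system resolver; None if there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """A lookup through the system resolver; empty set if it fails."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def fcrdns(ip, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS: PTR(ip) gives a name whose A records must include ip."""
    name = reverse(ip)
    if name is None:
        return "no-ptr"
    return "ok" if ip in forward(name) else "mismatch"

# Constructed sample data so the example runs offline.
SAMPLE_LOG = 2 * ["Address 66.9.9.2 maps to www.somedomain.com, but this does "
                  "not map back to the address - POSSIBLE BREAK-IN ATTEMPT!"]
SAMPLE_PTR = {"66.9.9.2": "www.somedomain.com", "192.0.2.10": "dr1.example.com"}
SAMPLE_A = {"www.somedomain.com": {"192.0.2.50"}, "dr1.example.com": {"192.0.2.10"}}

if __name__ == "__main__":
    for (ip, name), n in count_mismatches(SAMPLE_LOG).items():
        status = fcrdns(ip, SAMPLE_PTR.get, lambda h: SAMPLE_A.get(h, set()))
        print(f"{ip} ({name}): {n} warnings, DNS check: {status}")
```

Calling `fcrdns(ip)` with no other arguments uses the system resolver instead of the constructed tables.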


All times are GMT -5.