Hack Attempt?
Hello, the following entries have been showing up in my logwatch reports each morning. Is this a bad sign to come? Is there something that we can do to stop or prevent this from happening again? Here is a snippet of the logwatch report.
**Unmatched Entries**

Address 66.9.9.2 maps to www.somedomain.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Address 66.9.9.2 maps to www.somedomain.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
|
The PTR records are wrong (or haven't been added) for that address. Get hold of the administrator for that IP space.
|
Thanks for the reply. I figured this was some sort of attack because we get a lot of these entries in our logwatch reports.
|
Probably, that person with that IPv4 address is doing something... :)
|
Take a look at /var/log/messages and see how many times they tried, and block the IP if necessary. You can find out who owns the IP at dnsstuff.com.
|
It's also commonly seen with systems behind a NAT firewall, so it doesn't definitively mean something malicious by itself.
|
Hi guys, thanks for all the responses. I found out that our DNS server did not have a PTR record or reverse back to our domain for one of our DR servers. That was causing this error. I removed the entry and now everything is peachy. Thanks for the help.
|
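An added example, not part of any post in this thread: a Python sketch of the triage suggested above, counting attempts per address before deciding to block, and separating addresses that only trip the reverse-mapping warning (as with the missing PTR record). The log lines are constructed samples in sshd's syslog format, and the `triage` function and its verdict strings are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sshd syslog lines using documentation addresses (not from the thread).
SAMPLE_LOG = """\
Mar  3 04:11:02 host sshd[2101]: Address 192.0.2.10 maps to dr1.example.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar  3 04:11:05 host sshd[2101]: Accepted publickey for backup from 192.0.2.10 port 40022 ssh2
Mar  3 04:20:41 host sshd[2150]: Address 198.51.100.7 maps to www.example.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar  3 04:20:43 host sshd[2150]: Failed password for invalid user admin from 198.51.100.7 port 51514 ssh2
Mar  3 04:20:47 host sshd[2153]: Address 198.51.100.7 maps to www.example.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar  3 04:20:49 host sshd[2153]: Failed password for root from 198.51.100.7 port 51530 ssh2
Mar  3 05:02:10 host sshd[2201]: Failed password for root from 203.0.113.5 port 40110 ssh2
"""

MISMATCH = re.compile(r"Address (\S+) maps to ([^,\s]+), but this does not map back")
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")
ACCEPTED = re.compile(r"Accepted \S+ for \S+ from (\S+) port")


def triage(log_text):
    """For each address that triggered the warning, return counts and a verdict."""
    stats = defaultdict(lambda: {"warnings": 0, "failed": 0, "accepted": 0})
    patterns = (("warnings", MISMATCH), ("failed", FAILED), ("accepted", ACCEPTED))
    for line in log_text.splitlines():
        for key, pattern in patterns:
            m = pattern.search(line)
            if m:
                stats[m.group(1)][key] += 1
    report = {}
    for addr, s in stats.items():
        if not s["warnings"]:
            continue  # this report covers only reverse-mapping warnings
        if s["failed"] and not s["accepted"]:
            verdict = "failed logins only: candidate for blocking"
        elif s["failed"]:
            verdict = "mixed results: review manually"
        else:
            verdict = "no failed logins: check PTR and forward DNS records"
        report[addr] = dict(s, verdict=verdict)
    return report


if __name__ == "__main__":
    for addr, row in sorted(triage(SAMPLE_LOG).items()):
        print(addr, row)
```

To run it against a real log, pass the file's contents to `triage` instead of `SAMPLE_LOG`.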