05-09-2007, 09:03 AM, #1
Member
Registered: Apr 2004
Location: Queens, NY
Distribution: Red Hat, Solaris
Posts: 295
Hack Attempt?
Hello, the following entries have been showing up in my logwatch reports each morning. Is this a bad sign of things to come? Is there something we can do to stop or prevent this from happening again? Here is a snippet of the logwatch report.
**Unmatched Entries**
Address 66.9.9.2 maps to www.somedomain.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Address 66.9.9.2 maps to www.somedomain.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
05-09-2007, 10:07 AM, #2
Member
Registered: Apr 2006
Location: Cape Town, South Africa
Distribution: Gentoo 2006.1 (2.6.17-gentoo-r7)
Posts: 222
The PTR records are wrong (or haven't been added) for that address. Get hold of the administrator for that IP space.
05-09-2007, 10:26 AM, #3
Member
Registered: Apr 2004
Location: Queens, NY
Distribution: Red Hat, Solaris
Posts: 295
Original Poster
Thanks for the reply. I figured this was some sort of attack because we get a lot of these entries in our logwatch reports.
05-09-2007, 02:50 PM, #4
Member
Registered: Apr 2006
Location: Cape Town, South Africa
Distribution: Gentoo 2006.1 (2.6.17-gentoo-r7)
Posts: 222
Probably; that person with that IPv4 address is doing something...
05-15-2007, 02:41 AM, #5
Member
Registered: Mar 2007
Location: Bedford, Texas
Posts: 31
Take a look at /var/log/messages and see how many times they tried, and block the IP if necessary. You can find out who owns the IP at dnsstuff.com.
05-19-2007, 12:08 AM, #6
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
It's also commonly seen with systems behind a NAT firewall, so it doesn't definitively mean something malicious by itself.
05-19-2007, 12:32 AM, #7
Member
Registered: Apr 2004
Location: Queens, NY
Distribution: Red Hat, Solaris
Posts: 295
Original Poster
Hi guys, thanks for all the responses. I found out that our DNS server did not have a PTR record or reverse back to our domain for one of our DR servers. That was causing this error. I removed the entry and now everything is peachy. Thanks for the help.
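An added example (not code from this thread or from any poster) of the check behind the message in the first post and the PTR explanation in post #2: sshd looks up the PTR for the connecting address, resolves the resulting name forward, and logs the warning when the original address is not among the answers (forward-confirmed reverse DNS). The script also counts the warning per address from a logwatch-style excerpt, as post #5 suggests; the stub zone data and sample report are constructed to mirror the thread's case, and the `system_*` functions are assumed helpers that use the local resolver when no stubs are passed.

```python
import re
import socket
from collections import Counter

# sshd's reverse-mapping warning, as logwatch lists it under "Unmatched Entries".
LINE_RE = re.compile(r"Address (?P<addr>\S+) maps to (?P<host>\S+), but this "
                     r"does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!")

def parse_logwatch(text):
    """Count the warning per (address, hostname) so repeat sources stand out."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[(m.group("addr"), m.group("host"))] += 1
    return counts

def system_reverse(addr):
    """PTR lookup with the system resolver; None when the address has no PTR."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_forward(host):
    """A/AAAA lookup with the system resolver; empty set when the name fails."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def fcrdns(addr, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS, the check behind sshd's warning. Returns
    (status, hostname): 'ok' if the PTR name resolves back to addr, 'no-ptr' if
    there is no PTR, 'mismatch' if the name's forward records omit addr."""
    host = reverse(addr)
    if host is None:
        return "no-ptr", None
    return ("ok" if addr in forward(host) else "mismatch"), host

# Constructed stub zone data mirroring the thread (not real DNS answers):
# 66.9.9.2 has a PTR to www.somedomain.com, whose A record is another address.
STUB_PTR = {"66.9.9.2": "www.somedomain.com", "198.51.100.7": "mail.example.net"}
STUB_A = {"www.somedomain.com": {"198.51.100.7"}, "mail.example.net": {"198.51.100.7"}}
stub_reverse = STUB_PTR.get
stub_forward = lambda host: STUB_A.get(host, set())

# Constructed logwatch excerpt with the same shape as the one in the first post.
SAMPLE_REPORT = 2 * ("Address 66.9.9.2 maps to www.somedomain.com, but this does "
                     "not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\n")
```

Calling `fcrdns("66.9.9.2")` without the stubs runs the same check against the live resolver, which is how to confirm whether a PTR or its forward record has been fixed.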