LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-05-2005, 06:20 PM   #1
ru916b
LQ Newbie
 
Registered: Dec 2004
Posts: 2

Rep: Reputation: 0
how to read log watch


Hi,

Recently lots of websites running phpbb got hacked. My dedicated server was attacked too.

While I am still searching around for the impact, I am now reading the daily email for logwatch more closely.

I saw following suspicious ftp connections in logwatch. Could someone give me any porinter on what they mean ?

Thank you very much in advance.


(I don't know the IP of 172.179.179.180 , 82.212.146.230 and sure dont allow it for ftp, but it looks it successfully connected. Actually I have stopped all my ftp service.

But it looks some ftp services will be started by inet.d on demand when there is client. How to track this down? e.g which account did he use to connect ?

Here is part of my daily logwatch email excerpt.


--------------------- proftpd-messages Begin ------------------------


**Unmatched Entries**
www.mydomain.com (82-212-146-230.teledisnet.be[82.212.146.230]) - no such user
'anonymous@ftp.microsoft.com'

www.mydomain.com (82-212-146-230.teledisnet.be[82.212.146.230]) - FTP no transfer timeout, disconnected

---------------------- proftpd-messages End -------------------------




--------------------- Connections (secure-log) Begin ------------------------


Connections:
Service ftp:
172.179.179.180: 17 Time(s)

**Unmatched Entries**
xinetd[3276]: START: sgi_fam pid=29861 from=<no address>
xinetd[3276]: START: sgi_fam pid=29866 from=<no address>
xinetd[3276]: START: sgi_fam pid=29871 from=<no address>
xinetd[3276]: START: sgi_fam pid=29900 from=<no address>
xinetd[3276]: START: sgi_fam pid=29922 from=<no address>

---------------------- Connections (secure-log) End -------------------------

Last edited by ru916b; 01-05-2005 at 06:28 PM.
 
Old 01-05-2005, 10:55 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
The sgi_fam/xinetd entries are probably unrelated to the ftp log entries. This entry looks like someone attempting an anonymous login (anonymous logins usually require you to enter an email address) which failed:
Code:
www.mydomain.com (82-212-146-230.teledisnet.be[82.212.146.230]) - no such user
'anonymous@ftp.microsoft.com'
How do you have your ftp configured (Does it allow anonymous access or does it require authentication)? What do you see in /var/log/xferlog ? Any abnormal log messages in the system logs?

To see what network services are running use: netstat -pantu
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Linux Watch vs BSD Watch blueCow *BSD 4 08-16-2009 05:35 PM
using watch to make a log? slinky2004 Linux - General 2 11-22-2005 12:37 PM
Does cron have a log I can read? ivj Linux - Software 2 08-18-2005 06:23 PM
read system log online Agent007 Programming 3 01-10-2004 08:59 AM
Strange Log Watch entry magyartoth Linux - General 4 06-07-2002 10:46 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:36 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration