IPs logged as D.C.B.A and some times A.B.C.D how to find which format is logged
I see two different types of log messages in my /var/log/auth.log file.
one is
Quote:
reverse mapping checking getaddrinfo for dnet-217003.sby.dnet.net.id [115.69.217.3] failed - POSSIBLE BREAK-IN ATTEMPT!
and another is
Quote:
reverse mapping checking getaddrinfo for client-200.121.135.240.speedy.net.pe [240.135.121.200] failed - POSSIBLE BREAK-IN ATTEMPT!
In the second log the IP address from where the connection originated was
240.135.121.200
Now the log of type 1 above is also present, and at some places the log of type 2.
If you note the IP logged in both cases, type 1 is logged as
Quote:
115.69.217.3
and type 2 logged as
Quote:
200.121.135.240.speedy.net.pe
In type 2 the IP actually was 240.135.121.200,
which is recorded in reverse fashion.
So like this, at many places the order in which it is recorded is reversed.
My problem is: looking at the logs, how do I find the IP from where the connection originated, when is it logged as
A.B.C.D
and when is it logged as D.C.B.A?
I am not sure from the log of type 1 I quoted above
whether the IP I should block should be
115.69.217.3
or
3.217.69.115
I don't see any issue there at all. The "reverse" IP address, "200.121.135.240.speedy.net.pe", is clearly NOT an IP address but a hostname, which is totally arbitrary, based upon the practices of the ISP. The detail in the square brackets is the real IP address; there is no logical conflict here at all. It is NEVER logged as "D.C.B.A".
Last edited by acid_kewpie; 10-27-2010 at 02:11 AM.
I have no idea what you're trying to achieve here. There is no problem to solve.
g 17:51:48 sshd[13917]: Invalid user admin from 220.80.107.196
g 17:51:57 sshd[13942]: Invalid user admin from 220.80.107.196
g 17:52:05 sshd[13965]: Invalid user test from 220.80.107.196
g 17:52:13 sshd[13986]: Invalid user test from 220.80.107.196
g 17:52:20 sshd[14009]: Invalid user user from 220.80.107.196
g 17:52:28 sshd[14029]: Invalid user user from 220.80.107.196
g 17:52:36 sshd[14050]: Invalid user user1 from 220.80.107.196
g 17:52:44 sshd[14071]: Invalid user user1 from 220.80.107.196
g 17:52:52 sshd[14092]: Invalid user user1 from 220.80.107.196
g 17:53:00 sshd[14112]: Invalid user user from 220.80.107.196
g 17:53:07 sshd[14133]: Invalid user user1 from 220.80.107.196
sshd[12626]: Did not receive identification string from 220.80.107.196
In the above log you see the person with the above IP was trying different user names, and in the last line I read "Did not receive identification string".
So some logs are
Invalid user user1 from 220.80.107.196
while some are
Did not receive identification string from 220.80.107.196
both from the same IP. I want to know, looking at the above logs, what I can deduce:
1) The person was trying different user names on ssh
2) What can I infer from this log
Quote:
Did not receive identification string from 220.80.107.196
The "Did not receive" messages are probably just dumb port scans. An ssh client will, on connection, tell the server what program it is. A port scan won't bother doing this.
Ok, you mean to say that the "Did not receive" line means the attacker did not even try a password for some fake account, and getting frustrated over whatever password he tried, he scanned what service is open at that port?
Well that's not been mentioned at all in the original post. If you wish to expand on that with sample logs etc then we may be able to comment.
Hi, when I had started this thread I missed those logs (in fact I did see them but was unable to locate them); today I got the logs which do not have square braces.
Code:
Nov 18 17:48:20 somedomain sshd[32092]: Address 123.30.187.11 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 17:48:22 somedomain sshd[32097]: Address 123.30.187.11 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 17:48:23 somedomain sshd[32103]: Address 123.30.187.11 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 17:48:24 somedomain sshd[32107]: Address 123.30.187.11 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 17:48:25 somedomain sshd[32116]: Address 123.30.187.11 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Here it is I am not sure if you are still reading the thread.
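As an added example (not code from this thread or from sshd), a small Python parser that pulls the real source IP out of the three sshd message forms quoted above (the square-bracket "reverse mapping checking" line, the "Address X maps to ..." line, and the "Invalid user" / "Did not receive identification string" lines) and tallies them per address, which is what you need before deciding what to block. The sample lines are constructed from the ones quoted in the thread; the hostname in the reverse-mapping message is deliberately ignored because it is ISP-chosen text, not an address.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the three sshd formats seen in this thread.
SAMPLE_LOG = """\
Nov 18 17:48:20 somedomain sshd[32092]: reverse mapping checking getaddrinfo for client-200.121.135.240.speedy.net.pe [240.135.121.200] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 17:48:21 somedomain sshd[32093]: Address 123.30.187.11 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 17:51:48 somedomain sshd[13917]: Invalid user admin from 220.80.107.196
Nov 18 17:51:57 somedomain sshd[13942]: Invalid user test from 220.80.107.196
Nov 18 17:52:05 somedomain sshd[12626]: Did not receive identification string from 220.80.107.196
"""

# Each pattern captures the real source address as its LAST group; the
# hostname in the reverse-mapping message is skipped (\S+) on purpose.
PATTERNS = {
    "reverse_dns_mismatch": re.compile(r"reverse mapping checking getaddrinfo for \S+ \[([\d.]+)\] failed"),
    "forward_dns_mismatch": re.compile(r"Address ([\d.]+) maps to \S+, but this does not map back"),
    "invalid_user": re.compile(r"Invalid user (\S+) from ([\d.]+)"),
    "no_ident_string": re.compile(r"Did not receive identification string from ([\d.]+)"),
}


def classify(line):
    """Return (event_type, source_ip, username_or_None), or None if the line is not one of the four forms."""
    for kind, pat in PATTERNS.items():
        m = pat.search(line)
        if m:
            ip = m.group(m.lastindex)  # the address is always the last capture group
            user = m.group(1) if kind == "invalid_user" else None
            return kind, ip, user
    return None


def summarize(log_text):
    """Count events per source IP and collect the usernames tried from each IP."""
    events = defaultdict(Counter)
    users = defaultdict(set)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        kind, ip, user = hit
        events[ip][kind] += 1
        if user:
            users[ip].add(user)
    return {ip: dict(c) for ip, c in events.items()}, {ip: sorted(u) for ip, u in users.items()}


if __name__ == "__main__":
    per_ip, tried = summarize(SAMPLE_LOG)
    for ip, counts in per_ip.items():
        print(ip, counts, "usernames tried:", tried.get(ip, []))
```

Feed it the real file with `summarize(open("/var/log/auth.log").read())`; a source with many `invalid_user` hits and several distinct usernames is a password-guessing run, while `no_ident_string` alone is consistent with the scan-only behaviour described in the reply above.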