Logwatch error or possible crack attempt?

James Wilkinson james at westexe.demon.co.uk
Sun Sep 26 08:13:04 UTC 2004


Lorn Miller wrote:
> Logwatch for Sep 22
> <cut>
> 
> vsftpd:
>    Unknown Entries:
>       authentication failure; logname= uid=0 euid=0 tty= ruser=
> rhost=80.141.233.183 : 16 Time(s)
>       check pass; user unknown: 16 Time(s)
> <cut>
> Is there a local process that would do that or did someone try to get
> into my ftp server 16 times?

Patrick Boutilier wrote:
> Somebody from 80.141.233.183 .

[james at howells james]$ whois 80.14.123.183
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Whois secondary server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
 
inetnum:      80.14.123.0 - 80.14.123.255
netname:      IP2000-ADSL-BAS
descr:        BSNAN106 Nantes Bloc1
country:      FR
admin-c:      WITR1-RIPE
tech-c:       WITR1-RIPE
status:       ASSIGNED PA
remarks:      for hacking, spamming or security problems send mail to
remarks:      postmaster at wanadoo.fr AND abuse at wanadoo.fr
mnt-by:       FT-BRX
changed:      gestionip.ft at francetelecom.com 20020311
changed:      gestionip.ft at francetelecom.com 20020708
changed:      gestionip.ft at francetelecom.com 20030318
source:       RIPE

I've snipped the rest: this is the important bit.

Or:

[james at howells james]$ dig -x 80.14.123.183
 
; <<>> DiG 9.2.3 <<>> -x 80.14.123.183
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30337
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;183.123.14.80.in-addr.arpa.    IN      PTR
 
;; ANSWER SECTION:
183.123.14.80.in-addr.arpa. 172741 IN   PTR     ANantes-106-1-10-183.w80-14.abo.wanadoo.fr.
 
;; Query time: 33 msec
;; SERVER: 192.168.0.254#53(192.168.0.254)
;; WHEN: Sun Sep 26 09:10:20 2004
;; MSG SIZE  rcvd: 100

Either way, it's someone using ADSL from the Nantes area of France.

If that's all you see, I'd let it be. If you have reason to believe that
they're being determined or a pain in the neck, you *could* try sending
all relevant logs to the abuse address mentioned.

Or just permanently firewall them.

James.
-- 
E-mail address: james | So what would happen if an Enterprise security team,
@westexe.demon.co.uk  | who always get killed soon after appearing, fought a
                      | squad of Imperial Stormtroopers, who can't hit the
                      | broad side of a planet?
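
An added example, not part of James's message or the thread: a short Python pass over the raw syslog lines behind a Logwatch summary like the one quoted above, grouping pam_unix authentication failures by service and rhost so that a remote source can be told apart from a local process. The log lines and addresses are constructed, and the `service(pam_unix)[pid]:` line layout and the `summarise` function are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed pam_unix syslog layout); the addresses
# are from documentation ranges, not from the thread.
SAMPLE_LOG = """\
Sep 22 03:14:01 ftp1 vsftpd(pam_unix)[4101]: check pass; user unknown
Sep 22 03:14:01 ftp1 vsftpd(pam_unix)[4101]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.7
Sep 22 03:14:04 ftp1 vsftpd(pam_unix)[4102]: check pass; user unknown
Sep 22 03:14:04 ftp1 vsftpd(pam_unix)[4102]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.7
Sep 22 03:14:09 ftp1 vsftpd(pam_unix)[4103]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.7  user=alice
Sep 22 09:30:12 ftp1 vsftpd(pam_unix)[5200]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.20  user=bob
Sep 22 10:02:45 ftp1 su(pam_unix)[5311]: authentication failure; logname=carol uid=500 euid=0 tty=pts/1 ruser=carol rhost=  user=root
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ "
                  r"(?P<svc>[\w-]+)\(pam_unix\)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
RHOST = re.compile(r"\brhost=(\S*)")

def summarise(log_text, threshold=3):
    """Group pam_unix authentication failures by (service, source)."""
    unknown = set()  # (service, pid) pairs whose last check hit a nonexistent user
    stats = defaultdict(lambda: {"failures": 0, "unknown_user": 0,
                                 "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proc = (m["svc"], m["pid"])
        if m["msg"].startswith("check pass; user unknown"):
            unknown.add(proc)
        elif m["msg"].startswith("authentication failure;"):
            rhost = RHOST.search(m["msg"])
            # An empty rhost= means the attempt did not come over the network.
            source = (rhost.group(1) if rhost else "") or "(local)"
            entry = stats[(m["svc"], source)]
            entry["failures"] += 1
            if proc in unknown:      # pair the failure with its "user unknown" line
                entry["unknown_user"] += 1
                unknown.discard(proc)
            entry["first"] = entry["first"] or m["ts"]
            entry["last"] = m["ts"]
    for entry in stats.values():
        entry["flag"] = entry["failures"] >= threshold  # repeated-failure marker
    return dict(stats)

if __name__ == "__main__":
    for (svc, src), entry in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{svc:8} {src:15} {entry}")
```

A source with many failures that are mostly for unknown users is guessing at account names; a single failure for a real account is more likely a typo.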




