Security Incidents mailing list archives

Re: Connection Attempts


From: Kevin.Reardon () oracle com
Date: Tue, 15 Jan 2002 09:53:22 -0800

I think you should treat this like the other attempts you are getting.  You can
also try to call them up and ask them what is going on.  I'm sure that if they
have a rogue in their midst, they would like to know and stop whoever it is.


---K

Jeremy Hoover wrote:

Today I was going through my server logs.  And I came across this.

Jan 14 11:46:51 penguin ftp(pam_unix)[7256]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=63.240.xxx.xxx
Jan 14 11:46:53 penguin ftpd: 63.240.xxx.xxx: connected: IDLE
$
Jan 14 11:47:06 penguin ftp(pam_unix)[7256]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=63.240.xxx.xxx  user=xxxxxx
Jan 14 11:47:09 penguin ftpd: 63.240.xxx.xxx: connected: IDLE
$
Jan 14 11:47:22 penguin ftp(pam_unix)[7256]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=63.240.xxx.xxx  user=xxxxxx
Jan 14 11:47:24 penguin ftpd: 63.240.xxx.xxx: connected: IDLE
$
Jan 14 11:47:35 penguin ftp(pam_unix)[7256]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=63.240.xxx.xxx  user=xxxxxx
Jan 14 11:47:37 penguin ftpd: 63.240.xxx.xxx: connected: IDLE
$
Jan 14 11:47:47 penguin ftpd: 63.240.xxx.xxx: connected: IDLE
$
Jan 14 11:47:47 penguin ftp(pam_unix)[7256]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=63.240.xxx.xxx  user=root
Jan 14 11:47:49 penguin ftpd: 63.240.xxx.xxx: connected: IDLE
$
Jan 14 11:47:49 penguin ftpd: 63.240.xxx.xxx: connected: IDLE

Normally this wouldn't be a problem, get tons of them every day except this
attempt is coming from one of our Competing Corporations.
On Dec. 26th, I found a syn flood coming from the same ip.   What actions
should I take?  What kind of legal matters are involved in
this.  As I dig deeper, I keep finding connection attempts.  There is NO
reason for them to be trying to access our servers.

Thanks for any help.
Jeremy Hoover

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
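
An added example, not part of either message above: one way to turn wrapped pam_unix log excerpts like the one quoted into a per-host record of failed logins (count, first and last timestamp, user names tried) that can be kept as evidence or handed to the other party's abuse contact. The sample log is constructed (documentation-range address, invented user name), and the function names `unwrap` and `summarize` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the excerpt in the post
# (address from the 192.0.2.0/24 documentation range, user name invented).
SAMPLE = """\
Jan 14 11:46:51 penguin ftp(pam_unix)[7256]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Jan 14 11:46:53 penguin ftpd: 192.0.2.10: connected: IDLE
$
Jan 14 11:47:06 penguin ftp(pam_unix)[7256]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10  user=alice
Jan 14 11:47:47 penguin ftp(pam_unix)[7256]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10  user=root
Jan 14 11:47:49 penguin ftpd: 192.0.2.10: connected: IDLE
"""

# A syslog record starts with "Mon DD HH:MM:SS "; anything else is a wrapped tail.
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
FAIL = re.compile(r"^(?P<ts>\w{3} [ \d]\d [\d:]{8}) \S+ \w+\(pam_unix\)\[\d+\]: "
                  r"authentication failure;.*?rhost=(?P<rhost>\S+)(?:\s+user=(?P<user>\S+))?")

def unwrap(text):
    """Rejoin records that were wrapped onto a second line when pasted."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "$":      # lone "$" lines, as in the excerpt, carry no data
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line    # continuation of the previous record
    return records

def summarize(text):
    """Per remote host: failure count, first/last timestamp, user names tried."""
    hosts = defaultdict(lambda: {"failures": 0, "first": None, "last": None, "users": set()})
    for rec in unwrap(text):
        m = FAIL.match(rec)
        if not m:
            continue                     # e.g. the ftpd "connected: IDLE" lines
        h = hosts[m["rhost"]]
        h["failures"] += 1
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
        if m["user"]:                    # the first failure in the excerpt has no user= field
            h["users"].add(m["user"])
    return dict(hosts)

if __name__ == "__main__":
    for host, h in summarize(SAMPLE).items():
        print(host, h["failures"], h["first"], h["last"], sorted(h["users"]))
```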
