Thread: Website users?
Old 19th December 2005, 17:14
ctroyp ctroyp is offline
Senior Member
 
Join Date: Sep 2005
Posts: 292
Thanks: 3
Thanked 2 Times in 1 Post

Quote:
Originally Posted by falko
Which FTP server do you use? Proftpd or Vsftpd?
Is there anything in the logs?
Proftpd (Debian 3.1 Perfect Setup).

I found this in /var/log/daemon.log:

The first session [416] is from a non-admin user logging in to web-ftp successfully.

The second ftp session [449] is from my admin user logging in to web-ftp unsuccessfully. This is when it ends my ISPConfig session.

The third ftp session is from an unknown source. Someone trying to get in I guess. Starting with the [449] there were a total of 150+ attempts. Is this common?

Code:
Dec 19 09:30:18 server1 proftpd[416]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 09:30:18 server1 proftpd[416]: server1.strec.com (localhost.localdomain[127.0.0.1]) - mod_delay/0.4: delaying for 8 usecs 
Dec 19 09:30:18 server1 proftpd[416]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 09:30:29 server1 proftpd[449]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 09:30:29 server1 proftpd[449]: server1.strec.com (localhost.localdomain[127.0.0.1]) - mod_delay/0.4: delaying for 1 usecs 
Dec 19 09:30:29 server1 proftpd[449]: server1.strec.com (localhost.localdomain[127.0.0.1]) - mod_delay/0.4: delaying for 108 usecs 
Dec 19 09:30:57 server1 proftpd[449]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 09:43:43 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - FTP session opened. 
Dec 19 09:43:43 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - mod_delay/0.4: delaying for 78 usecs 
Dec 19 09:43:43 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - no such user 'Administrator' 
Dec 19 09:43:43 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - mod_delay/0.4: delaying for 5359 usecs 
Dec 19 09:43:43 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - mod_delay/0.4: delaying for 173 usecs 
Dec 19 09:43:44 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - no such user 'Administrator' 
Dec 19 09:43:44 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - mod_delay/0.4: delaying for 5569 usecs 
Dec 19 09:43:44 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - mod_delay/0.4: delaying for 171 usecs 
Dec 19 09:43:44 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - no such user 'Administrator' 
Dec 19 09:43:44 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - FTP session closed. 

and on and on...
Also there are many entries where a session opens and closes (about every 30 minutes). Is this correct?
Code:
Dec 19 02:00:01 server1 proftpd[26864]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 02:00:01 server1 proftpd[26864]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 02:30:01 server1 proftpd[27254]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 02:30:01 server1 proftpd[27254]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 03:00:02 server1 proftpd[27650]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 03:00:02 server1 proftpd[27650]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 03:30:01 server1 proftpd[28036]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 03:30:01 server1 proftpd[28036]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 04:00:01 server1 proftpd[28419]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 04:00:02 server1 proftpd[28419]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 04:30:01 server1 proftpd[28875]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 04:30:01 server1 proftpd[28875]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 05:00:01 server1 proftpd[29253]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 05:00:01 server1 proftpd[29253]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 05:30:01 server1 proftpd[29632]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 05:30:01 server1 proftpd[29632]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 06:00:01 server1 proftpd[30009]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 06:00:01 server1 proftpd[30009]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 06:30:02 server1 proftpd[30512]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 06:30:02 server1 proftpd[30512]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 06:53:24 server1 proftpd[30805]: server1.strec.com (gate.frodos.fi[192.89.219.100]) - FTP session opened. 
Dec 19 06:53:24 server1 proftpd[30805]: server1.strec.com (gate.frodos.fi[192.89.219.100]) - FTP session closed. 
Dec 19 07:00:01 server1 proftpd[30891]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 07:00:01 server1 proftpd[30891]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 07:30:01 server1 proftpd[31270]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 07:30:01 server1 proftpd[31270]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 08:00:01 server1 proftpd[31647]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 08:00:01 server1 proftpd[31647]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 08:21:47 server1 proftpd[31927]: server1.strec.com (ACB1F122.ipt.aol.com[172.177.241.34]) - FTP session opened. 
Dec 19 08:21:48 server1 proftpd[31927]: server1.strec.com (ACB1F122.ipt.aol.com[172.177.241.34]) - mod_delay/0.4: delaying for 85 usecs 
Dec 19 08:21:48 server1 proftpd[31927]: server1.strec.com (ACB1F122.ipt.aol.com[172.177.241.34]) - no such user 'anonymous' 
Dec 19 08:21:48 server1 proftpd[31927]: server1.strec.com (ACB1F122.ipt.aol.com[172.177.241.34]) - mod_delay/0.4: delaying for 6252 usecs 
Dec 19 08:21:48 server1 proftpd[31927]: server1.strec.com (ACB1F122.ipt.aol.com[172.177.241.34]) - FTP session closed. 
Dec 19 08:30:01 server1 proftpd[32033]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 08:30:01 server1 proftpd[32033]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 09:00:01 server1 proftpd[32417]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 09:00:01 server1 proftpd[32417]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed.
Furthermore, here are the corresponding entries from the auth.log for the two login attempts from web-ftp. It looks like the admin account does login successfully, but gets booted shortly after:
Code:
Dec 19 09:30:18 server1 proftpd: (pam_unix) session opened for user web2_ctp by (uid=0)
Dec 19 09:30:18 server1 proftpd[416]: server1.strec.com (localhost.localdomain[127.0.0.1]) - USER web2_ctp: Login successful. 
Dec 19 09:30:18 server1 proftpd: (pam_unix) session closed for user web2_ctp
Dec 19 09:30:29 server1 proftpd: (pam_unix) session opened for user web2_admin by (uid=0)
Dec 19 09:30:29 server1 proftpd[449]: server1.strec.com (localhost.localdomain[127.0.0.1]) - USER web2_admin: Login successful. 
Dec 19 09:30:57 server1 proftpd: (pam_unix) session closed for user web2_admin
Dec 19 09:39:01 server1 CRON[577]: (pam_unix) session opened for user root by (uid=0)
Dec 19 09:39:01 server1 CRON[577]: (pam_unix) session closed for user root
I also found something interesting. Due to the fact that I kept getting hit from the unknown user, I decided to stop the proftpd service. I did so and confirmed that the user attempts ceased. I then started up the service and got this error:
Code:
server1:~# /etc/init.d/proftpd start
Starting ProFTPD ftp daemon:  - warning: "ProFTPD" address/port (192.168.2.50:21) already in use by "Debian"
proftpd.

Last edited by ctroyp; 19th December 2005 at 17:31.
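An added example, not code from this thread or from ProFTPD/ISPConfig, that parses lines in the daemon.log format quoted above, counts the "no such user" rejections per remote address so repeated guessing like session [654] stands out, and separates those from the half-hourly localhost open/close sessions. The sample lines are constructed in the same format; hostnames and addresses in them are placeholders.

```python
import re
from collections import Counter, defaultdict

# Regex for the proftpd daemon.log lines quoted in the post:
#   "Dec 19 09:43:43 server1 proftpd[654]: server1.strec.com (host[ip]) - message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[(?P<pid>\d+)\]: "
    r"\S+ \((?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]\) - (?P<msg>.*?)\s*$"
)
# Constructed sample lines in the same format; hosts and addresses are placeholders.
SAMPLE_LOG = """\
Dec 19 09:00:01 server1 proftpd[32417]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened.
Dec 19 09:00:01 server1 proftpd[32417]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed.
Dec 19 09:43:43 server1 proftpd[654]: server1.strec.com (example-host.invalid[203.0.113.7]) - FTP session opened.
Dec 19 09:43:43 server1 proftpd[654]: server1.strec.com (example-host.invalid[203.0.113.7]) - mod_delay/0.4: delaying for 78 usecs
Dec 19 09:43:43 server1 proftpd[654]: server1.strec.com (example-host.invalid[203.0.113.7]) - no such user 'Administrator'
Dec 19 09:43:44 server1 proftpd[654]: server1.strec.com (example-host.invalid[203.0.113.7]) - no such user 'Administrator'
Dec 19 09:43:44 server1 proftpd[654]: server1.strec.com (example-host.invalid[203.0.113.7]) - no such user 'Administrator'
Dec 19 09:43:44 server1 proftpd[654]: server1.strec.com (example-host.invalid[203.0.113.7]) - FTP session closed.
Dec 19 08:21:48 server1 proftpd[31927]: server1.strec.com (other.invalid[198.51.100.9]) - no such user 'anonymous'
"""

def parse(text):
    """Yield a dict per line that matches the proftpd format; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def failed_logins_by_ip(text):
    """Count 'no such user' rejections per remote IP address."""
    counts = Counter()
    for rec in parse(text):
        if rec["msg"].startswith("no such user"):
            counts[rec["ip"]] += 1
    return counts

def suspicious_ips(text, threshold=3):
    """IPs with at least `threshold` rejections, most active first."""
    return [ip for ip, n in failed_logins_by_ip(text).most_common() if n >= threshold]

def localhost_probe_sessions(text):
    """PIDs of 127.0.0.1 sessions that only open and close (the half-hourly pattern)."""
    msgs = defaultdict(list)
    for rec in parse(text):
        if rec["ip"] == "127.0.0.1":
            msgs[rec["pid"]].append(rec["msg"])
    return [pid for pid, m in msgs.items()
            if m == ["FTP session opened.", "FTP session closed."]]
```

Run it over /var/log/daemon.log to get per-address failure counts and the list of local probe sessions; the threshold is a tunable assumption, not a ProFTPD setting.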