
Thread: Child connection

  1. #1

    Child connection

    Anybody know what this means... never seen this in my log before.
    I don't know the IP in the log, do I need to worry??

    From log:
    Jun 7 21:22:37 dropbear[139]: Child connection from ::ffff:217.205.228.86:60142
    Jun 7 21:22:37 dropbear[139]: exit before auth: Failed to get remote version
    Jun 7 21:28:58 dropbear[140]: Child connection from ::ffff:217.205.228.86:60931
    Jun 7 21:29:02 dropbear[140]: login attempt for nonexistent user from ::ffff:217.205.228.86:60931
    Jun 7 21:29:03 dropbear[140]: exit before auth: Disconnect received
    Jun 7 21:29:06 dropbear[141]: Child connection from ::ffff:217.205.228.86:60428
    Jun 7 21:29:11 dropbear[141]: login attempt for nonexistent user from ::ffff:217.205.228.86:60428
    Jun 7 21:29:12 dropbear[141]: exit before auth: error reading: Connection reset by peer
    Jun 7 21:29:17 dropbear[142]: Child connection from ::ffff:217.205.228.86:60292
    Jun 7 21:29:22 dropbear[142]: exit before auth: Exited normally
    Last edited by guch79; 07-06-2005 at 21:37.

  2. #2
    Join Date
    Apr 2004
    Location
    Netherlands
    Posts
    1,308
    Looks like someone tries to make a connection, but quits before entering a username or password. Seems like a portscanner action of some sort to me. But I'm not sure; is the IP address familiar?

  3. #3
    No, never seen it before... I have tried to look it up on www.dnstools.com
    but it doesn't exist.

    What do you make of the ffff before the IP??
    What kind of connection is it, is dropbear FTP??
    And why a Child connection??

    Quote Originally Posted by Styno
    Looks like someone tries to make a connection, but quits before entering a username or password. Seems like a portscanner action of some sort to me. But I'm not sure; is the IP address familiar?
    Last edited by guch79; 07-06-2005 at 22:12.

  4. #4
    Join Date
    Sep 2004
    Location
    NL
    Posts
    206
    You can use this link

    http://www.ripe.net/whois?form_type=..._search=Search

    to get some more info on the IP. If it's not your own IP you may send a message including your log to the ABUSE address you get in the listing from the whois search and ask them if they have any idea what's happening; in this case the address would be "abuse@easynet.net". Or use one of the addresses / phone numbers you get from

    http://www.ripe.net/whois?searchtext...rm_type=simple
    Last edited by brubber; 08-06-2005 at 05:25.
    Brubber

    WL-500g, WL-138g, WL-160g

  5. #5
    Join Date
    Apr 2004
    Location
    Netherlands
    Posts
    1,308
    Quote Originally Posted by guch79
    What do you make of the ffff before the IP??
    Nothing, I've got no clue. Perhaps part of a MAC address??
    What kinda connection is it, is dropbear FTP??
    I can't tell judging the loglines, but the kind of connection isn't interesting imho.
    And why a Child connection??
    Dropbear creates a child process for each incoming connection. Probably this has something to do with that.

    It might not be a bad idea to move any open port (SSH, HTTP, FTP, etc.) to a port above 5000. Most port scanners do not scan ports above 1024. Since I moved all my services to higher ports I've got 0 unwanted incoming connections...

  6. #6
    Join Date
    Nov 2003
    Location
    Eindhoven
    Posts
    2,407
    Quote Originally Posted by guch79
    What do you make of the ffff before the IP??
    This is IPv4 written in IPv6 style stuff, just ignore it.

    Quote Originally Posted by guch79
    What kinda connection is it, is dropbear FTP??
    it's for SSH or SCP afaik..


  7. #7
    Join Date
    Apr 2005
    Location
    Eindhoven, The Netherlands
    Posts
    23

    Asus being hacked?

    I have similar messages. Seem to be hackers trying to access via ssh, anonymous or public ftp, etc.

    Keep your passwords safe, and all the usual stuff.
    Keep log files (syslog, ftp)

    Check your disk's contents for unusual stuff, mine was "donated" psyBNC,
    some 100 MP3s, and other stuff.
    Last edited by frankd; 08-06-2005 at 09:47.

  8. #8

    Thanx

    Thanx guys...

    It's nice to know, when somebody is knocking on your door

    I send a complaint to the abuse mail, with a copy of my sys log.
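
The log lines from the first post can be summarized per source address with a short script. This is an added example, not code from any poster in the thread: the function names are hypothetical, the sample log is copied from post #1, and the threshold of three pre-auth exits is an arbitrary assumption. It ties each dropbear child PID back to its "Child connection" line and unwraps the `::ffff:` IPv4-mapped IPv6 prefix discussed above.

```python
import ipaddress
import re
from collections import defaultdict

# Log lines copied from the first post in this thread.
SAMPLE_LOG = """\
Jun 7 21:22:37 dropbear[139]: Child connection from ::ffff:217.205.228.86:60142
Jun 7 21:22:37 dropbear[139]: exit before auth: Failed to get remote version
Jun 7 21:28:58 dropbear[140]: Child connection from ::ffff:217.205.228.86:60931
Jun 7 21:29:02 dropbear[140]: login attempt for nonexistent user from ::ffff:217.205.228.86:60931
Jun 7 21:29:03 dropbear[140]: exit before auth: Disconnect received
Jun 7 21:29:06 dropbear[141]: Child connection from ::ffff:217.205.228.86:60428
Jun 7 21:29:11 dropbear[141]: login attempt for nonexistent user from ::ffff:217.205.228.86:60428
Jun 7 21:29:12 dropbear[141]: exit before auth: error reading: Connection reset by peer
Jun 7 21:29:17 dropbear[142]: Child connection from ::ffff:217.205.228.86:60292
Jun 7 21:29:22 dropbear[142]: exit before auth: Exited normally
"""

LINE_RE = re.compile(r"dropbear\[(\d+)\]: (.*)")  # '.' stops at each newline
CHILD_RE = re.compile(r"Child connection from (\S+)")

def normalize_peer(peer):
    """Split 'addr:port' and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr, _, port = peer.rpartition(":")
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6Address has this
    return str(mapped if mapped is not None else ip), int(port)

def summarize(log_text):
    """Per source IP: connections, unknown-user attempts, pre-auth exits."""
    pid_to_ip = {}  # dropbear child PID -> source IP of that connection
    stats = defaultdict(lambda: {"connections": 0, "unknown_user": 0, "preauth_exit": 0})
    for m in LINE_RE.finditer(log_text):
        pid, msg = m.groups()
        child = CHILD_RE.match(msg)
        if child:
            pid_to_ip[pid], _port = normalize_peer(child.group(1))
            stats[pid_to_ip[pid]]["connections"] += 1
        elif pid in pid_to_ip:
            if msg.startswith("login attempt for nonexistent user"):
                stats[pid_to_ip[pid]]["unknown_user"] += 1
            elif msg.startswith("exit before auth"):
                stats[pid_to_ip[pid]]["preauth_exit"] += 1
    return dict(stats)

def suspicious(stats, min_preauth_exits=3):  # threshold is an assumption
    """Sources that repeatedly connect and leave without authenticating."""
    return sorted(ip for ip, s in stats.items() if s["preauth_exit"] >= min_preauth_exits)
```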
