Anybody know what this means... never seen this in my log before.
I don't know the IP in the log, do I need to worry??
From log:
Jun 7 21:22:37 dropbear[139]: Child connection from ::ffff:217.205.228.86:60142
Jun 7 21:22:37 dropbear[139]: exit before auth: Failed to get remote version
Jun 7 21:28:58 dropbear[140]: Child connection from ::ffff:217.205.228.86:60931
Jun 7 21:29:02 dropbear[140]: login attempt for nonexistent user from ::ffff:217.205.228.86:60931
Jun 7 21:29:03 dropbear[140]: exit before auth: Disconnect received
Jun 7 21:29:06 dropbear[141]: Child connection from ::ffff:217.205.228.86:60428
Jun 7 21:29:11 dropbear[141]: login attempt for nonexistent user from ::ffff:217.205.228.86:60428
Jun 7 21:29:12 dropbear[141]: exit before auth: error reading: Connection reset by peer
Jun 7 21:29:17 dropbear[142]: Child connection from ::ffff:217.205.228.86:60292
Jun 7 21:29:22 dropbear[142]: exit before auth: Exited normally
Last edited by guch79; 07-06-2005 at 21:37.
Looks like someone tries to make a connection, but quits before entering a username or password. Seems like a portscanner action of some sort to me. But I'm not sure; is the IP address familiar?
No, never seen it before... I have tried to look it up on www.dnstools.com
but it doesn't exist.
What do you make of the ffff before the IP??
What kinda connection is it, is dropbear FTP??
And why a Child connection??
Originally Posted by Styno
Last edited by guch79; 07-06-2005 at 22:12.
You can use this link
http://www.ripe.net/whois?form_type=..._search=Search
to get some more info on the IP. If it's not your own IP you may send a message including your log to the ABUSE address you get in the listing from the whois search and ask them if they have any idea what's happening; in this case the address would be "abuse@easynet.net". Or use one of the addresses / phone numbers you get from
http://www.ripe.net/whois?searchtext...rm_type=simple
Last edited by brubber; 08-06-2005 at 05:25.
Brubber
WL-500g, WL-138g, WL-160g
Originally Posted by guch79: What do you make of the ffff before the IP??
Nothing, I've got no clue. Perhaps part of a MAC address??
Originally Posted by guch79: What kinda connection is it, is dropbear FTP??
I can't tell judging by the log lines, but the kind of connection isn't interesting imho.
Originally Posted by guch79: And why a Child connection??
Dropbear creates a child process for each incoming connection. Probably this has something to do with that.
It might not be a bad idea to move any open port (SSH, HTTP, FTP, etc.) to a port above 5000. Most port scanners do not scan ports above 1024. Since I moved all my services to higher ports I've got 0 unwanted incoming connections...
Originally Posted by guch79: What do you make of the ffff before the IP??
This is IPv4 written in IPv6 style stuff, just ignore it.
Originally Posted by guch79: What kinda connection is it, is dropbear FTP??
It's for SSH or SCP afaik..
I have similar messages. Seem to be hackers trying to access via ssh, anonymous or public ftp, etc.
Keep your passwords safe, and all the usual stuff.
Keep log files (syslog, ftp)
Check your disk's contents for unusual stuff; mine was "donated" psyBNC, some 100 MP3s, and other stuff.
Last edited by frankd; 08-06-2005 at 09:47.
Thanks guys...
It's nice to know when somebody is knocking on your door.
I sent a complaint to the abuse mail, with a copy of my syslog.