> > I'm getting the following entries in my /var/log/secure log file:
> > Jan 3 04:43:02 linux xinetd[2218]: FAIL: ftp libwrap from=213.1.127.26
> > Jan 4 03:06:07 linux xinetd[2218]: FAIL: ftp libwrap from=24.160.136.69
> > Jan 4 03:06:10 linux xinetd[19213]: USERID: ftp OTHER :root
> > Jan 4 03:06:43 linux xinetd[2218]: FAIL: ftp libwrap from=24.160.136.69
> > Jan 4 03:06:43 linux xinetd[19214]: USERID: ftp OTHER :root
> > Jan 5 05:13:21 linux xinetd[2218]: FAIL: ftp libwrap from=207.105.159.130
> These IP addresses tried to ftp to your machine. In some cases the user was
> root. In others either you left the user off or it was not available. These
> entries should be forwarded to the network responsible for the machines making
> the connects, with a polite note asking that their abuse teams look them over.
> > What do they mean and do I need to be worried about them? I'm a bit
> > concerned about the fact that they contain the word "root" in them, which
> > naturally I don't want root connecting to my machine from anywhere!
> Nothing here to worry about, can't read all the logs though.
> Make the complaint(s).
> -m-
I would also like to add that the times of the failed connections are
highly suspect. Sean, is your system clock accurate (and indicating
local time)? Failed connections in the wee hours are common indicators
of bad intentions. Most of the scans/failed connections that I get occur
in the early morning. Crackers don't like to have people logged on and
active when they try to get in.
Clyde
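
The triage discussed in this thread, as an added example that is not part of the original messages: it groups the quoted xinetd `FAIL ... libwrap` lines (connections refused by TCP wrappers) by source address, counts those in the early hours, and keeps the raw lines as evidence for an abuse report. The year, the 00:00-06:00 window, and the 60-second pairing of `USERID` lines with the nearest `FAIL` are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The xinetd lines quoted in the thread, reused as sample input.
SAMPLE = """\
Jan 3 04:43:02 linux xinetd[2218]: FAIL: ftp libwrap from=213.1.127.26
Jan 4 03:06:07 linux xinetd[2218]: FAIL: ftp libwrap from=24.160.136.69
Jan 4 03:06:10 linux xinetd[19213]: USERID: ftp OTHER :root
Jan 4 03:06:43 linux xinetd[2218]: FAIL: ftp libwrap from=24.160.136.69
Jan 4 03:06:43 linux xinetd[19214]: USERID: ftp OTHER :root
Jan 5 05:13:21 linux xinetd[2218]: FAIL: ftp libwrap from=207.105.159.130
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+xinetd\[\d+\]:\s+"
                  r"(FAIL|USERID):\s+(\S+)\s+(.*)$")

def parse(text, year=2000):
    """Return (timestamp, kind, service, detail, raw) for each xinetd line.
    Syslog omits the year, so `year` is an assumed placeholder."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4), raw.strip()))
    return events

def summarize(events, window=timedelta(seconds=60), quiet_hours=range(0, 6)):
    """Group refused connections by source address for an abuse report."""
    report = defaultdict(lambda: {"evidence": [], "ident": set(), "off_hours": 0})
    fails = [(ts, d.rsplit("from=", 1)[-1]) for ts, k, _, d, _ in events if k == "FAIL"]
    for ts, kind, _, detail, raw in events:
        if kind == "FAIL":
            entry = report[detail.rsplit("from=", 1)[-1]]
            entry["evidence"].append(raw)
            entry["off_hours"] += ts.hour in quiet_hours
        elif fails:
            # USERID is the remote host's unverified ident (RFC 1413) answer and
            # carries no address; heuristically pair it with the nearest FAIL.
            near_ts, ip = min(fails, key=lambda f: abs(f[0] - ts))
            if abs(near_ts - ts) <= window:
                report[ip]["ident"].add(detail.rsplit(":", 1)[-1].strip())
    return dict(report)

if __name__ == "__main__":
    for ip, e in summarize(parse(SAMPLE)).items():
        print(f"{ip}: {len(e['evidence'])} refused, {e['off_hours']} off-hours, "
              f"ident={sorted(e['ident'])}")
```

Before sending a report, confirm the system clock and time zone, since the off-hours count and the timestamps in the evidence both depend on them.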