boxa
26.07.02, 07:56
Hello experts,
Last night someone was tampering with my PROFTP server. I found the following in the log file /var/log/messages:
Jul 25 22:36:49 datentransfer proftpd[13761]: datentransfer (62.158.229.138[62.158.229.138]) - FTP session opened.
Jul 25 22:37:11 datentransfer proftpd[13762]: datentransfer (62.158.229.138[62.158.229.138]) - FTP session opened.
Jul 25 22:38:02 datentransfer kernel: conntrack_ftp: partial PORT 142547850+1
Jul 25 22:38:02 datentransfer kernel: conntrack_ftp: partial PORT 142547850+2
Jul 25 22:38:03 datentransfer kernel: conntrack_ftp: partial PORT 142547850+5
Jul 25 22:38:05 datentransfer kernel: conntrack_ftp: partial PORT 142547850+11
Does anyone know what the conntrack_ftp entries are about?? I am really grateful for any hint.
The log file proftp.paranoid contains the following:
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:37:21 +0200] " HELP " 214 -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:37:31 +0200] " REIN " 502 -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:37:35 +0200] " RMD " - -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:37:39 +0200] " NOOP " 200 -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:37:45 +0200] " XPWD " - -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:37:49 +0200] " MODE " - -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:37:54 +0200] " STAT " - -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:37:59 +0200] " SYST " - -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:38:08 +0200] " PORT 3456" - -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:38:14 +0200] " NLST " - -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:39:54 +0200] " USER " 500 -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:40:01 +0200] " USER root" 331 -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:40:10 +0200] " PASS (hidden)" 530 -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:40:13 +0200] " HELP " 214 -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:40:17 +0200] " STOR " - -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:40:21 +0200] " LIST " - -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:40:24 +0200] " MDTM " - -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:40:32 +0200] " STOU " - -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:40:36 +0200] " NOOP " 200 -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:40:41 +0200] " ABOR " - -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:40:45 +0200] " RNTO " - -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:40:51 +0200] " STRU " - -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:40:54 +0200] " NOOP " 200 -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:41:12 +0200] " NOOP " 200 -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:41:15 +0200] " NOOP " 200 -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:41:17 +0200] " NOOP " 200 -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:41:19 +0200] " NOOP " 200 -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:41:20 +0200] " NOOP " 200 -
62.158.229.138 UNKNOWN nobody [25/Jul/2002:22:41:23 +0200] " NOOP " 200 -
/var/log/proftpd/proftpd.access_log
FTP [13762] 62.158.229.138 [25/Jul/2002:22:37:31 +0200] "REIN " 502
FTP [13763] 62.158.229.138 [25/Jul/2002:22:39:54 +0200] "USER " 500
FTP [13763] 62.158.229.138 [25/Jul/2002:22:40:01 +0200] "USER root" 331
FTP [13763] 62.158.229.138 [25/Jul/2002:22:40:10 +0200] "PASS (hidden)" 530
The biggest mystery to me is the entry with the conntrack_ftp.