
Re: Report on last cmd



On Friday 04 October 2002 04:03 am, Glen Tapley wrote:
> Hello
>
> I have been having a lot of trouble with my sendmail setup, someone is
> using my system. I have found that when I run the last cmd, I find a lot of
> strange entries such as
>
> ftp      ftp          p50852BD8.dip.t- Sun Oct  6 03:57 - 03:57  (00:00)
> ftp      ftp          p508ECDDA.dip.t- Sun Oct  6 03:37 - 03:37  (00:00)
> ftp      ftp          212.171.38.1     Sat Oct  5 23:16 - 23:16  (00:00)
> ftp      ftp          210.23.10.25     Sat Oct  5 18:40 - 18:40  (00:00)
>
> Can anyone tell me what these are, are they the result of programs
> accessing my TCP/IP addresses?
>

the first ip address seems to be relaying across interbusiness.it, and the 
second may well be an unallocated ip address belonging to super.net.sg

unless you can think of a good reason why anyone should think they have a 
legitimate reason to connect to you in that manner, you might want to get in 
touch with both of those to let them know what's going on--especially 
super.net, since they run one of the main gateways in singapore and will 
surely want to know about anyone spoofing their ip's.

i just tried an ftp connection to you and an anonymous login was rejected, so 
it's unlikely that anybody has done any harm there.

the incidents in your sendmail logs are probably part of a port scan. you 
should make sure that the rest of your system is solid.

ben
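
An added example, not part of the original thread: a small Python script that pulls zero-length ftp rows like those quoted above out of `last` output and groups them by remote host. The 16-character host column width, the function name `ftp_sessions`, and the `alice` row are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Sample `last` lines: the four ftp rows are from the message above; the
# final row is a constructed interactive login, added for contrast.
SAMPLE = """\
ftp      ftp          p50852BD8.dip.t- Sun Oct  6 03:57 - 03:57  (00:00)
ftp      ftp          p508ECDDA.dip.t- Sun Oct  6 03:37 - 03:37  (00:00)
ftp      ftp          212.171.38.1     Sat Oct  5 23:16 - 23:16  (00:00)
ftp      ftp          210.23.10.25     Sat Oct  5 18:40 - 18:40  (00:00)
alice    pts/0        192.0.2.10       Sat Oct  5 09:02 - 11:30  (02:28)
"""

ROW = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<start>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}) - \d{2}:\d{2}\s+"
    r"\((?:(?P<d>\d+)\+)?(?P<h>\d{2}):(?P<m>\d{2})\)\s*$"
)
HOST_WIDTH = 16  # assumed width of the host column; longer names are cut here


def ftp_sessions(last_output, max_minutes=0):
    """Group short ftp sessions by remote host.

    Returns {host: {"count": n, "starts": [...], "truncated": bool}} for
    rows whose tty is "ftp" and whose duration is <= max_minutes.
    """
    report = defaultdict(lambda: {"count": 0, "starts": [], "truncated": False})
    for line in last_output.splitlines():
        m = ROW.match(line)
        if not m or m["tty"] != "ftp":
            continue  # skip reboots, still-logged-in rows, non-ftp logins
        minutes = (int(m["d"] or 0) * 24 + int(m["h"])) * 60 + int(m["m"])
        if minutes > max_minutes:
            continue
        entry = report[m["host"]]
        entry["count"] += 1
        entry["starts"].append(m["start"])
        # A host that fills the column exactly was probably cut off, so it
        # cannot be resolved or matched against other logs as written.
        entry["truncated"] = len(m["host"]) >= HOST_WIDTH
    return dict(report)


if __name__ == "__main__":
    for host, info in ftp_sessions(SAMPLE).items():
        note = " (hostname truncated)" if info["truncated"] else ""
        print(f"{host}{note}: {info['count']} session(s) at {info['starts']}")
```

The start times it returns can be matched against the ftp daemon's own log to see what, if anything, each connection attempted.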


