Strange connection attempts in log


Groove_121

Sep 24, 2010, 3:36:13 PM
to RhinoSoft.com User Group
I am getting the following connection attempts every 30 seconds
showing up in the log:
.
.
.
[02] Fri 24Sep10 00:03:44 - (011745) Connected to 192.168.0.100 (local address 192.168.0.100, port 22)
[03] Fri 24Sep10 00:03:44 - (011745) IP-Name: alba (192.168.0.100)
[02] Fri 24Sep10 00:03:44 - (011745) Closed session
[02] Fri 24Sep10 00:04:14 - (011746) Connected to 192.168.0.100 (local address 192.168.0.100, port 22)
[03] Fri 24Sep10 00:04:14 - (011746) IP-Name: alba (192.168.0.100)
[02] Fri 24Sep10 00:04:14 - (011746) Closed session
[02] Fri 24Sep10 00:04:44 - (011747) Connected to 192.168.0.100 (local address 192.168.0.100, port 22)
[03] Fri 24Sep10 00:04:44 - (011747) IP-Name: alba (192.168.0.100)
[02] Fri 24Sep10 00:04:44 - (011747) Closed session
.
.
.
This is the IP of the host.
What is causing this?

FTPServerTools

Sep 25, 2010, 4:14:26 PM
to RhinoSoft.com User Group
It sounds like a trojan or something, I don't know.
I advise you to download the Sysinternals tools and run procexp
(Process Explorer) to see what is happening. Also, you can take a look
at tcpview.exe to see which program uses which ports.

If you cannot find it, then start procmon.exe; it delivers a huge
amount of data, and it does say when ports are being opened and by what.
If that doesn't work, then grab SmartSniff and see which program tries
it.
Which Serv-U version are you running?

Groove_121

Sep 28, 2010, 7:37:24 PM
to RhinoSoft.com User Group

I've tried those tools and couldn't find anything. I also tried
NirSoft's SmartSniff and that didn't show any activity on port 22 when
I monitored for a few minutes. It does show activity on port 22 when
I log on using SSH, though.

The log shows an external IP when an external IP tries to connect, but
this 30 second connection attempt doesn't show an external IP, it
shows the internal IP of the host itself. Also, when I changed the IP
blocking protection for multi login attempts from 4 connection
attempts per 30 seconds to 4 connection attempts per 60 seconds, the
above log remained unchanged - a connection every 30 seconds. The
only way to stop it seems to be to stop listening on port 22, but I don't
want to do that.

Also, it is not clear why Serv-U immediately disconnects when that
every 30 second connection occurs. That's why I figured maybe it's
something else going on.

I am running Serv-U 10.2.

Groove_121

Oct 2, 2010, 4:09:18 PM
to RhinoSoft.com User Group

I figured it out. I have MikroTik's The Dude installed on the same
server. It polls the SSH server every 30 seconds, and this shows up
in Serv-U's log as a connection from the host.

I have filtered out connections from the host in the log and that has
resolved the problem (in a hacked sort of roundabout way).
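
The pattern this thread ended on (a local monitor opening and closing port 22 at a fixed interval) can be confirmed from the log itself before filtering it out. The following is an added example, not part of the original posts: it assumes the line format of the excerpt above with each event on a single line, and the 203.0.113.7 session, the function name and the thresholds are constructed for illustration.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample: the three sessions quoted in the thread plus one made-up
# external session (203.0.113.7, documentation range) for contrast.
SAMPLE_LOG = """\
[02] Fri 24Sep10 00:03:44 - (011745) Connected to 192.168.0.100 (local address 192.168.0.100, port 22)
[03] Fri 24Sep10 00:03:44 - (011745) IP-Name: alba (192.168.0.100)
[02] Fri 24Sep10 00:03:44 - (011745) Closed session
[02] Fri 24Sep10 00:04:14 - (011746) Connected to 192.168.0.100 (local address 192.168.0.100, port 22)
[03] Fri 24Sep10 00:04:14 - (011746) IP-Name: alba (192.168.0.100)
[02] Fri 24Sep10 00:04:14 - (011746) Closed session
[02] Fri 24Sep10 00:04:20 - (011900) Connected to 203.0.113.7 (local address 192.168.0.100, port 22)
[02] Fri 24Sep10 00:04:25 - (011900) Closed session
[02] Fri 24Sep10 00:04:44 - (011747) Connected to 192.168.0.100 (local address 192.168.0.100, port 22)
[03] Fri 24Sep10 00:04:44 - (011747) IP-Name: alba (192.168.0.100)
[02] Fri 24Sep10 00:04:44 - (011747) Closed session
"""

LINE = re.compile(r"\[\d+\] \w{3} (\d{2}\w{3}\d{2} \d{2}:\d{2}:\d{2}) - \((\d+)\) (.*)")
CONNECT = re.compile(r"Connected to (\S+) \(local address (\S+), port (\d+)\)")

def find_self_probes(log_text, max_session_s=1, jitter_s=2, min_hits=3):
    """Return {(ip, port): interval_seconds} for peers that connect from the
    server's own address, close almost at once, and recur at a steady interval."""
    opened, probes = {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # elision markers, wrapped fragments, other formats
        ts = datetime.strptime(m.group(1), "%d%b%y %H:%M:%S")
        sid, msg = m.group(2), m.group(3)
        c = CONNECT.match(msg)
        if c:
            opened[sid] = (ts, c.group(1), c.group(2), int(c.group(3)))
        elif msg.startswith("Closed session") and sid in opened:
            start, peer, local, port = opened.pop(sid)
            # Peer equals the listener's own address and the session did nothing.
            if peer == local and (ts - start).total_seconds() <= max_session_s:
                probes.setdefault((peer, port), []).append(start)
    result = {}
    for key, times in probes.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= max(min_hits, 2) and max(gaps) - min(gaps) <= jitter_s:
            result[key] = median(gaps)
    return result
```

A steady interval from the host's own address points at a local poller such as a monitoring agent; matching that interval against the polling settings of the software installed on the server identifies which one.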