Web Hosting Talk

strange errors in my logs


skylab
10-20-2001, 06:39 AM
i'm getting this every 15 minutes in my logs. anyone have any ideas? there's nothing under cron.quarterly...i'm stuck...

Oct 20 02:30:01 ns1 proftpd[4076]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session opened.
Oct 20 02:30:01 ns1 proftpd[4076]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session closed.
Oct 20 02:45:01 ns1 proftpd[4660]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session opened.
Oct 20 02:45:01 ns1 proftpd[4660]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session closed.
Oct 20 03:00:00 ns1 proftpd[5236]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session opened.
Oct 20 03:00:00 ns1 proftpd[5236]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session closed.
Oct 20 03:15:00 ns1 proftpd[5830]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session opened.
Oct 20 03:15:00 ns1 proftpd[5830]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session closed.


and that's it.

weird weird weird weird. i apologize if it's been discussed elsewhere, i couldn't really find anything here....or maybe i didn't look hard enough..



oh yeah, i'm getting this a lot too. what is this about? i run my own DNS if that helps..

Oct 20 04:02:30 ns1 named[388]: Lame server on '50.193.40.216.in-addr.arpa' (in '193.40.216.in-addr.arpa'?): [216.88.77.7].53 'NS2.EV1.NET'
Oct 20 04:02:30 ns1 named[388]: Lame server on '50.193.40.216.in-addr.arpa' (in '193.40.216.in-addr.arpa'?): [216.88.76.6].53 'NS1.EV1.NET'

why would anything involving ev1 (rackshack?) be heading my way? my raq isn't involved in any way with ev1 or rackshack...at least, not that i know of..

thanks for your help in advance..

Chicken
10-20-2001, 10:35 AM
Originally posted by skylab
i'm getting this every 15 minutes in my logs. anyone have any ideas? there's nothing under cron.quarterly...i'm stuck...

Oct 20 02:30:01 ns1 proftpd[4076]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session opened.
Oct 20 02:30:01 ns1 proftpd[4076]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session closed.
Oct 20 02:45:01 ns1 proftpd[4660]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session opened.
Oct 20 02:45:01 ns1 proftpd[4660]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session closed.
Oct 20 03:00:00 ns1 proftpd[5236]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session opened.
Oct 20 03:00:00 ns1 proftpd[5236]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session closed.
Oct 20 03:15:00 ns1 proftpd[5830]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session opened.
Oct 20 03:15:00 ns1 proftpd[5830]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session closed.


This is just a monitor checking to see if the FTP server is up (every 15 minutes).
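
The monitor pattern described in the reply above can be checked mechanically. This is an added example, not part of the original thread: it pairs proftpd open/close events by PID and tests whether every session is loopback, near-instant and evenly spaced. The `year` default and the duration and jitter thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the first post in this thread (syslog format, no year field).
SAMPLE = """\
Oct 20 02:30:01 ns1 proftpd[4076]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session opened.
Oct 20 02:30:01 ns1 proftpd[4076]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session closed.
Oct 20 02:45:01 ns1 proftpd[4660]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session opened.
Oct 20 02:45:01 ns1 proftpd[4660]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session closed.
Oct 20 03:00:00 ns1 proftpd[5236]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session opened.
Oct 20 03:00:00 ns1 proftpd[5236]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session closed.
Oct 20 03:15:00 ns1 proftpd[5830]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session opened.
Oct 20 03:15:00 ns1 proftpd[5830]: ns1.mydomain.com (localhost[127.0.0.1]) - FTP session closed.
"""

# timestamp, logging host, proftpd PID, server name, (client name[client IP]), event
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[(?P<pid>\d+)\]: \S+ "
    r"\((?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]\) - FTP session (?P<ev>opened|closed)\.")

def sessions(text, year=2001):
    """Pair opened/closed events by (PID, client IP); return (start, duration, ip)."""
    open_at, out = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["pid"], m["ip"])
        if m["ev"] == "opened":
            open_at[key] = ts
        elif key in open_at:
            start = open_at.pop(key)
            out.append((start, ts - start, m["ip"]))
    return sorted(out)

def looks_like_monitor(sess, max_len=timedelta(seconds=2), jitter=timedelta(seconds=5)):
    """Return (verdict, period): loopback-only, near-instant, evenly spaced sessions."""
    if len(sess) < 3:
        return False, None
    if any(ip != "127.0.0.1" or dur > max_len for _, dur, ip in sess):
        return False, None
    gaps = [b[0] - a[0] for a, b in zip(sess, sess[1:])]
    period = sorted(gaps)[len(gaps) // 2]  # median gap between session starts
    return all(abs(g - period) <= jitter for g in gaps), period

if __name__ == "__main__":
    ok, period = looks_like_monitor(sessions(SAMPLE))
    print(f"monitor-like: {ok}, period: {period}")
```

A session from a non-loopback address, or one that stays open longer than the threshold, makes the check return False so those lines get looked at by hand.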

skylab
10-20-2001, 10:57 AM
ok, great, thank you chicken! i found out what the last problem was involving ev1.net as well. wonderful.


now i'm on my way to sifting through getting to know portsentry and ipchains and all that fun stuff! (and recovering from my small heart attack after running chkrootkit [before i learned of the thing with portsentry] and seeing the bindshell INFECTED in front of me). whew.

thanks again

skylab
10-20-2001, 11:17 AM
hmm. ok, how about this one:

Oct 20 10:55:59 ns1 insmod: Warning: kernel-module minor version mismatch ^I/lib/modules/net/bwmgmt.o was compiled for kernel versi$
Oct 20 10:55:59 ns1 insmod: insmod will continue if kernel interface checksums match




i just restarted my server for the first time in 10 days, and this was in my logs.


thanks again.

huck
10-22-2001, 04:43 PM
Take a look at pmfirewall for a nice utility to help with ipchains.


Also, IMO, ditch port-sentry. Last I evaluated it, it was terrible. Portsentry binds every port on your machine -- just looking for an attack -- this actually makes your machine highly visible and look like a hacker's goldmine (lots of services running). I think it's better to lock down the machine so only a few necessary ports are open, thus not getting flagged in portscans. For NIDS, check out snort.