Web Hosting Talk
constant connection to ftp


-Ley-
11-23-2004, 06:39 AM
Hello,

I have 1 crap server with managed.com which I use for free hosting.

Recently, well, a few weeks ago already, I added an account.

I have noticed some strange things in /var/log/messages.

Every second someone tries to connect through FTP with the username logs@thedomainiadded.

Of course this does not succeed, so the IP in question gets blocked by my APF & BFD and put in the deny hosts.

Although, every time an IP gets blocked the same situation happens again from a different IP.

My deny hosts has about 300 IPs listed from this situation... every second there is an attempt... it gets blocked, and then it happens again under a different IP...

What do you suggest I can do?

-Ley-
11-23-2004, 06:45 AM
I would post a part of the logfile here but it's simply too much... I think there are in total about 50k screens with this message ;)

-Ley-
11-23-2004, 01:19 PM
............anyone?

_rse
11-23-2004, 01:33 PM
Paste a snippet of the log file? Could you be misinterpreting something?
I've never heard of anything like this; the changing IP address is particularly strange.

Although, I do know that cPanel posts a logs@domain.com link in its Log Management; is there a possibility that you are accessing cPanel and clicking this link?

-Ley-
11-23-2004, 03:00 PM
No, this is not possible.

I am talking about hundreds of attempts to access the FTP under this name, and every time a different address. I am not accessing cPanel; it's not my account.

If you really want a snippet, here it is:


Nov 14 11:05:30 tiger proftpd[8497]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:05:38 tiger proftpd[8516]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:06:30 tiger proftpd[8816]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:06:35 tiger proftpd[8831]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:07:43 tiger proftpd[9186]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:07:51 tiger proftpd[9187]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:08:45 tiger proftpd[9437]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:08:49 tiger proftpd[9445]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:09:51 tiger proftpd[9781]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:09:59 tiger proftpd[9784]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:11:14 tiger proftpd[10015]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:11:21 tiger proftpd[10016]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:11:54 tiger proftpd[11271]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:11:58 tiger proftpd[11272]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:12:58 tiger proftpd[11692]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:13:06 tiger proftpd[11725]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:13:56 tiger proftpd[11925]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:14:05 tiger proftpd[11949]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:14:57 tiger proftpd[12293]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:15:10 tiger proftpd[12357]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:15:58 tiger proftpd[12533]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:16:11 tiger proftpd[12598]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:16:59 tiger proftpd[12853]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:17:14 tiger proftpd[12890]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:18:10 tiger proftpd[13010]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:18:20 tiger proftpd[13033]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:19:22 tiger proftpd[13282]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:19:26 tiger proftpd[13327]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:20:34 tiger proftpd[13674]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:20:41 tiger proftpd[13697]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:21:19 tiger proftpd[14737]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:21:29 tiger proftpd[14776]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:22:22 tiger proftpd[14935]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:22:35 tiger proftpd[14946]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:23:22 tiger proftpd[15175]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:23:31 tiger proftpd[15211]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:24:28 tiger proftpd[15405]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:24:40 tiger proftpd[15433]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:25:27 tiger proftpd[15562]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:25:38 tiger proftpd[15605]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:26:18 tiger proftpd[15772]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:26:26 tiger proftpd[15876]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:26:37 tiger proftpd[16011]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:27:30 tiger proftpd[16254]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:27:43 tiger proftpd[16226]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:27:57 tiger proftpd[16284]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:28:30 tiger proftpd[16390]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:28:44 tiger proftpd[16400]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:29:36 tiger proftpd[16426]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:29:53 tiger proftpd[16484]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:30:07 tiger proftpd[16519]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:30:24 tiger proftpd[16509]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:30:55 tiger proftpd[16631]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:31:06 tiger proftpd[17691]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:31:12 tiger proftpd[17704]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:31:43 tiger proftpd[17900]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:31:59 tiger proftpd[18008]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx1[xxx.xxx.xxx.xxx1]) - no such user 'logs@domain.com'
Nov 14 11:32:16 tiger proftpd[18027]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'
Nov 14 11:32:57 tiger proftpd[18130]: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'logs@domain.com'



This is a log from 14 November... this continues every day, every few seconds with a different IP, as the other IP has been blocked.

I compared about 300 IPs on openrbl.org and 98% are also listed as open relays.......

Anyone have some tips? Since the termination of this account won't help, I am afraid. I can only remove this IP they try to connect to from usage; maybe that will help?
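An added example, not part of the original post, of the triage a practitioner would run over log lines like the ones above: parse proftpd's "no such user" lines, count distinct source addresses per probed username, and decide whether after-the-fact per-IP bans (the APF/BFD approach) can ever keep up. The sample lines are constructed for the demonstration using RFC 5737 documentation addresses; the second username, the PIDs and the trailing "FTP session closed." line are invented, and the `apf -d HOST` deny syntax is an assumption to check against your own APF build.

```python
import re
from collections import Counter, defaultdict

# Shape of the proftpd syslog lines quoted in the thread:
#   Nov 14 11:05:30 tiger proftpd[8497]: IP (HOST[IP]) - no such user 'NAME'
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"proftpd\[(?P<pid>\d+)\]: (?P<src>\S+) \((?P<rhost>[^\[]*)\[(?P<rip>[^\]]*)\]\) "
    r"- no such user '(?P<user>[^']*)'$"
)

# Constructed sample (not from the original post): RFC 5737 documentation
# addresses, one address repeating, a second probed username, and one
# unrelated line the parser must ignore.
SAMPLE_LOG = """\
Nov 14 11:05:30 tiger proftpd[8497]: 203.0.113.10 (203.0.113.10[203.0.113.10]) - no such user 'logs@domain.com'
Nov 14 11:05:38 tiger proftpd[8516]: 203.0.113.11 (203.0.113.11[203.0.113.11]) - no such user 'logs@domain.com'
Nov 14 11:06:30 tiger proftpd[8816]: 198.51.100.7 (198.51.100.7[198.51.100.7]) - no such user 'logs@domain.com'
Nov 14 11:06:35 tiger proftpd[8831]: 198.51.100.8 (198.51.100.8[198.51.100.8]) - no such user 'logs@domain.com'
Nov 14 11:07:43 tiger proftpd[9186]: 203.0.113.10 (203.0.113.10[203.0.113.10]) - no such user 'logs@domain.com'
Nov 14 11:07:51 tiger proftpd[9187]: 192.0.2.44 (192.0.2.44[192.0.2.44]) - no such user 'logs@domain.com'
Nov 14 11:08:10 tiger proftpd[9300]: 192.0.2.200 (192.0.2.200[192.0.2.200]) - no such user 'test'
Nov 14 11:08:12 tiger proftpd[9301]: 192.0.2.200 (192.0.2.200[192.0.2.200]) - no such user 'test'
Nov 14 11:08:14 tiger proftpd[9302]: 192.0.2.200 (192.0.2.200[192.0.2.200]) - no such user 'test'
Nov 14 11:09:00 tiger proftpd[9400]: 192.0.2.9 (192.0.2.9[192.0.2.9]) - FTP session closed.
"""


def parse_line(line):
    """Return {'ts', 'src', 'user'} for a 'no such user' line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    return {"ts": m["ts"], "src": m["src"], "user": m["user"]} if m else None


def summarize(lines):
    """Map each probed username to a Counter of the source addresses that tried it."""
    per_user = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_user[rec["user"]][rec["src"]] += 1
    return per_user


def classify(per_user, min_sources=3):
    """
    Per username: attempt count, distinct source count, and whether per-IP
    bans can keep up. When most attempts come from addresses that never
    repeat, each ban removes an address that was not coming back anyway,
    so the deny list grows (the thread's ~300 entries) without reducing
    the attempt rate.
    """
    report = {}
    for user, sources in per_user.items():
        attempts = sum(sources.values())
        distinct = len(sources)
        from_repeaters = sum(n for n in sources.values() if n > 1)
        if distinct == 1:
            verdict = "single source; a per-IP ban stops it"
        elif distinct >= min_sources and from_repeaters < attempts / 2:
            verdict = "distributed; per-IP bans will not keep up"
        else:
            verdict = "mixed; bans catch the repeaters only"
        report[user] = {
            "attempts": attempts,
            "distinct_sources": distinct,
            "verdict": verdict,
        }
    return report


def deny_commands(per_user, repeats=2):
    """
    Addresses worth an explicit deny: only those seen at least `repeats`
    times across all usernames. Rendered with APF's deny switch
    (apf -d HOST); the exact syntax is an assumption, check your version.
    """
    seen = Counter()
    for sources in per_user.values():
        seen.update(sources)
    return [f"apf -d {ip}" for ip, n in sorted(seen.items()) if n >= repeats]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for user, info in classify(summary).items():
        print(f"{user}: {info['attempts']} attempts from "
              f"{info['distinct_sources']} addresses -> {info['verdict']}")
    print("\n".join(deny_commands(summary)))
```

Run against the real file with `summarize(open("/var/log/messages"))`. On the constructed sample, logs@domain.com is hit from five addresses with one repeater, so the verdict is "distributed" and only one of those five addresses would earn a deny entry; the `test` username comes from a single address, where a ban does end it. That split is the point of the thread: the deny list filling up is a symptom, not a fix, when the source rotates.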

DesolateDemise
11-23-2004, 07:19 PM
Something like that happens to me: I log into my FTP and it logs me out after a few. I wish it kept a constant connection; I was in the middle of uploading files and after a while it logged me out in the middle of uploading. HOW can it do that :-\

-Ley-
11-23-2004, 07:20 PM
This is not a user... I think it's abuse..

Why doesn't anyone have an answer?

DesolateDemise
11-23-2004, 07:23 PM
Oh, abuse, EK not sure. Sorry I can't help much.

dollar
11-23-2004, 07:57 PM
Just let APF/BFD take care of it =0). I get at least 30 different attempts to break into my server via common usernames and passwords using SSH every day. (Dev server, not even a live one.) APF/BFD just blocks all of these IPs and life goes on.

-Ley-
11-23-2004, 08:01 PM
Originally posted by justadollarhostin
Just let APF/BFD take care of it =0). I get at least 30 different attempts to break into my server via common usernames and passwords using SSH every day. (Dev server, not even a live one.) APF/BFD just blocks all of these IPs and life goes on.

Yeah, I understand, but doesn't this use much server resource? Or bandwidth?

I get about 300 attempts per day..

dollar
11-23-2004, 08:02 PM
Shouldn't take that much at all.

Have you noticed any lag/load problems lately?

-Ley-
11-23-2004, 08:03 PM
And this is not counting the SSH connections I get from common names...

If I count those too... phew.. good lord.. lol

-Ley-
11-23-2004, 08:04 PM
Originally posted by justadollarhostin
Shouldn't take that much at all.

Have you noticed any lag/load problems lately?

Yes, before all this my server load was about .30 .40 or something... it's a Celeron ;-)

Now it's about 1.60 up to 20.00 :angry: <-- sometimes... mostly it hovers around 1.50


The thing is, this server doesn't bother me that much as it's used for free hosting... however I am curious about this as I have 5 other servers on which I want to be able to stop this fast if this ever happens.

dollar
11-23-2004, 08:06 PM
Ouch, didn't realize it would be eating up that many resources (like I said, my machine is just a dev machine so I don't see any real load issues on it).

1.5 isn't a _horrible_ load, but when you were at .3 it sucks to be up to 1.5.

I'm not sure what to do other than to wait for it to die off; wish I could be of more help. Steve from Rack911, isn't it about time you chimed in?

-Ley-
11-23-2004, 08:14 PM
I've asked cPanel too.. they don't know.. I am clueless too.. hehe... glad it's just a managed.com box :D

Steven
11-24-2004, 12:33 AM
I would do a cat * of

cd /var/spool/cron

and check if there are any bad cronjobs listed there. It is possible there could be a malicious cronjob running a script that is spoofing IPs; unlikely, yes, but possible.

mp3LM
11-24-2004, 12:39 AM
Ask them to change your IP.

Ask them to give you two days' notice, change your second DNS entry, and then have them change the actual IP of your server two days later, and you will get no downtime.