This is strange. Someone is repeatedly attempting to log in every 15 minutes, and has been for at least one month. I don't have anonymous ftp allowed though, so I don't think I have anything to worry about?

I looked up 127.0.0.1 and it seems to belong to iana.org

Jul 31 09:00:01 www proftpd[28716]: www.mysite.com (localhost[127.0.0.1]) - FTP session closed.
Jul 31 09:15:01 www proftpd[29405]: www.mysite.com (localhost[127.0.0.1]) - no such user 'anonymous'
Jul 31 09:15:01 www proftpd[29405]: www.mysite.com (localhost[127.0.0.1]) - no such user 'anonymous'
Jul 31 09:15:01 www proftpd[29405]: www.mysite.com (localhost[127.0.0.1]) - FTP session closed.
Jul 31 09:30:01 www proftpd[30137]: www.mysite.com (localhost[127.0.0.1]) - no such user 'anonymous'
Jul 31 09:30:01 www proftpd[30137]: www.mysite.com (localhost[127.0.0.1]) - no such user 'anonymous'
Jul 31 09:30:01 www proftpd[30137]: www.mysite.com (localhost[127.0.0.1]) - FTP session closed.
Jul 31 09:45:02 www proftpd[30877]: www.mysite.com (localhost[127.0.0.1]) - no such user 'anonymous'
Jul 31 09:45:02 www proftpd[30877]: www.mysite.com (localhost[127.0.0.1]) - no such user 'anonymous'
Jul 31 09:45:02 www proftpd[30877]: www.mysite.com (localhost[127.0.0.1]) - FTP session closed.
Jul 31 10:00:01 www proftpd[31563]: www.mysite.com (localhost[127.0.0.1]) - no such user 'anonymous'
Jul 31 10:00:01 www proftpd[31563]: www.mysite.com (localhost[127.0.0.1]) - no such user 'anonymous'
Jul 31 10:00:01 www proftpd[31563]: www.mysite.com (localhost[127.0.0.1]) - FTP session closed.
Jul 31 10:15:01 www proftpd[32239]: www.mysite.com (localhost[127.0.0.1]) - no such user 'anonymous'
Jul 31 10:15:01 www proftpd[32239]: www.mysite.com (localhost[127.0.0.1]) - no such user 'anonymous'
Jul 31 10:15:01 www proftpd[32239]: www.mysite.com (localhost[127.0.0.1]) - FTP session closed.

127.0.0.1 is your local machine :D. That looks like some sort of monitoring program that runs every 15 minutes.

Frank

How wierd. So it's my local machine here, or local as in my server? Could it possible be something a hacker may have installed on the server? the reason I ask is because I found a lot of wierd entries the other day, along the lines of :

openssl-too-open 0x09 www.ares.net -c 50 (+ a great many similar commands)

and

/root/.bash_history

and

./openssl-too-open 0x15 otec.ru -c 100

active_monitor
runs on a cron job every 15 minutes, checks to make sure things are working, if their not working it will restart them.

--
gerald

Originally posted by gwaugh
active_monitor
runs on a cron job every 15 minutes, checks to make sure things are working, if their not working it will restart them.

--
gerald

Aaah, thanks for clearing that one up. :)