  1. #1
    Join Date
    Oct 2003
    Location
    Georgetown, Ontario
    Posts
    1,761

    Failed Logins from ^G^G^G^G^G?

    Any ideas on what these kinds of messages could mean?

    May 27 12:30:03 hostname login[28076]: FAILED LOGIN SESSION FROM (null) FOR ^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G ^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G ^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G ^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G ^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G ^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G ^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G
    Repeat after me... ProSupport is the best... Prosupport is...
    ProSupport Host Support System - OUT NOW! Grab a copy yourself and see what the hype is about!
    VertiHost Inc. - We run a quality business. Do you?

  2. #2
    Join Date
    Jan 2002
    Location
    Atlanta, GA
    Posts
    1,249
    Does this box have a modem connected to it?
    char x [5] = { 0xf0, 0x0f, 0xc7, 0xc8 }main (){void (*f)() = x;f();}
    I wear a gray hat

  3. #3
    Join Date
    Nov 2001
    Posts
    551
    Looks like a buffer overflow exploit attempt, where the attacker tries to write a bunch of garbage until they are able to issue commands to the server. I would guess it failed, but you still might want to check out your server with chkrootkit and/or rootkit hunter.

  4. #4
    Join Date
    Oct 2003
    Location
    Georgetown, Ontario
    Posts
    1,761
    The system is not infected. RKHunter and ChkRootkit don't show any infected binaries.

    And no, the box only has 2 Ethernet cards connected, no modems.

  5. #5
    Join Date
    Oct 2003
    Location
    Georgetown, Ontario
    Posts
    1,761
    Is there any way to trace which IP this attempt came from?

    There are tons of these in the logs.

  6. #6
    Join Date
    Jan 2003
    Posts
    1,715
    There should be a telnetd entry in the logs shortly before each one. That one will have the IP address. Unless you have a specific reason for leaving telnet access enabled, this would be just another good reason to disable it.
    Game Servers are the next hot market!
    Slim margins, heavy support, fickle customers, and moronic suppliers!
    Start your own today!
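
The correlation suggested in post #6, as an added example that is not code from anyone in the thread: it flags failed logins whose user field is only caret-notation control characters and looks for a telnetd connection entry shortly before each one. The sample lines are constructed, and the `connect from` entry format, the year and the 30-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines; the "connect from" format is an assumed
# tcp-wrappers style telnetd entry, and 192.0.2.44 is a documentation address.
SAMPLE_LOG = """\
May 27 12:29:58 hostname in.telnetd[28070]: connect from 192.0.2.44
May 27 12:30:03 hostname login[28076]: FAILED LOGIN SESSION FROM (null) FOR ^G^G^G^G^G^G^G^G
May 27 12:41:10 hostname login[28110]: FAILED LOGIN 1 FROM (null) FOR bob, Authentication failure
May 27 13:05:27 hostname login[28200]: FAILED LOGIN SESSION FROM (null) FOR ^G^G^G^G
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ([\w.\-]+)\[\d+\]: (.*)$")
FAILED = re.compile(r"FAILED LOGIN .*?FROM (\S+) FOR (.*)$")
CONNECT = re.compile(r"connect from (\S+)")
CARET = re.compile(r"\^[@-_?]")  # how syslog writes control bytes, e.g. ^G for BEL

def parse(text, year=2004):
    """Yield (timestamp, program, message); syslog omits the year, so one is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def correlate(text, window=timedelta(seconds=30)):
    """Return (time, control_char_count, source) per control-character failed login;
    source is None when no telnetd entry precedes it within `window`."""
    last_connect, findings = None, []
    for ts, prog, msg in parse(text):
        c = CONNECT.search(msg)
        if c and "telnetd" in prog:
            last_connect = (ts, c.group(1))
            continue
        f = FAILED.search(msg)
        if not (prog == "login" and f):
            continue
        user = f.group(2)
        if not CARET.search(user) or CARET.sub("", user).strip():
            continue  # ordinary user name, not control-character noise
        source = None
        if last_connect and timedelta(0) <= ts - last_connect[0] <= window:
            source = last_connect[1]
        findings.append((ts.strftime("%b %d %H:%M:%S"), len(CARET.findall(user)), source))
    return findings

if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row)
```

A `None` source means no network connection entry was logged just before the failure, so the input has to be traced through whatever terminal line `login` was running on rather than through a remote address.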

  7. #7
    Join Date
    Oct 2003
    Location
    Georgetown, Ontario
    Posts
    1,761
    Telnet is disabled. It's one of the first things we do when setting up a server.

    There are no telnetd entries in the logs before that either.


    It appears to have stopped now that we have loaded a fresh kernel.
