syslog

eliallen
eliallen used Ask the Experts™
on
What does this mean (copied fron the syslog on unix server)
Oct 20 23:29:05 syracuse fct_nbsd[19761]: Connection from (67.124.137.93)
Oct 21 00:54:57 syracuse fct_nbsd[20167]: Connection from (67.124.137.93)
Oct 21 00:54:57 syracuse fct_smbd[20168]: MY-I8XBLGBF5K3B: fct_smbd -n MY-I8XBLGBF5K3B
Oct 21 00:54:58 syracuse fct_smbd[20168]: MY-I8XBLGBF5K3B: Connection reset by client
Oct 21 04:44:24 syracuse fct_vtpd[27944]: receiver exiting because of Sender exit
Oct 21 04:44:24 syracuse fct_vtpd[27940]: facetwin vtp: Program exit.

Was my server accessed by 67.124.137.93?
 What is a good nslookup program?
Thanks
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Commented:
This is all I could find.  Maybe it will help.
You can get info on that ip from:  http://www.samspade.org/

http://news.spamcop.net/pipermail/spamcop-geeks/2002-December/003520.html

Commented:
Take a look at http://www.zoneedit.com/
It look like is being probed FacetWin/Samba connections.

Have a look at:
http://news.spamcop.net/pipermail/spamcop-geeks/2002-December/003520.html
http://news.spamcop.net/pipermail/spamcop-geeks/2002-December/003521.html
http://www.facetcorp.com/images/pdf/fwsecure.pdf

You need to check your logs, "cksum" to verify binary program such as netstat, ifconfig, ps, su, ls, find ....

If the system has been hacked, I suggested that rebuild from a reliable backup, or fresh
installed , and ask all your users change their passwd, disable unwanted service, etc, etc.


Become a CompTIA Certified Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

Commented:
I would log and track all unwanted connetions, assuming your system has a public IP.  Work with your router guys, and maybe even your abuse departement.  They can block ip ranges at the router.. the abuse departement can work with the service provider... in the case it's Pacific Bell... and they will warn their user and possibly even cancel their account.   Assuming your ip is public, that's really the best you can do.  If your abuse department is on their toes, there are huge ip ranges that are typically blocked specifically those coming from asia and korea.
From the timestamps it looks like a probe, but not a "successful" one. FacetWin done right should be safe, so you should be safe, but perhaps a look to limit SMB access to the server (to only allow ... allowed clients through router/firewall) would be a prudent reaction.

-- Glenn

Commented:
It looks like some tried to hack your system.

These logs messages as suggested in above comments are from Facetbin.
ip address traceroute suggest that this was done by some user who got ip connection from pacbell DSL. u would not be able to know about user unless u contact pacbell DSL guys.
as logs also suggested user got connected with the username MY-I8XBLGBF5K3B.
it was a ftp connection.

tryt to put firewall or start using SSH for all login activities.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial