
[cobalt-security] Logcheck, IP address



How do I chase down an IP address that was reported by Logcheck to FTP in?
I have their IP and I want to see where it originated from so I know if it
is one of my users or a hacker.

The report I got from Logcheck is

Jun 19 18:58:47 *** proftpd[5827]: ***.***.***.***
(CTPP-p-144-134-44-127.prem.tmns.net.au[144.134.44.127]) - FTP session
opened.
Jun 19 19:10:36 *** proftpd[5827]: ***.***.***.***
(CTPP-p-144-134-44-127.prem.tmns.net.au[144.134.44.127]) - FTP no transfer
timeout, disconnected.
Jun 19 19:14:38 *** proftpd[6582]: ***.***.***.***
(CTPP-p-144-134-44-127.prem.tmns.net.au[144.134.44.127]) - FTP session
opened.
Jun 19 19:20:07 *** proftpd[6582]: ***.***.***.***
(CTPP-p-144-134-44-127.prem.tmns.net.au[144.134.44.127]) - FTP no transfer
timeout, disconnected.
Jun 19 19:30:17 *** proftpd[7217]: ***.***.***.***
(CTPP-p-144-134-44-127.prem.tmns.net.au[144.134.44.127]) - FTP session
opened.
Jun 19 19:36:08 *** proftpd[7451]: ***.***.***.***
(211.221.131.178[211.221.131.178]) - FTP session opened.
Jun 19 19:36:08 *** proftpd[7451]: ***.***.***.***
(211.221.131.178[211.221.131.178]) - no such user 'anonymous'
Jun 19 19:36:08 *** last message repeated 4 times
Jun 19 19:36:09 *** proftpd[7451]: ***.***.***.***
(211.221.131.178[211.221.131.178]) - FTP session closed.
Jun 19 19:39:34 *** proftpd[7217]: ***.***.***.***
(CTPP-p-144-134-44-127.prem.tmns.net.au[144.134.44.127]) - FTP no transfer
timeout, disconnected.

I see two IP addresses but I want to chase down the 144.134.44.127 IP.


regards,

Todd Kirk
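
One way to triage a report like the one above before looking up who owns each address, given here as an added example that is not part of the original message: it rejoins the e-mail-wrapped syslog lines, groups the proftpd events by remote IP, and folds "last message repeated N times" into the preceding event. The sample is constructed from lines in the report, and the function names are hypothetical.

```python
import re
from collections import defaultdict
# Constructed sample: lines taken from the report above, wrapped as the e-mail wrapped them.
SAMPLE = """\
Jun 19 19:30:17 *** proftpd[7217]: ***.***.***.***
(CTPP-p-144-134-44-127.prem.tmns.net.au[144.134.44.127]) - FTP session
opened.
Jun 19 19:36:08 *** proftpd[7451]: ***.***.***.***
(211.221.131.178[211.221.131.178]) - FTP session opened.
Jun 19 19:36:08 *** proftpd[7451]: ***.***.***.***
(211.221.131.178[211.221.131.178]) - no such user 'anonymous'
Jun 19 19:36:08 *** last message repeated 4 times
Jun 19 19:39:34 *** proftpd[7217]: ***.***.***.***
(CTPP-p-144-134-44-127.prem.tmns.net.au[144.134.44.127]) - FTP no transfer
timeout, disconnected.
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
ENTRY = re.compile(r"proftpd\[(\d+)\]: \S+ \((\S+)\[([\d.]+)\]\) - (.*)$")
REPEAT = re.compile(r"last message repeated (\d+) times")

def unwrap(text):  # a record starts with a syslog timestamp; other lines continue it
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Per remote IP: reverse-DNS name as logged, daemon PIDs, and event counts."""
    hosts = defaultdict(lambda: {"name": None, "pids": set(), "events": defaultdict(int)})
    last = None  # (ip, message) of the previous proftpd record, for "repeated N times"
    for rec in unwrap(text):
        m = ENTRY.search(rec)
        if m:
            pid, name, ip, msg = m.groups()
            hosts[ip]["name"] = name if name != ip else None  # no name was logged
            hosts[ip]["pids"].add(int(pid))
            hosts[ip]["events"][msg] += 1
            last = (ip, msg)
        elif (r := REPEAT.search(rec)) and last:
            hosts[last[0]]["events"][last[1]] += int(r.group(1))
    return hosts

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, info["name"], sorted(info["pids"]), dict(info["events"]))
```

The per-IP summary separates the two patterns in the report: 144.134.44.127 opens a session that later hits the no-transfer timeout, while 211.221.131.178 makes five failed 'anonymous' logins within a second.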