The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

security violation?

Discussion in 'Security' started by totalufo, Mar 4, 2002.

  1. totalufo

    totalufo Well-Known Member

    Joined:
    Jan 17, 2002
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    I know everybody gets these long emails everyday but I got one this morning that was very strange considering this is a brand new box. I had just installed cpanel on it last night and this morning, I got this. Please read it and tell me what you think.

    Security Violations
    =-=-=-=-=-=-=-=-=-=
    Mar 3 21:56:59 localhost named: named shutdown failed
    Mar 3 21:56:59 localhost named: named shutdown failed
    Mar 4 01:19:03 localhost chkservd: chkservd shutdown succeeded

    Unusual System Events
    =-=-=-=-=-=-=-=-=-=-=
    Mar 3 05:04:27 localhost proftpd[29862]: localhost.localdomain (koenig.socsci.buffalo.edu[128.205.98.23]) - FTP session opened.
    Mar 3 05:07:05 localhost proftpd[29894]: localhost.localdomain (koenig.socsci.buffalo.edu[128.205.98.23]) - FTP session opened.
    Mar 3 08:26:43 localhost proftpd[30837]: localhost.localdomain (tturc.hsc.usc.edu[128.125.169.150]) - FTP session opened.
    Mar 3 09:04:44 localhost proftpd[31000]: localhost.localdomain (209.117.204.35[209.117.204.35]) - FTP session opened.
    Mar 3 09:07:23 localhost proftpd[31019]: localhost.localdomain (209.117.204.35[209.117.204.35]) - FTP session opened.
    Mar 3 17:32:09 localhost proftpd[918]: localhost.localdomain (port-213-20-128-157.reverse.qdsl-home.de[213.20.128.157]) - FTP session opened.
    Mar 3 17:32:09 localhost proftpd[918]: localhost.localdomain (port-213-20-128-157.reverse.qdsl-home.de[213.20.128.157]) - ftp: Directory ~ftp/ is not accessible.
    Mar 3 21:14:51 localhost sshd(pam_unix)[1967]: session opened for user root by (uid=0)
    Mar 3 21:19:26 localhost sshd(pam_unix)[1967]: session closed for user root
    Mar 3 21:38:06 localhost proftpd[2288]: localhost.localdomain (localhost.localdomain[127.0.0.1]) - FTP session opened.
    Mar 3 21:46:26 localhost proftpd[2318]: localhost.localdomain (localhost.localdomain[127.0.0.1]) - FTP session opened.
    Mar 3 21:54:46 localhost proftpd[2413]: localhost.localdomain (localhost.localdomain[127.0.0.1]) - FTP session opened.
    Mar 3 21:56:59 localhost named[2489]: using 1 CPU
    Mar 3 21:56:59 localhost named[2492]: loading configuration from '/etc/named.conf'
    Mar 3 21:56:59 localhost named[2492]: the default for the 'auth-nxdomain' option is now 'no'
    Mar 3 21:56:59 localhost named[2492]: no IPv6 interfaces found

    The only thing I can think of is that my IP for this machine was being used by someone else. Anything I have to worry about?

    Thanks!
     
  2. feanor

    feanor Well-Known Member

    Joined:
    Aug 13, 2001
    Messages:
    836
    Likes Received:
    0
    Trophy Points:
    16
    When you see logins to proftpd via localhost or the machine IP or hostname, it is just the machine checking itself to make sure proftpd is running......

    I think this is in conjunction with chkservd or whatever else keeps those service status icons up-to-date in your WHManager....

    it's normal, if that is what you're referring to.
     
  3. totalufo

    totalufo Well-Known Member

    Joined:
    Jan 17, 2002
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    ok. Thanks. I was just curious because some of the IP's were from .edu's.
     
Loading...

Share This Page