log file analysis

1. log file analysis

Fábio Reis
fabior

(uses Other)

Posted on 26/04/2010 - 14:05h

Hello.

Analyzing the syslog file on my server I found the following lines:

Apr 22 08:04:48 localhost portsentry[2977]: attackalert: Connect from host: 71.62.66.251/71.62.66.251 to TCP port: 635
Apr 22 08:04:48 localhost portsentry[2977]: attackalert: Ignoring TCP response per configuration file setting.


Apr 23 23:42:36 localhost portsentry[2977]: attackalert: Connect from host: 76.188.152.5/76.188.152.5 to TCP port: 635
Apr 23 23:42:36 localhost portsentry[2977]: attackalert: Ignoring TCP response per configuration file setting.


Apr 23 16:03:29 localhost postfix/smtpd[31009]: connect from 123-204-127-189.adsl.dynamic.seed.net.tw[123.204.127.189]
Apr 23 16:03:29 localhost postfix/smtpd[31006]: connect from 123-204-127-189.adsl.dynamic.seed.net.tw[123.204.127.189]
Apr 23 16:03:29 localhost postfix/smtpd[31009]: lost connection after CONNECT from 123-204-127-189.adsl.dynamic.seed.net.tw[123.204.127.189]
Apr 23 16:03:29 localhost postfix/smtpd[31009]: disconnect from 123-204-127-189.adsl.dynamic.seed.net.tw[123.204.127.189]
Apr 23 16:03:29 localhost postfix/smtpd[31006]: lost connection after CONNECT from 123-204-127-189.adsl.dynamic.seed.net.tw[123.204.127.189]
Apr 23 16:03:29 localhost postfix/smtpd[31006]: disconnect from 123-204-127-189.adsl.dynamic.seed.net.tw[123.204.127.189]
Apr 23 16:06:49 localhost postfix/anvil[31010]: statistics: max connection rate 2/60s for (smtp:123.204.127.189) at Apr 23 16:03:29
Apr 23 16:06:49 localhost postfix/anvil[31010]: statistics: max connection count 2 for (smtp:123.204.127.189) at Apr 23 16:03:29
Apr 23 16:06:49 localhost postfix/anvil[31010]: statistics: max cache size 1 at Apr 23 16:03:29


Apr 25 21:44:02 localhost portsentry[2977]: attackalert: Connect from host: 205.209.161.180/205.209.161.180 to TCP port: 635
Apr 25 21:44:02 localhost portsentry[2977]: attackalert: Ignoring TCP response per configuration file setting.
Apr 25 21:44:03 localhost portsentry[2977]: attackalert: Connect from host: 205.209.161.180/205.209.161.180 to TCP port: 635
Apr 25 21:44:03 localhost portsentry[2977]: attackalert: Host: 205.209.161.180 is already blocked. Ignoring


Apr 25 17:17:01 localhost /USR/SBIN/CRON[6122]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Apr 25 17:19:36 localhost postfix/smtpd[6124]: connect from unknown[59.62.108.98]
Apr 25 17:19:36 localhost postfix/smtpd[6124]: lost connection after CONNECT from unknown[59.62.108.98]
Apr 25 17:19:36 localhost postfix/smtpd[6124]: disconnect from unknown[59.62.108.98]
Apr 25 17:22:56 localhost postfix/anvil[6126]: statistics: max connection rate 1/60s for (smtp:59.62.108.98) at Apr 25 17:19:36
Apr 25 17:22:56 localhost postfix/anvil[6126]: statistics: max connection count 1 for (smtp:59.62.108.98) at Apr 25 17:19:36
Apr 25 17:22:56 localhost postfix/anvil[6126]: statistics: max cache size 1 at Apr 25 17:19:36
Apr 25 17:24:43 localhost postfix/smtpd[6129]: connect from unknown[61.136.60.33]
Apr 25 17:24:43 localhost postfix/smtpd[6129]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:24:43 localhost postfix/smtpd[6129]: disconnect from unknown[61.136.60.33]
Apr 25 17:24:44 localhost postfix/smtpd[6129]: connect from unknown[61.136.60.33]
Apr 25 17:24:45 localhost postfix/smtpd[6129]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:24:45 localhost postfix/smtpd[6129]: disconnect from unknown[61.136.60.33]
Apr 25 17:24:46 localhost postfix/smtpd[6129]: connect from unknown[61.136.60.33]
Apr 25 17:24:47 localhost postfix/smtpd[6129]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:24:47 localhost postfix/smtpd[6129]: disconnect from unknown[61.136.60.33]
Apr 25 17:24:47 localhost postfix/smtpd[6129]: connect from unknown[61.136.60.33]
Apr 25 17:24:48 localhost postfix/smtpd[6129]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:24:48 localhost postfix/smtpd[6129]: disconnect from unknown[61.136.60.33]
Apr 25 17:24:48 localhost postfix/smtpd[6129]: connect from unknown[61.136.60.33]
Apr 25 17:24:49 localhost postfix/smtpd[6129]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:24:49 localhost postfix/smtpd[6129]: disconnect from unknown[61.136.60.33]
Apr 25 17:24:50 localhost postfix/smtpd[6129]: connect from unknown[61.136.60.33]
Apr 25 17:24:51 localhost postfix/smtpd[6129]: connect from unknown[61.136.60.33]
Apr 25 17:24:53 localhost postfix/smtpd[6132]: connect from unknown[61.136.60.33]
Apr 25 17:24:53 localhost postfix/smtpd[6132]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:24:53 localhost postfix/smtpd[6132]: disconnect from unknown[61.136.60.33]
Apr 25 17:24:54 localhost postfix/smtpd[6129]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:24:54 localhost postfix/smtpd[6129]: disconnect from unknown[61.136.60.33]
Apr 25 17:24:54 localhost postfix/smtpd[6132]: connect from unknown[61.136.60.33]
Apr 25 17:24:54 localhost postfix/smtpd[6132]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:24:54 localhost postfix/smtpd[6132]: disconnect from unknown[61.136.60.33]
Apr 25 17:24:55 localhost postfix/smtpd[6129]: connect from unknown[61.136.60.33]
Apr 25 17:24:56 localhost postfix/smtpd[6129]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:24:56 localhost postfix/smtpd[6129]: disconnect from unknown[61.136.60.33]
Apr 25 17:24:57 localhost postfix/smtpd[6132]: connect from unknown[61.136.60.33]
Apr 25 17:24:57 localhost postfix/smtpd[6132]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:24:57 localhost postfix/smtpd[6132]: disconnect from unknown[61.136.60.33]
Apr 25 17:24:58 localhost postfix/smtpd[6129]: connect from unknown[61.136.60.33]
Apr 25 17:24:59 localhost postfix/smtpd[6129]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:24:59 localhost postfix/smtpd[6129]: disconnect from unknown[61.136.60.33]
Apr 25 17:25:00 localhost postfix/smtpd[6132]: connect from unknown[61.136.60.33]
Apr 25 17:25:00 localhost postfix/smtpd[6132]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:25:00 localhost postfix/smtpd[6132]: disconnect from unknown[61.136.60.33]
Apr 25 17:25:01 localhost postfix/smtpd[6129]: connect from unknown[61.136.60.33]
Apr 25 17:25:01 localhost postfix/smtpd[6129]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:25:01 localhost postfix/smtpd[6129]: disconnect from unknown[61.136.60.33]
Apr 25 17:25:02 localhost postfix/smtpd[6132]: connect from unknown[61.136.60.33]
Apr 25 17:25:03 localhost postfix/smtpd[6132]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:25:03 localhost postfix/smtpd[6132]: disconnect from unknown[61.136.60.33]
Apr 25 17:25:04 localhost postfix/smtpd[6129]: connect from unknown[61.136.60.33]
Apr 25 17:25:04 localhost postfix/smtpd[6129]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:25:04 localhost postfix/smtpd[6129]: disconnect from unknown[61.136.60.33]
Apr 25 17:25:05 localhost postfix/smtpd[6132]: connect from unknown[61.136.60.33]
Apr 25 17:25:06 localhost postfix/smtpd[6132]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:25:06 localhost postfix/smtpd[6132]: disconnect from unknown[61.136.60.33]
Apr 25 17:25:07 localhost postfix/smtpd[6129]: connect from unknown[61.136.60.33]
Apr 25 17:25:07 localhost postfix/smtpd[6129]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:25:07 localhost postfix/smtpd[6129]: disconnect from unknown[61.136.60.33]
Apr 25 17:25:08 localhost postfix/smtpd[6132]: connect from unknown[61.136.60.33]
Apr 25 17:25:08 localhost postfix/smtpd[6132]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:25:08 localhost postfix/smtpd[6132]: disconnect from unknown[61.136.60.33]
Apr 25 17:25:09 localhost postfix/smtpd[6129]: connect from unknown[61.136.60.33]
Apr 25 17:25:10 localhost postfix/smtpd[6129]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:25:10 localhost postfix/smtpd[6129]: disconnect from unknown[61.136.60.33]
Apr 25 17:25:11 localhost postfix/smtpd[6132]: connect from unknown[61.136.60.33]
Apr 25 17:25:11 localhost postfix/smtpd[6132]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:25:11 localhost postfix/smtpd[6132]: disconnect from unknown[61.136.60.33]
Apr 25 17:25:12 localhost postfix/smtpd[6129]: connect from unknown[61.136.60.33]
Apr 25 17:25:13 localhost postfix/smtpd[6129]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:25:13 localhost postfix/smtpd[6129]: disconnect from unknown[61.136.60.33]
Apr 25 17:25:13 localhost postfix/smtpd[6132]: connect from unknown[61.136.60.33]
Apr 25 17:25:14 localhost postfix/smtpd[6132]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:25:14 localhost postfix/smtpd[6132]: disconnect from unknown[61.136.60.33]
Apr 25 17:25:15 localhost postfix/smtpd[6129]: connect from unknown[61.136.60.33]
Apr 25 17:25:15 localhost postfix/smtpd[6129]: lost connection after UNKNOWN from unknown[61.136.60.33]
....
....
Apr 25 17:25:51 localhost postfix/smtpd[6129]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:25:51 localhost postfix/smtpd[6129]: disconnect from unknown[61.136.60.33]
Apr 25 17:25:52 localhost postfix/smtpd[6132]: connect from unknown[61.136.60.33]
Apr 25 17:25:53 localhost postfix/smtpd[6132]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:25:53 localhost postfix/smtpd[6132]: disconnect from unknown[61.136.60.33]
Apr 25 17:25:54 localhost postfix/smtpd[6129]: connect from unknown[61.136.60.33]
Apr 25 17:25:54 localhost postfix/smtpd[6129]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:25:54 localhost postfix/smtpd[6129]: disconnect from unknown[61.136.60.33]
Apr 25 17:25:55 localhost postfix/smtpd[6132]: connect from unknown[61.136.60.33]
Apr 25 17:25:56 localhost postfix/smtpd[6132]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:25:56 localhost postfix/smtpd[6132]: disconnect from unknown[61.136.60.33]
Apr 25 17:25:56 localhost postfix/smtpd[6129]: connect from unknown[61.136.60.33]
Apr 25 17:25:57 localhost postfix/smtpd[6129]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:25:57 localhost postfix/smtpd[6129]: disconnect from unknown[61.136.60.33]
Apr 25 17:29:17 localhost postfix/anvil[6131]: statistics: max connection rate 44/60s for (smtp:61.136.60.33) at Apr 25 17:25:43
Apr 25 17:29:17 localhost postfix/anvil[6131]: statistics: max connection count 2 for (smtp:61.136.60.33) at Apr 25 17:24:53
Apr 25 17:29:17 localhost postfix/anvil[6131]: statistics: max cache size 1 at Apr 25 17:24:43


Apr 25 22:49:02 localhost postfix/smtpd[6419]: connect from 118-166-221-145.dynamic.hinet.net[118.166.221.145]
Apr 25 22:49:03 localhost postfix/smtpd[6419]: NOQUEUE: reject: RCPT from 118-166-221-145.dynamic.hinet.net[118.166.221.145]: 554 5.7.1 <vkihwpdh@yahoo.com.tw>: Relay access denied; from=<z2007tw@yahoo.com.tw> to=<vkihwpdh@yahoo.com.tw> proto=SMTP helo=<200.143.198.37>
Apr 25 22:49:04 localhost postfix/smtpd[6419]: lost connection after RCPT from 118-166-221-145.dynamic.hinet.net[118.166.221.145]
Apr 25 22:49:04 localhost postfix/smtpd[6419]: disconnect from 118-166-221-145.dynamic.hinet.net[118.166.221.145]
Apr 25 22:52:24 localhost postfix/anvil[6421]: statistics: max connection rate 1/60s for (smtp:118.166.221.145) at Apr 25 22:49:02
Apr 25 22:52:24 localhost postfix/anvil[6421]: statistics: max connection count 1 for (smtp:118.166.221.145) at Apr 25 22:49:02
Apr 25 22:52:24 localhost postfix/anvil[6421]: statistics: max cache size 1 at Apr 25 22:49:02



Apr 26 01:35:05 localhost portsentry[2977]: attackalert: Connect from host: 205.209.161.180/205.209.161.180 to TCP port: 635
Apr 26 01:35:05 localhost portsentry[2977]: attackalert: Host: 205.209.161.180 is already blocked. Ignoring
Apr 26 01:35:06 localhost portsentry[2977]: attackalert: Connect from host: 205.209.161.180/205.209.161.180 to TCP port: 635
Apr 26 01:35:06 localhost portsentry[2977]: attackalert: Host: 205.209.161.180 is already blocked. Ignoring

What is this? Should I be worried?
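Added example (not part of the original post or thread): a small Python triage script for exactly the kinds of lines quoted above, so the question "should I worry?" can be answered per source IP instead of by eyeballing the file. It recognises portsentry "attackalert" hits, Postfix smtpd connect / "lost connection after &lt;stage&gt;" / "Relay access denied" rejects and anvil "max connection rate" statistics, aggregates them by IP and attaches a short label. The sample log embedded in the script is a constructed subset of the lines from the post; the labels and the 30-connections-per-minute threshold are my own heuristics, not anything Postfix or portsentry defines.

```python
"""Triage portsentry and Postfix syslog lines by source IP (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the lines quoted in the post above.
SAMPLE_LOG = """\
Apr 22 08:04:48 localhost portsentry[2977]: attackalert: Connect from host: 71.62.66.251/71.62.66.251 to TCP port: 635
Apr 22 08:04:48 localhost portsentry[2977]: attackalert: Ignoring TCP response per configuration file setting.
Apr 23 16:03:29 localhost postfix/smtpd[31009]: connect from 123-204-127-189.adsl.dynamic.seed.net.tw[123.204.127.189]
Apr 23 16:03:29 localhost postfix/smtpd[31009]: lost connection after CONNECT from 123-204-127-189.adsl.dynamic.seed.net.tw[123.204.127.189]
Apr 23 16:03:29 localhost postfix/smtpd[31009]: disconnect from 123-204-127-189.adsl.dynamic.seed.net.tw[123.204.127.189]
Apr 25 17:24:43 localhost postfix/smtpd[6129]: connect from unknown[61.136.60.33]
Apr 25 17:24:43 localhost postfix/smtpd[6129]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:24:44 localhost postfix/smtpd[6129]: connect from unknown[61.136.60.33]
Apr 25 17:24:45 localhost postfix/smtpd[6129]: lost connection after UNKNOWN from unknown[61.136.60.33]
Apr 25 17:29:17 localhost postfix/anvil[6131]: statistics: max connection rate 44/60s for (smtp:61.136.60.33) at Apr 25 17:25:43
Apr 25 22:49:03 localhost postfix/smtpd[6419]: NOQUEUE: reject: RCPT from 118-166-221-145.dynamic.hinet.net[118.166.221.145]: 554 5.7.1 <vkihwpdh@yahoo.com.tw>: Relay access denied; from=<z2007tw@yahoo.com.tw> to=<vkihwpdh@yahoo.com.tw> proto=SMTP helo=<200.143.198.37>
"""

IP = r'(\d{1,3}(?:\.\d{1,3}){3})'
PATTERNS = {
    # portsentry: connection to one of its trap ports
    'portsentry': re.compile(r'portsentry\[\d+\]: attackalert: Connect from host: \S+/' + IP + r' to TCP port: (\d+)'),
    # Postfix smtpd: a new SMTP session ("disconnect from" does not match because of the ": ")
    'smtp_connect': re.compile(r'postfix/smtpd\[\d+\]: connect from (\S+)\[' + IP + r'\]'),
    # Postfix smtpd: client went away; the stage is the last SMTP verb seen
    'smtp_lost': re.compile(r'postfix/smtpd\[\d+\]: lost connection after (\w+) from \S+\[' + IP + r'\]'),
    # Postfix smtpd: recipient rejected (e.g. relay attempt)
    'smtp_reject': re.compile(r'postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[' + IP + r'\]: (\d{3}) \S+ <[^>]*>: ([^;]+);'),
    # Postfix anvil: peak connection rate it observed for that client
    'anvil_rate': re.compile(r'postfix/anvil\[\d+\]: statistics: max connection rate (\d+)/(\d+)s for \(smtp:' + IP + r'\)'),
}

# Heuristic threshold (assumption): connections per minute worth flagging.
RATE_FLAG_PER_MIN = 30


def summarize(log_text):
    """Aggregate recognised lines into {ip: summary}; unrecognised lines are skipped."""
    per_ip = defaultdict(lambda: {
        'portsentry_ports': set(), 'smtp_connects': 0,
        'lost_after': Counter(), 'rejects': [], 'anvil_max_rate': 0,
    })
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if kind == 'portsentry':
                per_ip[m.group(1)]['portsentry_ports'].add(int(m.group(2)))
            elif kind == 'smtp_connect':
                per_ip[m.group(2)]['smtp_connects'] += 1
            elif kind == 'smtp_lost':
                per_ip[m.group(2)]['lost_after'][m.group(1)] += 1
            elif kind == 'smtp_reject':
                per_ip[m.group(1)]['rejects'].append((int(m.group(2)), m.group(3)))
            elif kind == 'anvil_rate':
                n, secs, ip = int(m.group(1)), int(m.group(2)), m.group(3)
                # normalise to per-minute so different anvil windows compare
                per_ip[ip]['anvil_max_rate'] = max(per_ip[ip]['anvil_max_rate'], n * 60 // secs)
            break
    return dict(per_ip)


def classify(summary):
    """Turn one IP's summary into short triage labels (heuristics, not ground truth)."""
    notes = []
    if summary['portsentry_ports']:
        notes.append('probe of portsentry trap port(s) %s' % sorted(summary['portsentry_ports']))
    for code, reason in summary['rejects']:
        if reason.startswith('Relay access denied'):
            notes.append('open-relay attempt, rejected %d' % code)
    lost = summary['lost_after']
    if lost['UNKNOWN']:
        notes.append('%d session(s) with non-SMTP input (lost after UNKNOWN)' % lost['UNKNOWN'])
    if lost['CONNECT']:
        notes.append('%d connect-and-drop session(s) (banner grab/scan)' % lost['CONNECT'])
    if summary['anvil_max_rate'] >= RATE_FLAG_PER_MIN:
        notes.append('high connection rate: %d/min' % summary['anvil_max_rate'])
    return notes or ['nothing notable']


def triage(log_text):
    """{ip: [labels]} for every IP that produced a recognised line."""
    return {ip: classify(s) for ip, s in summarize(log_text).items()}


if __name__ == '__main__':
    for ip, notes in sorted(triage(SAMPLE_LOG).items()):
        print(ip, '-', '; '.join(notes))
```

Run it against the real file with `python3 triage.py < /var/log/syslog` after swapping `SAMPLE_LOG` for `sys.stdin.read()`. For the lines in the post it reports: a trap-port probe from 71.62.66.251 (portsentry logged it and, per its own message, took no further action because of its configuration), a connect-and-drop from 123.204.127.189, a burst of non-SMTP garbage sessions from 61.136.60.33 at 44 connections per minute, and a relay attempt from 118.166.221.145 that Postfix correctly refused with 554. None of these shows a successful login or a delivered message; the one knob worth checking for the 44/min case is Postfix's `smtpd_client_connection_rate_limit`, which is unlimited (0) by default.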