# What do these logs mean?



## asdfqwerty (Feb 3, 2005)

Just Wondering.....

```
Mar 13 23:25:38 hostname sshd[17270]: reverse mapping checking getaddrinfo for customer-reverse-entry.69.59.172.196 failed - POSSIBLE BREAKIN ATTEMPT!
Mar 13 23:25:42 hostname sshd[17273]: reverse mapping checking getaddrinfo for customer-reverse-entry.69.59.172.196 failed - POSSIBLE BREAKIN ATTEMPT!
Mar 13 23:25:45 hostname sshd[17276]: reverse mapping checking getaddrinfo for customer-reverse-entry.69.59.172.196 failed - POSSIBLE BREAKIN ATTEMPT!
Mar 13 23:25:48 hostname sshd[17279]: reverse mapping checking getaddrinfo for customer-reverse-entry.69.59.172.196 failed - POSSIBLE BREAKIN ATTEMPT!
Mar 13 23:25:51 hostname sshd[17282]: reverse mapping checking getaddrinfo for customer-reverse-entry.69.59.172.196 failed - POSSIBLE BREAKIN ATTEMPT!
Mar 13 23:25:54 hostname sshd[17285]: reverse mapping checking getaddrinfo for customer-reverse-entry.69.59.172.196 failed - POSSIBLE BREAKIN ATTEMPT!
Mar 13 23:25:58 hostname sshd[17287]: reverse mapping checking getaddrinfo for customer-reverse-entry.69.59.172.196 failed - POSSIBLE BREAKIN ATTEMPT!
Mar 13 23:26:01 hostname sshd[17289]: reverse mapping checking getaddrinfo for customer-reverse-entry.69.59.172.196 failed - POSSIBLE BREAKIN ATTEMPT!
Mar 13 23:26:04 hostname sshd[17291]: reverse mapping checking getaddrinfo for customer-reverse-entry.69.59.172.196 failed - POSSIBLE BREAKIN ATTEMPT!
```


----------



## Squashman (Apr 4, 2003)

I have never seen that so I am not sure. I would start google searching for an answer. That is how I solve most of my problems.
http://www.webservertalk.com/archive94-2004-11-446383.html


----------



## CouchMaster (May 26, 2003)

Are those logs from your firewall? If so you could do a trace/whois.


----------



## jd_957 (Dec 30, 2004)

have no idea what the logs are. but it seems to be some type of marketing site. i copied the following from the site itself. http://69.59.172.196/

FusionQuest is a marketing powerhouse that will enable you to harness the incredible power of referral marketing through cutting edge affiliate software, while at the same time boosting your search engine ranking by enabling links from your affiliates to count toward YOUR link popularity.
Imagine having hundreds, or even thousands of marketing partners linking to and promoting your website, driving highly qualified traffic to your bottom line. And, best of all, you pay these partners nothing unless they produce results.

The UltraLinks Advantage!
UltraLinks from FusionQuest are affiliate links that are clean links. They have no redirection and no query string. They are direct links to your home page (using your domain rather than the affiliate software solution provider) and are therefore links that can guarantee proper search engine link popularity.


----------



## deuce868 (Nov 2, 2000)

Looks like too many invalid login attempts to ssh and ssh was trying to reverse lookup their IP and it wouldn't resolve to a valid DNS entry.


----------
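OpenSSH logs this message when the client address has a PTR name but that name then fails to resolve forward. The sketch below models that forward-confirmed reverse DNS check; it is an added example, not code from the thread or from OpenSSH, and the lookup tables, the `example.*` hosts and the function names are constructed so it runs offline.

```python
import ipaddress

# Constructed DNS data so the check runs offline. The first PTR name is the one
# in the thread's log; the other hosts use documentation address ranges.
PTR = {"69.59.172.196": "customer-reverse-entry.69.59.172.196",
       "192.0.2.10": "shell.example.net",
       "198.51.100.7": "mail.example.org"}
FORWARD = {"shell.example.net": ["192.0.2.10"],
           "mail.example.org": ["203.0.113.9"]}

def check_reverse_mapping(client, ptr=PTR.get, forward=lambda n: FORWARD.get(n, [])):
    """Return (outcome, name) for a client address.

    ptr(ip) -> hostname or None; forward(name) -> list of address strings.
    Both are injectable stand-ins for getnameinfo()/getaddrinfo().
    """
    ip = ipaddress.ip_address(client)
    if ip.version == 6 and ip.ipv4_mapped:   # ::ffff:a.b.c.d as seen in the logs
        ip = ip.ipv4_mapped
    name = ptr(str(ip))
    if name is None:
        return ("no_ptr", None)              # nothing to verify; sshd falls back to the IP
    addrs = {ipaddress.ip_address(a) for a in forward(name)}
    if not addrs:
        return ("forward_lookup_failed", name)   # the case logged in this thread
    if ip not in addrs:
        return ("does_not_map_back", name)       # PTR name belongs to another address
    return ("confirmed", name)

def results():
    clients = ["69.59.172.196", "::ffff:192.0.2.10", "198.51.100.7", "203.0.113.50"]
    return {c: check_reverse_mapping(c) for c in clients}

if __name__ == "__main__":
    for client, (outcome, name) in results().items():
        print(f"{client:22} {outcome:22} {name}")
```

The warning reflects inconsistent DNS for the connecting address, which is why it appears without any username or password detail on the same line.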



## asdfqwerty (Feb 3, 2005)

Well...I was just asking because it looked different from the regular ssh login attempts:

```
Mar 13 17:12:59 hostname sshd[16566]: Failed password for invalid user jordan from ::ffff:82.89.62.76 port 44666 ssh2
Mar 13 17:13:02 hostname sshd[16569]: Invalid user michael from ::ffff:82.89.62.76
Mar 13 17:13:04 hostname sshd[16569]: Failed password for invalid user michael from ::ffff:82.89.62.76 port 44757 ssh2
Mar 13 17:13:07 hostname sshd[16572]: Invalid user nicole from ::ffff:82.89.62.76
Mar 13 17:13:09 hostname sshd[16572]: Failed password for invalid user nicole from ::ffff:82.89.62.76 port 44841 ssh2
Mar 13 17:13:11 hostname sshd[16575]: Invalid user daniel from ::ffff:82.89.62.76
Mar 13 17:13:14 hostname sshd[16575]: Failed password for invalid user daniel from ::ffff:82.89.62.76 port 44924 ssh2
Mar 13 17:13:16 hostname sshd[16578]: Invalid user andrew from ::ffff:82.89.62.76
```

Just wondering what was different about that one that it alerted me of POSSIBLE BREAKIN ATTEMPT, since I haven't seen that before.

And just in case anyone cares:

whois 69.59.172.196 returns this:

```
OrgName: ServePath, LLC
OrgID: SERVEP
Address: 650 Townsend Street
Address: Suite 252
City: San Francisco
StateProv: CA
PostalCode: 94103
Country: US

ReferralServer: rwhois://rwhois.servepath.com:4321

NetRange: 69.59.128.0 - 69.59.191.255
CIDR: 69.59.128.0/18
NetName: SERVEPATH-BLK2
NetHandle: NET-69-59-128-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS.SERVEPATH.COM
NameServer: NS1.SERVEPATH.COM
Comment: http://www.servepath.com/
RegDate: 2003-06-24
Updated: 2003-10-06

NOCHandle: SN458-ARIN
NOCName: NOC, ServePath, ServePath
NOCPhone: +1-415-252-3600
NOCEmail: [email protected]

OrgTechHandle: SN458-ARIN
OrgTechName: NOC, ServePath, ServePath
OrgTechPhone: +1-415-252-3600
OrgTechEmail: [email protected]

# ARIN WHOIS database, last updated 2005-03-15 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
```


----------
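Both excerpts in this thread show the same pattern, a new sshd process every few seconds from one source, and differ only in the message each connection triggered. The triage script below groups the lines by source to make that visible; it is an added example, not part of the original posts, and the function name, the thresholds and the year (syslog timestamps carry none) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the two log excerpts posted in this thread.
SAMPLE = """\
Mar 13 17:12:59 hostname sshd[16566]: Failed password for invalid user jordan from ::ffff:82.89.62.76 port 44666 ssh2
Mar 13 17:13:02 hostname sshd[16569]: Invalid user michael from ::ffff:82.89.62.76
Mar 13 17:13:04 hostname sshd[16569]: Failed password for invalid user michael from ::ffff:82.89.62.76 port 44757 ssh2
Mar 13 17:13:07 hostname sshd[16572]: Invalid user nicole from ::ffff:82.89.62.76
Mar 13 23:25:38 hostname sshd[17270]: reverse mapping checking getaddrinfo for customer-reverse-entry.69.59.172.196 failed - POSSIBLE BREAKIN ATTEMPT!
Mar 13 23:25:42 hostname sshd[17273]: reverse mapping checking getaddrinfo for customer-reverse-entry.69.59.172.196 failed - POSSIBLE BREAKIN ATTEMPT!
Mar 13 23:25:45 hostname sshd[17276]: reverse mapping checking getaddrinfo for customer-reverse-entry.69.59.172.196 failed - POSSIBLE BREAKIN ATTEMPT!
"""
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: (.*)$")
EVENTS = [  # (event kind, pattern with a named "src" group)
    ("failed_password", re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")),
    ("invalid_user", re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+)")),
    ("reverse_mapping", re.compile(r"^reverse mapping checking getaddrinfo for (?P<src>\S+) failed")),
]

def summarize(text, year=2005, burst=3, window=60):
    """Group sshd events by source; one sshd PID is one inbound connection."""
    by_src = defaultdict(lambda: {"kinds": set(), "users": set(), "conns": {}})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
        for kind, pat in EVENTS:
            hit = pat.match(m[3])
            if hit:
                # These reverse-mapping lines carry only the PTR name, so that
                # name is the key there; IPv4-mapped prefixes are stripped.
                rec = by_src[hit["src"].replace("::ffff:", "", 1)]
                rec["kinds"].add(kind)
                rec["users"].update(hit.groupdict().get("user", "").split())
                rec["conns"].setdefault(m[2], ts)  # first time each PID is seen
                break
    report = {}
    for src, rec in by_src.items():
        times = sorted(rec["conns"].values())
        span = (times[-1] - times[0]).total_seconds()
        report[src] = {"connections": len(times), "span_s": span,
                       "users": sorted(rec["users"]), "kinds": sorted(rec["kinds"]),
                       "burst": len(times) >= burst and span <= window}
    return report
```

Calling `summarize(SAMPLE)` returns one entry per source with its connection count, time span, usernames tried and the kinds of message seen.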



## jd_957 (Dec 30, 2004)

is this a site/company you do business with?

what are you attempting to do when the above comes up?

is it causing any other problems with your computer?

what do you need help with?

as i think a few of us that already answered this thread are confused.


----------



## asdfqwerty (Feb 3, 2005)

jd_957 said:


> is this a site/company you do business with?


No. Never heard of them.



> what are you attempting to do when the above comes up?


Nothing, it's in the system logs



> is it causing any other problems with your computer?


No, just curious.



> what do you need help with?


Nothing really, just curious.


----------



## jd_957 (Dec 30, 2004)

then run HJT from here. post a log. something may be there that should not be. DO NOT DELETE ANYTHING. someone will take a look at it.

http://www.tomcoyote.org/hjt/


----------



## asdfqwerty (Feb 3, 2005)

HJT???? I'm running Linux......This is the Linux forum....


----------



## jd_957 (Dec 30, 2004)

sorry for trying to help.


----------



## asdfqwerty (Feb 3, 2005)

jd_957 said:


> sorry for trying to help.


HJT is a Windows program. I'm running Linux. This is the Linux forum. I was just confused. Sorry. I didn't mean to be rude, I was just confused.


----------

