
Re: [cobalt-users] IPs related to hackers



This guy keeps trying to get in:
Feb 10 09:08:18 www proftpd[29679]: www.allaboutchoice.com (pec-190-191.tnt16.me.uunet.de[149.225.190.191]) - USER anonymous (Login failed): Can't find user.
Feb 10 09:08:19 www proftpd[29679]: www.allaboutchoice.com (pec-190-191.tnt16.me.uunet.de[149.225.190.191]) - FTP session closed.
Feb 10 09:15:01 www proftpd[29944]: www.allaboutchoice.com (localhost[127.0.0.1]) - FTP session closed.

I had anonymous FTP on for about an hour the other night while trying out a
new way to back up my site, and after that hour this guy and someone on
sympatico.com.ca just kept trying over and over to get in anonymously.

Just after the last attempt by the above guy, I got a successful login using
one of my users' IDs (I've changed the username, obviously):

Feb 10 09:38:54 www proftpd[30992]: 66.51.111.132 (pec-9-170.tnt3.m2.uunet.de[149.225.9.170]) - USER username: Login successful.
Feb 10 09:42:42 www in.proftpd[31136]: connect from 149.225.9.170
Feb 10 09:42:48 www proftpd[31136]: 66.51.111.132 (pec-9-170.tnt3.m2.uunet.de[149.225.9.170]) - USER username: Login successful.

Now, this user has a friend who is named Hans who helps her on the site from
time to time. BUT I don't know if Hans is in Denmark - and if this is him,
then why is the IP so close to the guy who was trying to get in anonymously
on my main site?
I changed that user's password anyhow, I'll tell her about it later when I
see her on ICQ.

Btw, installed all of the updates and everything seems to be okay. ("Seems
to" being the operative words.) No appearance of the files that appear when
someone sets in a rootkit. Keeping my fingers crossed. I hate this crap. Why
can't these hackers do something *productive* - if they've got this talent
then they could be making tons of money somewhere, putting it to good use.
Idiots, all of them. Pure, unadulterated idiots.

*sighing*
Carrie
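
Added example (not part of the original message): the comparison the post makes by eye, written as a Python script that parses the proftpd lines quoted above and reports successful logins arriving from the same address block as failed attempts. The /16 block size and all function names are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Log lines from the post above, with the mail client's line wraps rejoined.
SAMPLE_LOG = """\
Feb 10 09:08:18 www proftpd[29679]: www.allaboutchoice.com (pec-190-191.tnt16.me.uunet.de[149.225.190.191]) - USER anonymous (Login failed): Can't find user.
Feb 10 09:08:19 www proftpd[29679]: www.allaboutchoice.com (pec-190-191.tnt16.me.uunet.de[149.225.190.191]) - FTP session closed.
Feb 10 09:15:01 www proftpd[29944]: www.allaboutchoice.com (localhost[127.0.0.1]) - FTP session closed.
Feb 10 09:38:54 www proftpd[30992]: 66.51.111.132 (pec-9-170.tnt3.m2.uunet.de[149.225.9.170]) - USER username: Login successful.
Feb 10 09:42:42 www in.proftpd[31136]: connect from 149.225.9.170
Feb 10 09:42:48 www proftpd[31136]: 66.51.111.132 (pec-9-170.tnt3.m2.uunet.de[149.225.9.170]) - USER username: Login successful.
"""

# "(rdns[ip]) - USER name (Login failed)..." or "... - USER name: Login successful."
LINE_RE = re.compile(
    r"\((?P<rdns>[^\[\s]+)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\) - "
    r"USER (?P<user>\S+?):? \(?Login (?P<result>failed|successful)"
)

def parse_logins(text):
    """Yield (ip, user, result) for every login attempt line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield ipaddress.ip_address(m["ip"]), m["user"], m["result"]

def block_of(ip, prefix=16):
    """Network block containing ip (the /16 default is an assumption)."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def correlate(text, prefix=16):
    """Map block -> successful (user, ip) logins from a block that also
    produced failed attempts from a different address."""
    failed, ok = defaultdict(set), defaultdict(set)
    for ip, user, result in parse_logins(text):
        (failed if result == "failed" else ok)[block_of(ip, prefix)].add((user, str(ip)))
    hits = {}
    for block, logins in ok.items():
        failed_ips = {ip for _, ip in failed.get(block, ())}
        suspicious = sorted(l for l in logins if failed_ips - {l[1]})
        if suspicious:
            hits[str(block)] = suspicious
    return hits

if __name__ == "__main__":
    for block, logins in correlate(SAMPLE_LOG).items():
        print(block, logins)
```

A shared /16 only shows that both addresses sit in the same address block; it does not identify who was behind either one, so a hit is a reason to check with the account owner and rotate the password.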