Security Incidents mailing list archives

Connection Attempts


From: "Jeremy Hoover" <hoover () gti-bti com>
Date: Mon, 14 Jan 2002 16:49:21 -0600

Today I was going through my server logs, and I came across this:

Jan 14 11:46:51 penguin ftp(pam_unix)[7256]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=63.240.xxx.xxx
Jan 14 11:46:53 penguin ftpd: 63.240.xxx.xxx: connected: IDLE
$
Jan 14 11:47:06 penguin ftp(pam_unix)[7256]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=63.240.xxx.xxx  user=xxxxxx
Jan 14 11:47:09 penguin ftpd: 63.240.xxx.xxx: connected: IDLE
$
Jan 14 11:47:22 penguin ftp(pam_unix)[7256]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=63.240.xxx.xxx  user=xxxxxx
Jan 14 11:47:24 penguin ftpd: 63.240.xxx.xxx: connected: IDLE
$
Jan 14 11:47:35 penguin ftp(pam_unix)[7256]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=63.240.xxx.xxx  user=xxxxxx
Jan 14 11:47:37 penguin ftpd: 63.240.xxx.xxx: connected: IDLE
$
Jan 14 11:47:47 penguin ftpd: 63.240.xxx.xxx: connected: IDLE
$
Jan 14 11:47:47 penguin ftp(pam_unix)[7256]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=63.240.xxx.xxx  user=root
Jan 14 11:47:49 penguin ftpd: 63.240.xxx.xxx: connected: IDLE
$
Jan 14 11:47:49 penguin ftpd: 63.240.xxx.xxx: connected: IDLE

Normally this wouldn't be a problem, as I get tons of them every day, except this
attempt is coming from one of our competing corporations.
On Dec. 26th, I found a SYN flood coming from the same IP.  What actions
should I take?  What kind of legal matters are involved in
this?  As I dig deeper, I keep finding connection attempts.  There is NO
reason for them to be trying to access our servers.

Thanks for any help.
Jeremy Hoover
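
Added example, not part of the original post: a log summarizer for records shaped like the excerpt above. It rejoins the pam_unix entries that wrap onto a second line and totals failed logins per remote host, with the user names tried and the first and last timestamps. The sample input, the address 192.0.2.10, the user names and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample shaped like the excerpt above (documentation IP, made-up users).
SAMPLE = """\
Jan 14 11:46:51 penguin ftp(pam_unix)[7256]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Jan 14 11:46:53 penguin ftpd: 192.0.2.10: connected: IDLE
$
Jan 14 11:47:06 penguin ftp(pam_unix)[7256]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10  user=alice
Jan 14 11:47:47 penguin ftp(pam_unix)[7256]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10  user=root
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
FAIL = re.compile(r"^(?P<ts>\S+ +\d+ [\d:]+) \S+ \w+\(pam_unix\)\[\d+\]: "
                  r"authentication failure;(?P<kv>.*)$")

def records(text):
    """Rejoin records wrapped onto a second line; skip blank and '$' lines."""
    current = None
    for line in map(str.strip, text.splitlines()):
        if STAMP.match(line):          # a timestamp starts a new record
            if current:
                yield current
            current = line
        elif current and line and line != "$":
            current += " " + line      # continuation of the previous record
    if current:
        yield current

def failures_by_host(text, year):
    """Map rhost -> count/users/first/last; year is passed in because syslog omits it."""
    out = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for rec in records(text):
        m = FAIL.match(rec)
        if not m:
            continue                   # e.g. the ftpd "connected: IDLE" lines
        kv = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p)
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        host = out[kv.get("rhost") or "unknown"]
        host["count"] += 1
        if kv.get("user"):             # the first failure above carries no user= field
            host["users"].add(kv["user"])
        host["first"] = min(host["first"] or when, when)
        host["last"] = max(host["last"] or when, when)
    return dict(out)
```

Calling `failures_by_host(open(path).read(), 2002)` on each rotated log, where `path` is wherever the system keeps its auth messages, gives a per-source timeline that can be kept alongside the untouched original files.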


