FTP logfile shows strange activity at login

Applications Cybersecurity
1

Has anyone seen or know what is causing this FTP log file line-item?

3 times when I successfully logged into FTP today, the log file shows a server response of a wrong password (530) to an IP address that is not mine... Below are FTP Log-file entries. I have removed my username & IP address:

[2009/09/01 09:46:28] my_username 75.MY.IP.XXX: C="USER my_username" B=- S=331
[2009/09/01 09:46:28] my_username 74.9.212.42: C="PASS (hidden)" B=- S=530
[2009/09/01 09:46:30] my_username 75.MY.IP.XXX: C="PASS (hidden)" B=- S=230
[2009/09/01 09:46:30] my_username 75.MY.IP.XXX: C="FEAT" B=- S=211

-----------

[2009/09/01 10:13:39] my_username 75.MY.IP.XXX: C="USER my_username" B=- S=331
[2009/09/01 10:13:39] my_username 206.174.127.8: C="PASS (hidden)" B=- S=530
[2009/09/01 10:13:41] my_username 75.MY.IP.XXX: C="PASS (hidden)" B=- S=230
[2009/09/01 10:13:41] my_username 75.MY.IP.XXX: C="FEAT" B=- S=211

-----------

[2009/09/01 10:28:15] my_username 75.MY.IP.XXX: C="USER my_username" B=- S=331
[2009/09/01 10:28:15] my_username 69.229.165.99: C="PASS (hidden)" B=- S=530
[2009/09/01 10:28:17] my_username 75.MY.IP.XXX: C="PASS (hidden)" B=- S=230
[2009/09/01 10:28:17] my_username 75.MY.IP.XXX: C="FEAT" B=- S=211

-----------

Line 1: server acknowledges good username (331) from my IP address.
Line 2: always at the same time stamp, the server tells someone else's IP address (associated with various ISPs around the country) that the password was refused (530).
Line 3: a few seconds later, the password I sent is accepted (230) from my IP address.
Line 4: my FTP client successfully starts its session...

Any ideas what's causing this would be appreciated!
Thank you.

2

Try running a whois against each unexpected IP address but one thought is that there is a DNS problem causing "odd" IP addresses to turn up for the name of your host perhaps?

3

Thank you for the reply Tony.

DNS is an interesting thought. There's a chance that could explain the "odd" IP addresses. I don't know enough to say how though, or if it would also explain the refused password log item as well. It makes me think that something somewhere is miss-configured, poorly programmed or someone is being naughty.

For what it's worth, WhoIs says that the three "odd" IP addresses are assigned to three different ISPs around the USA: PaeTec Communications, General Communication and AT&T Internet Services.

The extra IP address and refused password code don't show up for every log-in attempt I make, only some.