Is this a concerted attempt to hack into box?

[melsworld]

Hi everyone,

Below is an excerpt from my daily server log do you reckon this is a definite attempt to hack into the box if so what other steps should I be taking to beef up security and can anything be done about this domain where attempts have come from

I have a number of domains on the box of which use email and all of which are under my control

Mel

--------------------- pam_unix Begin ------------------------

sshd:
Authentication Failures:
unknown (202.152.180.54): 175 Time(s)
root (202.152.180.54): 25 Time(s)
apache (202.152.180.54): 2 Time(s)
ftp (202.152.180.54): 2 Time(s)
mysql (202.152.180.54): 2 Time(s)
named (202.152.180.54): 2 Time(s)
root (adsl-76-217-74-102.dsl.chcgil.sbcglobal.net): 2 Time(s)
adm (202.152.180.54): 1 Time(s)
bin (202.152.180.54): 1 Time(s)
daemon (202.152.180.54): 1 Time(s)
games (202.152.180.54): 1 Time(s)
gopher (202.152.180.54): 1 Time(s)
halt (202.152.180.54): 1 Time(s)
lp (202.152.180.54): 1 Time(s)
mail (202.152.180.54): 1 Time(s)
mailman (202.152.180.54): 1 Time(s)
mailnull (202.152.180.54): 1 Time(s)
news (202.152.180.54): 1 Time(s)
nfsnobody (202.152.180.54): 1 Time(s)
nobody (202.152.180.54): 1 Time(s)
operator (202.152.180.54): 1 Time(s)
rpc (202.152.180.54): 1 Time(s)
rpcuser (202.152.180.54): 1 Time(s)
rpm (202.152.180.54): 1 Time(s)
shutdown (202.152.180.54): 1 Time(s)
smmsp (202.152.180.54): 1 Time(s)
sshd (202.152.180.54): 1 Time(s)
sync (202.152.180.54): 1 Time(s)
uucp (202.152.180.54): 1 Time(s)
Invalid Users:
Unknown Account: 175 Time(s)


---------------------- pam_unix End -------------------------

Failed logins from:
76.217.74.102 (adsl-76-217-74-102.dsl.chcgil.sbcglobal.net): 2 times
202.152.180.54: 55 times

Illegal users from:
202.152.180.54: 175 times


Received disconnect:
11: Bye Bye : 229 Time(s)

**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user recruit : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user administrator : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user susan : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user info : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user mike : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user alan : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user library : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user adam : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user postmaster : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user agent : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user john : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user list : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user xgridcontroller : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tony : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user stephen : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user appserver : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user alex : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user test : 9 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user george : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user virus : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user admins : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user webmaster : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user admin : 13 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user clamav : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user visitor : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user search : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user webadmin : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user frank : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user party : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user danny : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user michael : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jeff : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user irc : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user amavisd : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sunny : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user shop : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user brett : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user snort : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user backup : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user samba : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user users : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user cyrusimap : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user securityagent : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user username : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user alias : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jabber : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user richard : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user windowserver : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user eppc : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user radiomail : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user amanda : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user cyrus : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user newsletter : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user steven : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user webpop : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user master : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sgi : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user office : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user pgsql : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user aptproxy : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user telnetd : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sales : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user zzz : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user angel : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sys : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user spam : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user linux : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user wwwrun : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user xgridagent : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user oracle : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user desktop : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user data : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ident : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user paul : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user web : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user httpd : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user postfix : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user staff : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user www-data : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user gnats : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user proxy : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ftpuser : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user divine : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user core : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sara : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user appowner : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user robert : 1 time(s)

Plus a whole host of other names

---------------------- SSHD End -------------------------

[nyjimbo]

Attacking a box via SSH is common, as a matter of fact most of it is done by bots on infected pc's where the owners dont even know its happening.

You have password authentication instead of something more secure like using keys. Do a search on securing your server or sshd on this forum and you will find many threads on how to do this.

[melsworld]

As a follow up I have just run chkroot and it came up with this

Checking `bindshell'... INFECTED (PORTS: 465)

What action do I need to take

Thanks Mel

[mtindor]

As a follow up I have just run chkroot and it came up with this

Checking `bindshell'... INFECTED (PORTS: 465)

What action do I need to take

Thanks Mel

If you have questions like this, I think the action you need to take is to find an actual admin to handle the box. Don't take that the wrong way. It's just that every time you see something pop up a message you can't just go asking somebody else to provide the answer without trying to find out the answer yourself (Google is your friend). You won't learn the ins and outs that way.

With that said, the chkroot report is _likely_ a false positive (i.e. not actually a problem).

It's detecting that something is bound to port 465 - likely exim. On Cpanel boxes, usually SMTP over SSL (smtps) is bound to TCP 465.

Type this at a root prompt: lsof -n|grep smtps

If it returns something like this, then you are alright - it's just Exim.

exim 16251 mailnull 3u IPv4 46465113 TCP *:smtps (LISTEN)

Mike

[melsworld]

Thanks for your advice Mike and yes it was exim as you suggested

Mel

[weetabix]

if you lack bruteforce detection and blocking of them, you probably lack other protection as well.

i would advise you to install CSF/LFD to handle bruteforce attacks, or even better hire an admin to harden your box properly.

[dragon2611]

if you lack bruteforce detection and blocking of them, you probably lack other protection as well.

i would advise you to install CSF/LFD to handle bruteforce attacks, or even better hire an admin to harden your box properly.

Ditto, I also reccomend SSH on a non standard port.

Most of the Bots are too stupid to check the other ports but for those that do LFD should block them.

[melsworld]

Thanks to everyone for their advice I will get SSH port sorted and CSF/LFD installed

Have a good weekend