  1. #1
    Member, Chicago, joined Feb 2004, 196 posts

    Server being hacked?

    Hi. In my LogWatch it shows this...

    --------------------- SSHD Begin ------------------------

    Failed logins from these:
    adm/password from ::ffff:211.248.38.252: 6 Time(s)
    admin/password from ::ffff:218.3.161.2: 11 Time(s)
    apache/password from ::ffff:211.248.38.252: 3 Time(s)
    cosmin/password from ::ffff:211.248.38.252: 3 Time(s)
    cyrus/password from ::ffff:211.248.38.252: 7 Time(s)
    guest/password from ::ffff:218.3.161.2: 8 Time(s)
    horde/password from ::ffff:211.248.38.252: 7 Time(s)
    iceuser/password from ::ffff:211.248.38.252: 8 Time(s)
    irc/password from ::ffff:211.248.38.252: 6 Time(s)
    jane/password from ::ffff:211.248.38.252: 3 Time(s)
    matt/password from ::ffff:211.248.38.252: 5 Time(s)
    mysql/password from ::ffff:211.248.38.252: 4 Time(s)
    nobody/password from ::ffff:211.248.38.252: 9 Time(s)
    operator/password from ::ffff:211.248.38.252: 3 Time(s)
    pamela/password from ::ffff:211.248.38.252: 3 Time(s)
    patrick/password from ::ffff:211.248.38.252: 16 Time(s)
    rolo/password from ::ffff:211.248.38.252: 8 Time(s)
    root/password from ::ffff:211.248.38.252: 120 Time(s)
    root/password from ::ffff:218.3.161.2: 11 Time(s)
    test/password from ::ffff:211.248.38.252: 16 Time(s)
    test/password from ::ffff:218.3.161.2: 11 Time(s)
    user/password from ::ffff:218.3.161.2: 4 Time(s)
    www-data/password from ::ffff:211.248.38.252: 4 Time(s)
    www/password from ::ffff:211.248.38.252: 7 Time(s)
    wwwrun/password from ::ffff:211.248.38.252: 6 Time(s)

    Illegal users from these:
    admin/none from ::ffff:218.3.161.2: 11 Time(s)
    admin/password from ::ffff:218.3.161.2: 11 Time(s)
    apache/none from ::ffff:211.248.38.252: 3 Time(s)
    apache/password from ::ffff:211.248.38.252: 3 Time(s)
    cosmin/none from ::ffff:211.248.38.252: 3 Time(s)
    cosmin/password from ::ffff:211.248.38.252: 3 Time(s)
    cyrus/none from ::ffff:211.248.38.252: 7 Time(s)
    cyrus/password from ::ffff:211.248.38.252: 7 Time(s)
    guest/none from ::ffff:218.3.161.2: 8 Time(s)
    guest/password from ::ffff:218.3.161.2: 8 Time(s)
    horde/none from ::ffff:211.248.38.252: 7 Time(s)
    horde/password from ::ffff:211.248.38.252: 7 Time(s)
    iceuser/none from ::ffff:211.248.38.252: 8 Time(s)
    iceuser/password from ::ffff:211.248.38.252: 8 Time(s)
    irc/none from ::ffff:211.248.38.252: 6 Time(s)
    irc/password from ::ffff:211.248.38.252: 6 Time(s)
    jane/none from ::ffff:211.248.38.252: 3 Time(s)
    jane/password from ::ffff:211.248.38.252: 3 Time(s)
    matt/none from ::ffff:211.248.38.252: 5 Time(s)
    matt/password from ::ffff:211.248.38.252: 5 Time(s)
    pamela/none from ::ffff:211.248.38.252: 3 Time(s)
    pamela/password from ::ffff:211.248.38.252: 3 Time(s)
    rolo/none from ::ffff:211.248.38.252: 8 Time(s)
    rolo/password from ::ffff:211.248.38.252: 8 Time(s)
    test/none from ::ffff:211.248.38.252: 16 Time(s)
    test/none from ::ffff:218.3.161.2: 11 Time(s)
    test/password from ::ffff:211.248.38.252: 16 Time(s)
    test/password from ::ffff:218.3.161.2: 11 Time(s)
    user/none from ::ffff:218.3.161.2: 4 Time(s)
    user/password from ::ffff:218.3.161.2: 4 Time(s)
    www-data/none from ::ffff:211.248.38.252: 4 Time(s)
    www-data/password from ::ffff:211.248.38.252: 4 Time(s)
    www/none from ::ffff:211.248.38.252: 7 Time(s)
    www/password from ::ffff:211.248.38.252: 7 Time(s)
    wwwrun/none from ::ffff:211.248.38.252: 6 Time(s)
    wwwrun/password from ::ffff:211.248.38.252: 6 Time(s)


    ---------------------- SSHD End -------------------------
    How can I block those ips from the box completely? Thanks.

  2. #2
    Member, joined Jul 2004, 108 posts

    Brute Force Detection (BFD) from R-fx Networks

  3. #3
    Member, Chicago, joined Feb 2004, 196 posts

    Sounds good, and it's free, but do I need an already-in-place firewall for it to work with? Or does it handle everything? Thanks.

  4. #4
    Member, joined Oct 2003, 1,020 posts

    You need to run APF (available from the same site) in order to run BFD.

  5. #5
    Member, England, UK, joined Nov 2003, 133 posts

    I would run
    PHP Code:
    iptables -A INPUT -s 211.248.38.252 -j DROP 
    just to block the IP from any more attempts, then go about securing your server.

  6. #6
    GOT (Get Proactive!), joined Apr 2003, 898 posts

    BFD has issues with the script that adds the ffff in front of the IP. Has this been fixed?
    Proactive Server Monitoring and Management
    http://got-management.com

  7. #7
    Member, joined Feb 2004, 14 posts

    Easier: add it to /etc/hosts.deny

    ALL: 211.248.38.252

    Simple yet effective.

  8. #8
    Member, Chicago, joined Feb 2004, 196 posts

    Quote Originally Posted by GotHosting
    BFD has issues with the script that adds the ffff in front of the IP. Has this been fixed?
    Yes, has that been fixed?

  9. #9
    dgbaker, Moderator, cPanel Partner NOC, Toronto, Ontario, Canada, joined Sep 2002, 2,773 posts

    Quote Originally Posted by GufyMike
    Easier: add it to /etc/hosts.deny

    ALL: 211.248.38.252

    Simple yet effective.
    Easier? Maybe. Best solution? No.

    Why do things manually when they can be automated and taken care of immediately? BFD takes care of the issue as it is happening, not when some sysadmin finds and gets around to it.
    Regards,
    David
    Forum Moderator
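Pulling together the manual fixes in #5 and #7 and the automation argument in #9: the script below is an added example (not from the thread, from LogWatch, or from BFD/APF) that parses the LogWatch SSHD summary in the format shown in #1, collapses the ::ffff: prefix that #6 says trips up BFD, totals failures per source, and prints both an iptables rule and a hosts.deny entry for each source over a threshold. The sample report is constructed (four lines copied from #1, one using the address from #10 with a made-up count, plus an "Illegal users" section so the parser can be seen skipping it) and the threshold of 10 is an arbitrary choice. The ::ffff: form means sshd accepted an IPv4 connection on an IPv6 socket (the ipv6 module is loaded in the lsmod output in #12), so the packets are plain IPv4 and the rule belongs in iptables, not ip6tables, with the bare dotted address. LogWatch's "Illegal users" section repeats the same attempts for accounts that do not exist, so only the "Failed logins" section is counted to avoid doubling the totals.

```python
"""Parse a LogWatch SSHD summary, normalise IPv4-mapped sources and emit
block rules for repeat offenders.

Added example for this thread; not code from the posts, LogWatch or BFD/APF.
The "::ffff:" handling is the point raised in #6: sshd accepting IPv4
connections on an IPv6 socket logs the peer as an IPv4-mapped IPv6 address,
and a parser that does not strip that prefix produces rules that never match.
"""
import ipaddress
import re
from collections import Counter

# One LogWatch summary line, e.g.
#   root/password from ::ffff:211.248.38.252: 120 Time(s)
LINE_RE = re.compile(
    r"^\s*(?P<user>[^/\s]+)/(?P<method>\S+) from (?P<src>\S+?): (?P<count>\d+) Time\(s\)\s*$"
)
# Section header exactly as LogWatch printed it in post #1 (assumed stable).
FAILED_HEADER = "Failed logins from these:"

# Constructed sample: the first four "Failed logins" lines are copied from
# post #1, the fifth uses the address from post #10 with a made-up count,
# and the "Illegal users" section repeats two entries to show it is skipped.
SAMPLE_REPORT = """\
--------------------- SSHD Begin ------------------------

Failed logins from these:
root/password from ::ffff:211.248.38.252: 120 Time(s)
test/password from ::ffff:211.248.38.252: 16 Time(s)
root/password from ::ffff:218.3.161.2: 11 Time(s)
admin/password from ::ffff:218.3.161.2: 11 Time(s)
oracle/password from 70.240.3.138: 2 Time(s)

Illegal users from these:
test/none from ::ffff:211.248.38.252: 16 Time(s)
test/password from ::ffff:211.248.38.252: 16 Time(s)

---------------------- SSHD End -------------------------
"""


def normalize_source(src):
    """Return the plain IPv4 text for an IPv4-mapped IPv6 address
    (::ffff:a.b.c.d); leave other addresses and non-addresses unchanged."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return src
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def parse_failed_logins(report):
    """Sum failed-login counts per normalised source, reading only the
    "Failed logins" section (the "Illegal users" section repeats them)."""
    counts = Counter()
    in_section = False
    for line in report.splitlines():
        stripped = line.strip()
        if stripped == FAILED_HEADER:
            in_section = True
            continue
        if in_section and not stripped:
            in_section = False  # the section ends at the first blank line
            continue
        if not in_section:
            continue
        m = LINE_RE.match(line)
        if m:
            counts[normalize_source(m["src"])] += int(m["count"])
    return dict(counts)


def _sort_key(ip):
    """Order IPv4 before IPv6, numerically within each family; anything that
    is not an address sorts last as text."""
    try:
        addr = ipaddress.ip_address(ip)
        return (addr.version, int(addr))
    except ValueError:
        return (99, ip)


def block_rules(counts, threshold):
    """Return (iptables commands, hosts.deny lines) for every source whose
    failure count reaches `threshold`, in address order."""
    offenders = sorted((ip for ip, n in counts.items() if n >= threshold), key=_sort_key)
    # -I (insert at the top) rather than -A: a DROP appended after an existing
    # rule that accepts port 22 would never be reached.
    iptables_cmds = [f"iptables -I INPUT -s {ip} -j DROP" for ip in offenders]
    # hosts.deny syntax is "daemon_list : client_list"; the daemon name sshd is assumed.
    hosts_deny = [f"sshd: {ip}" for ip in offenders]
    return iptables_cmds, hosts_deny


if __name__ == "__main__":
    totals = parse_failed_logins(SAMPLE_REPORT)
    for ip, n in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{ip:<16} {n:>5} failed logins")
    cmds, deny = block_rules(totals, threshold=10)
    print("\n".join(cmds))
    print("\n".join(deny))
```

The generated rule uses -I rather than the -A in #5 so the DROP lands ahead of any existing rule that accepts port 22; an appended DROP after such a rule is never reached. The hosts.deny form is `daemon : client`, and it only takes effect when sshd is built with tcp_wrappers (common for distro builds of that era; portable OpenSSH dropped that support in 6.7), so the iptables rule is the one that works everywhere.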

  10. #10
    Member, joined Aug 2004, 84 posts

    My server is also being attacked. I tried this:
    root@host [~]# iptables -A INPUT -s 70.240.3.138 -j DROP
    bash: iptables: command not found

  11. #11
    Member, This Planet, joined Mar 2004, 984 posts

    Run the following commands from SSH and paste the output.

    lsmod
    i.e. determine the loaded modules

    modinfo ip_tables
    i.e. determine whether the iptables kernel module is installed on your system

    rpm -q iptables
    i.e. determine whether the iptables user-space package is installed on your system



    Anup
    Last edited by anup123; 10-11-2004 at 01:53 AM.

  12. #12
    Member, Chicago, joined Feb 2004, 196 posts

    Quote Originally Posted by anup123
    Run the following commands from SSH and paste the output.

    lsmod
    i.e. determine the loaded modules

    modinfo ip_tables
    i.e. determine whether the iptables kernel module is installed on your system

    rpm -q iptables
    i.e. determine whether the iptables user-space package is installed on your system

    Anup

    root@xeon1 [~]# lsmod
    Module                  Size  Used by
    ipt_owner               7745  0
    ipt_REJECT              8897  0
    iptable_filter          6209  1
    ip_tables              18497  3 ipt_owner,ipt_REJECT,iptable_filter
    md5                     7745  1
    ipv6                  233701  28
    tg3                    79045  0
    sg                     33377  0
    scsi_mod              102025  1 sg
    microcode              10209  0
    dm_mod                 49477  0
    ohci_hcd               22097  0
    button                  8793  0
    battery                11085  0
    asus_acpi              13017  0
    ac                      7373  0
    ext3                   99497  4
    jbd                    58457  1 ext3
    root@xeon1 [~]#

    root@xeon1 [~]# modinfo ip_tables
    license: GPL
    author: Netfilter Core Team <coreteam@netfilter.org>
    description: IPv4 packet filter
    vermagic: 2.6.8-1.521smp SMP 686 REGPARM 4KSTACKS gcc-3.3
    depends:
    root@xeon1 [~]#

    root@xeon1 [~]# rpm -q iptables
    iptables-1.2.9-2.3.1
    root@xeon1 [~]#

  13. #13
    Member, joined Oct 2003, 1,020 posts

    Quote Originally Posted by preleaf
    My server is also being attacked. I tried this:
    root@host [~]# iptables -A INPUT -s 70.240.3.138 -j DROP
    bash: iptables: command not found
    What OS are you running?

    Try running it with the full path to iptables, or use 'su -' when su'ing to root.

  14. #14
    Member, This Planet, joined Mar 2004, 984 posts

    ThaMATRiX: I think you should be able to use the iptables command. Check with iptables -L.

    Actually, that was for preleaf, who was having an error running that command, and SarcNBit has already replied to the same. It's either iptables not being in the PATH or not being there at all. SarcNBit's suggestion would reveal further details.

    Anup
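On the "command not found" in #10 and the `su -` advice in #13 and #14, here is an added example (not from the thread or from any cPanel tool) showing the mechanism. A plain `su` keeps the calling user's environment, including a PATH that normally lacks /sbin and /usr/sbin where iptables lives; `su -` starts a login shell whose PATH is rebuilt from the root profile. The script builds a throwaway directory tree standing in for /bin and /sbin (the fake iptables is a constructed stub, not the real binary), walks PATH the way a shell does, and shows the lookup failing with a user-style PATH, succeeding with a login-style PATH, and the sbin fallback that explains why typing the full path /sbin/iptables still works. Python 3 is assumed.

```python
"""Why a plain `su` gives "bash: iptables: command not found" while `su -`
does not (posts #10, #13, #14).

Added example, not from the thread. A non-login `su` keeps the user's PATH,
which usually lacks the sbin directories; `su -` rebuilds PATH as a login
shell. Everything here runs against a temporary fake root, so nothing on
the real system is read or changed.
"""
import os
import shutil
import stat
import tempfile

# Directories a root login shell has on PATH but an ordinary user's shell
# usually does not.
SBIN_DIRS = ("/sbin", "/usr/sbin", "/usr/local/sbin")


def _is_executable_file(path):
    """Regular file with at least one execute bit set (checked via the mode
    bits rather than access(2), so a noexec temp mount does not distort it)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(
        st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    )


def which(name, path):
    """Walk `path` left to right like a shell and return the first match."""
    for directory in path.split(os.pathsep):
        if directory and _is_executable_file(os.path.join(directory, name)):
            return os.path.join(directory, name)
    return None


def find_admin_tool(name, path, root=""):
    """Resolve `name` on `path`; if that fails, retry in the sbin directories
    (prefixed with `root`, which exists only to sandbox the demo).
    Returns (resolved_path_or_None, was_on_path)."""
    hit = which(name, path)
    if hit:
        return hit, True
    sbin_path = os.pathsep.join(root + d for d in SBIN_DIRS)
    return which(name, sbin_path), False


def _install_stub(path):
    """Create a constructed executable stub standing in for a real binary."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(path, 0o755)


def run_demo():
    """Populate a fake root with bin/ls and sbin/iptables, then look up
    iptables with a user-style PATH (plain su) and a login-style PATH (su -)."""
    root = tempfile.mkdtemp(prefix="fakeroot-")
    try:
        _install_stub(os.path.join(root, "bin", "ls"))
        _install_stub(os.path.join(root, "sbin", "iptables"))
        user_path = os.path.join(root, "bin")
        login_path = os.pathsep.join([user_path, os.path.join(root, "sbin")])

        plain_su = find_admin_tool("iptables", user_path, root=root)
        login_su = find_admin_tool("iptables", login_path, root=root)
        return {
            # plain su: not on PATH (hence "command not found"), yet the sbin
            # fallback resolves it, which is why the full path still works
            "plain_su_on_path": plain_su[1],
            "plain_su_resolved": plain_su[0] is not None,
            "login_su_on_path": login_su[1],
            "same_binary": plain_su[0] == login_su[0],
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The same walk is what `command -v iptables` or `type iptables` would do in the shell; if they print nothing after a plain `su`, but `/sbin/iptables -L` works, the package is installed and only PATH is the problem, which is the split SarcNBit's two suggestions were designed to reveal.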

  15. #15
    Member, Chicago, joined Feb 2004, 196 posts

    It's Fedora Core 2.
