What is this in /var/log/messages

**foxdevil** · 05-19-2008 01:44 AM

When I open file /etc/log/messages I founded following message, what is this...

==========================================================
May 19 09:26:51 xxx kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=189.141.119.221 DST=xxx.xxx.xxx.xx LEN=48 TOS=0x04 PREC=0xC0 TTL=115 ID=4919 DF PROTO=TCP SPT=4510 DPT=4899 WINDOW=64240 RES=0x00 SYN URGP=0
May 19 09:26:51 xxx kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=189.141.119.221 DST=xxx.xxx.xxx.xx LEN=48 TOS=0x04 PREC=0xC0 TTL=115 ID=4925 DF PROTO=TCP SPT=4515 DPT=4899 WINDOW=64240 RES=0x00 SYN URGP=0
May 19 09:27:20 xxx kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=xxx.xxx.xxx.xx DST=218.104.68.244 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=34387 DF PROTO=TCP SPT=80 DPT=13039 WINDOW=7504 RES=0x00 ACK URGP=0
May 19 09:28:42 xxx kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=xxx.xxx.xxx.xx DST=218.104.68.244 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=34389 DF PROTO=TCP SPT=80 DPT=13039 WINDOW=7504 RES=0x00 ACK URGP=0
May 19 09:28:58 xxx kernel: ** SSH ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=122.160.224.58 DST=xxx.xxx.xxx.xx LEN=60 TOS=0x04 PREC=0xC0 TTL=45 ID=27682 DF PROTO=TCP SPT=60654 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 19 09:28:58 xxx kernel: ** SSH ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=122.160.224.58 DST=xxx.xxx.xxx.xx LEN=60 TOS=0x04 PREC=0xC0 TTL=45 ID=34864 DF PROTO=TCP SPT=2226 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 19 09:29:01 xxx kernel: ** SSH ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=122.160.224.58 DST=xxx.xxx.xxx.xx LEN=60 TOS=0x04 PREC=0xC0 TTL=45 ID=34865 DF PROTO=TCP SPT=2226 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
=====================================================

Last week my website was hack by Ottoman Empire, hacker change my index.php to direct to other site.

When I can change back, and disabled root to access to ssh, change user name and password to lang more 20 character.

After that I change apf rules and install BFD and blocked some IP in apf.

Yesterday I found some message I don't know what happen, some one can tell me more.

Thanks advance

***
My Server used bellow:

WHM 11.15.0 cPanel 11.18.6-S24255
CENTOS Enterprise 4.6 x86_64 on standard - WHM X v3.1.0
***

**Kailash1** · 05-19-2008 03:37 PM

Looks like the same entry as ip_conntrack file.

It seems that it is showing the connections to your server.

Kailash

**foxdevil** · 05-19-2008 09:41 PM

=========================================
** SSH ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=122.160.224.58
=========================================
Some IP show in blacklist from any more web site.
This message possible hacker try to access ssh port?

LinkBack

Thread Tools

What is this in /var/log/messages

...

can you help me analyze the /var/log/messages ?

var/log/messages question

Getting access to /var/log/messages

Strange messages in /var/log/messages

missing /var/log/messages