hst

Well-Known Member
Feb 24, 2002
111
0
316
Ran /scripts/cpup recently on two servers. One has stopped sending active system attack emails but other alerts are still coming through. Any ideas to get this working and to make sure the port monitoring is still working?
 

hst

Well-Known Member
Feb 24, 2002
111
0
316
It stopped on its own

It's stopped sending on its own. I ran /etc/rc.d/init.d/portsentry restart and it went fine but still no alerts are coming any more.
 

itf

Well-Known Member
May 9, 2002
624
0
316
One of our servers had this problem. Graceful restarting that box solved the problem.
 

hst

Well-Known Member
Feb 24, 2002
111
0
316
Tried graceful restart but it's still not sending

I tried the graceful restart as you suggested but it's still not sending the alerts. I know the email address is right because I'm getting the other messages like cgi scripts installed but not the system attack messages. I'm stumped.
 

itf

Well-Known Member
May 9, 2002
624
0
316
[quote][i]Originally posted by hst[/i]

I tried the graceful restart as you suggested but it's still not sending the alerts. I know the email address is right because I'm getting the other messages like cgi scripts installed but not the system attack messages. I'm stumped.[/quote]
Because you haven't any active system attack, which means there is no attack on your system.
 

hst

Well-Known Member
Feb 24, 2002
111
0
316
That's not it

I was getting one meg files about attacks until the apache and cp upgrade and then they stopped. Other servers continue to get the messages.
 

itf

Well-Known Member
May 9, 2002
624
0
316
[quote][i]Originally posted by hst[/i]

I was getting one meg files about attacks until the apache and cp upgrade and then they stopped. Other servers continue to get the messages.[/quote]
You are seriously under attack! We are usually under attack, but when an exploit is known in server software then we are heavily under attack, i.e. the last known vulnerabilities in Apache 1.3.24.

Did you update your Apache to 1.3.26? However, there is another known exploit in bind which will be resolved in bind 9.2.2 or 9.3.0.

What kinds of attack alerts did you receive?
 

hst

Well-Known Member
Feb 24, 2002
111
0
316
All kinds of attacks but they are blocked

We have hundreds of accounts on our servers so you can imagine we get a bunch of all kinds of attacks. They get shut down by the systems.
 

itf

Well-Known Member
May 9, 2002
624
0
316
[quote][i]Originally posted by hst[/i]

We have hundreds of accounts on our servers so you can imagine we get a bunch of all kinds of attacks. They get shut down by the systems.[/quote]
Monitor your servers.
 

xnull

Well-Known Member
Sep 9, 2001
156
0
316
Heh, that's nothing.. We were getting 2mb-20mb attack logs by email every day for about 8 months.. They stopped for a while and I'm getting them again every once in a while now (software error? or no attacks?) lol..
 

itf

Well-Known Member
May 9, 2002
624
0
316
[quote][i]Originally posted by xnull[/i]

Heh, that's nothing.. We were getting 2mb-20mb attack logs by email every day for about 8 months.. They stopped for a while and I'm getting them again every once in a while now (software error? or no attacks?) lol..[/quote]
It seems that you are new to hackers. I wrote in this thread about what they want to do:

http://forums.cpanel.net/read.php?TID=3523


RPC information located at Port 111 is a place to find out where services are running. Numerous vulnerabilities exist, along with exploits ready and waiting for services such as rpcbind and rpcmountd. Network File Service (NFS) has a known rpc-update exploit, the Network Information Service (NIS) update daemon rpc.ypupdated contains vulnerabilities in how it passes commands to certain function calls. This could allow a remote attacker to trick the service into executing arbitrary commands on the system with root privileges. Additionally, client server environments that use remote program calls and port 111 to register and make themselves available, are unfortunately also listing their availability to the less-than-nice people who are trying to crack your system. For the unprotected systems that have portmapper running on port 111, a simple "rpcinfo" request is adequate for the potential exploiter to obtain a list of all services running.

Also bind 9.2.1 has a vulnerability now that will be resolved in the next version 9.2.2 or 9.30.

These are some of the exploits that hackers try to get into your system.
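An added example, not part of any post in this thread: a small audit that parses the output of `rpcinfo -p` from your own host and lists which of the services named in the post above (NFS, mountd, ypupdated) the portmapper is advertising. The program numbers are the standard /etc/rpc values; the sample output, ports and function names are constructed for illustration.

```python
import sys
from collections import defaultdict

# RPC program numbers (standard /etc/rpc values) for the services the post names.
PORTMAPPER = 100000
REVIEW = {100003: "nfs", 100005: "mountd", 100028: "ypupdated"}

# Constructed sample in the format printed by `rpcinfo -p`; the last row has no
# service name, as happens when the program is missing from /etc/rpc.
SAMPLE = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp    635  mountd
    100024    1   udp    940  status
    100028    1   tcp    903
"""

def parse_rpcinfo(text):
    """Return (program, version, proto, port) tuples, skipping header/noise lines."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].isdigit() and f[1].isdigit() and f[3].isdigit():
            rows.append((int(f[0]), int(f[1]), f[2].lower(), int(f[3])))
    return rows

def audit(rows):
    """Map each review-listed service name to its sorted unique 'proto/port' endpoints."""
    found = defaultdict(set)
    for program, _version, proto, port in rows:
        if program in REVIEW:
            found[REVIEW[program]].add(f"{proto}/{port}")
    return {name: sorted(eps) for name, eps in sorted(found.items())}

def portmapper_registered(rows):
    """True when the portmapper itself (program 100000) appears in the listing."""
    return any(program == PORTMAPPER for program, *_ in rows)

if __name__ == "__main__":
    # Pipe real output in (rpcinfo -p | python3 this_file.py) or run bare for the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    rows = parse_rpcinfo(text)
    print("portmapper registered:", portmapper_registered(rows))
    for name, endpoints in audit(rows).items():
        print(f"review {name}: {', '.join(endpoints)}")
```

Anything it lists that the server does not actually need is a candidate for disabling or for filtering port 111 at the firewall.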
 

AlaskanWolf

Well-Known Member
Aug 11, 2001
537
0
316
Fremont CA
Sorry to bring this thread back from the dead, but it seems no one really answered why the monitoring stopped. Likewise on our systems, it seems the emails stopped over time; nothing has really changed over the months instead of the usual cPanel updates etc...