Oct 16, 2010
12
0
51
Thanks. I found when the id was created in the secure log, but didn't see anything unusual in bash history. Also, the server has hung a couple of times over the past couple of days, which required a reboot. I see many failed login attempts (sample below). Could this be a DoS attack?


Aug 4 07:46:21 server1 sshd[5096]: input_userauth_request: invalid user collins
Aug 4 07:46:22 server1 sshd[5096]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:23 server1 sshd[5110]: Invalid user collins from 62.42.240.249
Aug 4 07:46:23 server1 sshd[5111]: input_userauth_request: invalid user collins
Aug 4 07:46:23 server1 sshd[5111]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:24 server1 sshd[5116]: Invalid user collins from 62.42.240.249
Aug 4 07:46:24 server1 sshd[5117]: input_userauth_request: invalid user collins
Aug 4 07:46:24 server1 sshd[5117]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:25 server1 sshd[5132]: Invalid user com from 62.42.240.249
Aug 4 07:46:25 server1 sshd[5133]: input_userauth_request: invalid user com
Aug 4 07:46:25 server1 sshd[5133]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:27 server1 sshd[5138]: Invalid user com from 62.42.240.249
Aug 4 07:46:27 server1 sshd[5141]: input_userauth_request: invalid user com
Aug 4 07:46:27 server1 sshd[5141]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:28 server1 sshd[5144]: Invalid user com from 62.42.240.249
Aug 4 07:46:28 server1 sshd[5147]: input_userauth_request: invalid user com
Aug 4 07:46:28 server1 sshd[5147]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:43 server1 sshd[5236]: Invalid user commando from 62.42.240.249
Aug 4 07:46:43 server1 sshd[5252]: input_userauth_request: invalid user commando
Aug 4 0
 

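A quick way to read lines like the ones above from the log itself is to count "Invalid user" attempts per source address and check whether they arrive in bursts: a tight run of many usernames from one address is the signature of password guessing against sshd, not of resource exhaustion. This is an added example, not code from the thread; the sample lines are constructed in the same format as the post above (the second address is invented), and the 60-second window and 5-attempt threshold are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same format as the sshd lines quoted in the post.
SAMPLE_LOG = """\
Aug 4 07:46:23 server1 sshd[5110]: Invalid user collins from 62.42.240.249
Aug 4 07:46:23 server1 sshd[5111]: input_userauth_request: invalid user collins
Aug 4 07:46:23 server1 sshd[5111]: Received disconnect from 62.42.240.249: 11: Bye Bye
Aug 4 07:46:24 server1 sshd[5116]: Invalid user collins from 62.42.240.249
Aug 4 07:46:25 server1 sshd[5132]: Invalid user com from 62.42.240.249
Aug 4 07:46:27 server1 sshd[5138]: Invalid user com from 62.42.240.249
Aug 4 07:46:28 server1 sshd[5144]: Invalid user com from 62.42.240.249
Aug 4 07:46:43 server1 sshd[5236]: Invalid user commando from 62.42.240.249
Aug 4 09:12:01 server1 sshd[6001]: Invalid user test from 198.51.100.7
"""

# Only the "Invalid user X from IP" line carries the source address; the
# input_userauth_request and disconnect lines are ignored.
INVALID_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_invalid_users(log_text, year=2010):
    """Yield (timestamp, username, source_ip) for each 'Invalid user' line.
    Syslog lines carry no year, so one is supplied (assumed: 2010)."""
    for line in log_text.splitlines():
        m = INVALID_USER.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def summarize(log_text, window_seconds=60, threshold=5):
    """Per source IP: attempt count, distinct usernames tried, and whether any
    sliding window of window_seconds held at least threshold attempts."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_invalid_users(log_text):
        by_ip[ip].append((ts, user))
    report = {}
    for ip, events in by_ip.items():
        times = sorted(t for t, _ in events)
        burst, start = False, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward past old attempts
            if end - start + 1 >= threshold:
                burst = True
                break
        report[ip] = {"attempts": len(events),
                      "usernames": sorted({u for _, u in events}),
                      "brute_force_burst": burst}
    return report
```

On a real system, feed it the contents of /var/log/secure; any address flagged with brute_force_burst is a candidate for a firewall or fail2ban rule.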
cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
41
348
somewhere over the rainbow
cPanel Access Level
Root Administrator
Re: [hackcheck] http has a uid 0 account

So a DoS attack on sshd? I've never heard of a DoS attack on sshd before, since it's usually more beneficial to DoS Apache instead. Those login attempts are all sshd ones.
 

cPanelTristan

Re: [hackcheck] http has a uid 0 account

Would you like me to move this to another thread that is on troubleshooting how to figure out administering a machine? The original thread is about security issues for a hackcheck script, so it would be easier to fork this into a new thread.
 

cPanelTristan

I would suggest installing this script to grab details each minute on the running processes and other details that would be helpful when it hangs again:

Code:
cd /root
# save the download under the filename the following commands expect
wget -O sys-snap.sh http://sys-snap.techfiles.us/
chmod +x sys-snap.sh
# run detached from the shell so it survives logout
nohup /root/sys-snap.sh &
At that point, you should then have files in /root/system-snapshot/ folder for each minute logging the details. When the server hangs again, simply review the details to see what is happening. You might also check sar information on the machine to see the recent activity for CPU, user, nice, system, iowait, steal and idle usage on the system.
 
Oct 16, 2010
Thanks, I installed the script. Is it resource intensive? Should I keep it running indefinitely? Also, where do I check sar information?
 

cPanelTristan

Hi,

A resource-intensive script wouldn't be suggested for use on a server with high loads or hanging, since that would only exacerbate the issue, so the script is not resource intensive. It grabs quick details for a few seconds every minute.

It won't keep running indefinitely, as the command you start it with will not be running after the server is rebooted or crashes.

The "sar" command is the one used in root SSH to get the sar information. It's similar to when someone says to check top and they mean to issue the command "top".

Thanks!