The Community Forums


Can someone explain what this is?

Discussion in 'Data Protection' started by bengji, May 14, 2006.

  1. bengji (Registered; joined Apr 20, 2004)
    I'm getting this in my email every day from Logwatch. Is someone trying to hack my server? How can I prevent this attack... thanks.

    Everyday email:


    ################### LogWatch 4.3.2 (02/18/03) ####################
    Processing Initiated: Sun May 14 04:02:04 2006
    Date Range Processed: yesterday
    Detail Level of Output: 0
    Logfiles for Host: *********.com
    ################################################################

    --------------------- Named Begin ------------------------

    **Unmatched Entries**
    client 216.47.160.12 error sending response: host unreachable: 1 Time(s)
    client 64.15.129.77 error sending response: host unreachable: 1 Time(s)

    ---------------------- Named End -------------------------


    --------------------- pam_unix Begin ------------------------

    sshd:
    Invalid Users:
    Unknown Account: 627 Time(s)
    Authentication Failures:
    ftp (backbone.oops.net.br ): 3 Time(s)
    mail (crops.spectrumanalytic.com ): 1 Time(s)
    adm (backbone.oops.net.br ): 3 Time(s)
    games (backbone.oops.net.br ): 3 Time(s)
    unknown (backbone.oops.net.br ): 279 Time(s)
    unknown (221.158.91.46 ): 35 Time(s)
    rpm (backbone.oops.net.br ): 2 Time(s)
    news (backbone.oops.net.br ): 3 Time(s)
    mysql (backbone.oops.net.br ): 5 Time(s)
    mysql (221.158.91.46 ): 2 Time(s)
    unknown (202.152.39.28 ): 7 Time(s)
    operator (backbone.oops.net.br ): 2 Time(s)
    mail (backbone.oops.net.br ): 3 Time(s)
    unknown (211.221.246.22 ): 228 Time(s)
    sshd (backbone.oops.net.br ): 2 Time(s)
    ident (backbone.oops.net.br ): 3 Time(s)
    nobody (backbone.oops.net.br ): 3 Time(s)
    mysql (crops.spectrumanalytic.com ): 1 Time(s)
    unknown (crops.spectrumanalytic.com ): 78 Time(s)


    ---------------------- pam_unix End -------------------------


    --------------------- Connections (secure-log) Begin ------------------------


    **Unmatched Entries**
    userhelper[21031]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'
    userhelper[21034]: running '/usr/sbin/up2date --nox -u' with root privileges on behalf of 'root'

    ---------------------- Connections (secure-log) End -------------------------


    --------------------- SSHD Begin ------------------------


    Failed logins from these:
    Aaliyah/password from 201.54.174.254: 2 Time(s)
    Aaron/password from 201.54.174.254: 2 Time(s)
    Aba/password from 201.54.174.254: 2 Time(s)
    Abel/password from 201.54.174.254: 2 Time(s)
    Exit/password from 201.54.174.254: 1 Time(s)
    Ionut/password from 201.54.174.254: 2 Time(s)
    Jewel/password from 201.54.174.254: 2 Time(s)
    Zmeu/password from 201.54.174.254: 2 Time(s)
    adam/password from 201.54.174.254: 3 Time(s)
    add/password from 201.54.174.254: 2 Time(s)
    adine/password from 202.152.39.28: 1 Time(s)
    adine/password from 216.29.108.68: 1 Time(s)
    adm/password from 201.54.174.254: 3 Time(s)
    admin/password from 201.54.174.254: 21 Time(s)
    admin/password from 202.152.39.28: 1 Time(s)
    admin/password from 216.29.108.68: 1 Time(s)
    admin/password from 221.158.91.46: 4 Time(s)
    admin1/password from 211.221.246.22: 33 Time(s)
    administrator/password from 202.152.39.28: 1 Time(s)
    administrator/password from 216.29.108.68: 1 Time(s)
    admins/password from 201.54.174.254: 4 Time(s)
    adrian/password from 201.54.174.254: 2 Time(s)
    adrian/password from 221.158.91.46: 2 Time(s)
    ahmed/password from 216.29.108.68: 1 Time(s)
    alan/password from 201.54.174.254: 3 Time(s)
    alan/password from 216.29.108.68: 1 Time(s)
    alan/password from 221.158.91.46: 2 Time(s)
    albert/password from 216.29.108.68: 1 Time(s)
    alberto/password from 216.29.108.68: 1 Time(s)
    alex/password from 201.54.174.254: 3 Time(s)
    alex/password from 216.29.108.68: 1 Time(s)
    alfred/password from 216.29.108.68: 1 Time(s)
    ali/password from 216.29.108.68: 1 Time(s)
    alice/password from 216.29.108.68: 1 Time(s)
    alicia/password from 221.158.91.46: 1 Time(s)
    alina/password from 201.54.174.254: 1 Time(s)
    allan/password from 216.29.108.68: 1 Time(s)
    amanda/password from 201.54.174.254: 2 Time(s)
    Illegal user administrator from 202.152.39.28
    Illegal user jack from 202.152.39.28
    Illegal user marvin from 202.152.39.28
    Illegal user andres from 202.152.39.28
    Illegal user barbara from 202.152.39.28
    Illegal user adine from 202.152.39.28

    ---------------------- SSHD End -------------------------



    ------------------ Disk Space --------------------

    Filesystem Size Used Avail Use% Mounted on
    /dev/hda3 75G 18G 53G 26% /
    /dev/hda1 99M 15M 79M 16% /boot
    none 497M 0 497M 0% /dev/shm
    /usr/tmpDSK 485M 9.2M 451M 3% /tmp
    /tmp 485M 9.2M 451M 3% /var/tmp


    ###################### LogWatch End #########################
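    The Logwatch report above is a summary rather than raw log lines: the pam_unix block counts 627 attempts against accounts that do not exist, and the SSHD block lists the username dictionary (Aaliyah, Aaron, admin, admin1, ...) tried from each source address. As an added example that is not part of the original post, the script below aggregates a Logwatch SSHD section by source IP and prints APF deny commands for sources over a threshold, for an admin to review before running anything. The sample input is constructed in the shape of the post's report (not a real capture); "apf -d <ip>" is APF's deny syntax, and the threshold of 10 is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the thread): aggregate the SSHD section of a
# Logwatch report by source address and turn the worst offenders into
# APF deny commands for an admin to review. Assumes APF's "apf -d <ip>"
# deny syntax; the threshold is an arbitrary choice.

# Constructed sample in the shape of the post's report (not a real
# capture). Only the SSHD block is consulted; other sections are ignored.
SAMPLE='--------------------- pam_unix Begin ------------------------
sshd:
Invalid Users:
Unknown Account: 627 Time(s)
---------------------- pam_unix End -------------------------

--------------------- SSHD Begin ------------------------

Failed logins from these:
   admin/password from 201.54.174.254: 21 Time(s)
   adam/password from 201.54.174.254: 3 Time(s)
   admin1/password from 211.221.246.22: 33 Time(s)
   admin/password from 202.152.39.28: 1 Time(s)
   alan/password from 216.29.108.68: 1 Time(s)
   Illegal user jack from 202.152.39.28
   Illegal user adine from 202.152.39.28

---------------------- SSHD End -------------------------'

# Read a Logwatch report on stdin; print "<failures> <ip>" per source,
# highest first. "user/password from IP: N Time(s)" lines contribute N,
# "Illegal user NAME from IP" lines contribute 1 each.
ssh_failures_by_ip() {
    awk '
        /^ *-+ SSHD Begin/ { in_sshd = 1; next }
        /^ *-+ SSHD End/   { in_sshd = 0; next }
        in_sshd && /\/password from [0-9.]+: [0-9]+ Time\(s\)/ {
            ip = $3; sub(/:$/, "", ip)          # "201.54.174.254:" -> IP
            count[ip] += $4
        }
        in_sshd && /^ *Illegal user [^ ]+ from [0-9.]+/ {
            count[$5] += 1
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# Print an "apf -d" command for every source with at least $1 failures
# (default 10). Nothing is executed: pipe the output to sh once reviewed.
brute_force_sources() {
    threshold=${1:-10}
    ssh_failures_by_ip | awk -v t="$threshold" \
        '$1 >= t { printf "apf -d %s \"ssh brute force: %d failures\"\n", $2, $1 }'
}

# Stand-alone run: summarise the sample and show what would be blocked.
printf '%s\n' "$SAMPLE" | ssh_failures_by_ip
printf '%s\n' "$SAMPLE" | brute_force_sources 10
```

    On a real server, feed it the Logwatch mail instead of the sample (for example `brute_force_sources 10 < logwatch.txt`). The per-source totals are what matter: in the post, 211.221.246.22 alone accounts for 33 failures against admin1 plus 228 unknown-account failures in the pam_unix block, which is exactly the pattern a BFD-style blocker keys on. Note that Logwatch is a daily digest, so blocking from it lags the attack by up to a day.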
     
  2. Lyttek (Well-Known Member; joined Jan 2, 2004)
    Aside from disabling SSH, which you don't really want to do, the option is to change the port number from 22 to something else. This won't prevent the attacks, but it will make it less likely they'll find the right port.

    It is, unfortunately, a normal occurrence.
     
  3. bengji (Registered; joined Apr 20, 2004)
    Thanks Lyttek.

    I have another problem now. I changed the port to 12345, but before I did that I forgot to enable that port on the APF firewall, and now I'm locked out of SSH.

    Do you know how I can get back into SSH? Is there any way I can disable or change the port through WHM? I don't know what to do... :confused:
     
  4. avijit (Well-Known Member; joined Jul 26, 2004; location: India)
    Contact the NOC support so that they can either add the port to your firewall or change sshd back to the regular port. Unless they do that for you locally, no one can SSH into the server.

    As far as preventing the brute-forcing goes, you need to install APF/BFD and tweak them according to the rules you want.
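    What locked bengji out is the ordering: the new port went into sshd_config before it was allowed through APF, so once sshd restarted there was no port that was both listening and open in the firewall. sshd accepts more than one Port directive, so the safe order is to add the new port alongside 22, allow it in APF, restart both, log in on the new port from a second session, and only then remove 22. The script below is an added example, not the thread's own commands; it assumes OpenSSH's sshd_config syntax and APF's IG_TCP_CPORTS list in /etc/apf/conf.apf, and every function takes the file to edit as an argument so it can be tried on copies first.

```shell
#!/bin/sh
# Added example (not the thread's own commands): move sshd to a new port
# without locking yourself out. sshd accepts several Port directives, so
# the new port is added next to the old one and allowed through APF first;
# the old port is removed only after a login on the new port has worked.
# Assumptions: OpenSSH sshd_config syntax and APF's IG_TCP_CPORTS list
# (/etc/apf/conf.apf). Functions take the file to edit as an argument.

# Print the ports sshd is configured to listen on, space separated.
# A file with no Port line means the default, 22.
sshd_ports() {
    awk '/^[ \t]*Port[ \t]+[0-9]+/ { printf "%s%s", (n++ ? " " : ""), $2 }
         END { if (!n) printf "22"; print "" }' "$1"
}

# Add "Port <new>" to sshd config $1 while keeping the existing port(s).
add_sshd_port() {
    cfg=$1; port=$2
    for p in $(sshd_ports "$cfg"); do
        if [ "$p" = "$port" ]; then return 0; fi      # already present
    done
    if ! grep -Eq '^[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        # No explicit Port line: sshd was on 22 by default. Make that
        # explicit so 22 stays open while the new port is being verified.
        printf 'Port 22\n' >> "$cfg"
    fi
    # Port directives are read before ListenAddress; if the file has
    # ListenAddress lines, place Port lines above them instead of appending.
    printf 'Port %s\n' "$port" >> "$cfg"
}

# Remove "Port <old>" from $1, refusing if it is the last Port line.
remove_sshd_port() {
    cfg=$1; port=$2
    others=0
    for p in $(sshd_ports "$cfg"); do
        if [ "$p" != "$port" ]; then others=$((others + 1)); fi
    done
    if [ "$others" -eq 0 ]; then
        echo "refusing to remove port $port: no other Port line in $cfg" >&2
        return 1
    fi
    tmp=$(mktemp)
    grep -Ev "^[[:space:]]*Port[[:space:]]+$port\$" "$cfg" > "$tmp" || :
    cat "$tmp" > "$cfg"; rm -f "$tmp"     # keep the file's owner and mode
}

# Current IG_TCP_CPORTS value (comma separated) from APF conf $1.
apf_tcp_ports() {
    sed -n 's/^IG_TCP_CPORTS="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Allow inbound TCP port $2 in APF conf $1 (idempotent). APF must be
# reloaded afterwards (apf -r) for the change to take effect.
apf_allow_tcp_port() {
    conf=$1; port=$2
    current=$(apf_tcp_ports "$conf")
    case ",$current," in *",$port,"*) return 0 ;; esac
    if [ -z "$current" ]; then new=$port; else new="$current,$port"; fi
    tmp=$(mktemp)
    if grep -q '^IG_TCP_CPORTS=' "$conf"; then
        sed "s/^IG_TCP_CPORTS=\"[^\"]*\"/IG_TCP_CPORTS=\"$new\"/" "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp"; printf 'IG_TCP_CPORTS="%s"\n' "$new" >> "$tmp"
    fi
    cat "$tmp" > "$conf"; rm -f "$tmp"
}

# Step 1: open the new port in both places while the old one stays reachable.
# Usage: stage_new_ssh_port /etc/ssh/sshd_config /etc/apf/conf.apf 12345
stage_new_ssh_port() {
    add_sshd_port "$1" "$3" && apf_allow_tcp_port "$2" "$3"
}
```

    After `stage_new_ssh_port` on the live files, restart sshd (on cPanel, /scripts/restartsrv_sshd) and reload APF with `apf -r`, then from a second terminal run `ssh -p 12345 root@host` while keeping the current session open. Only when that login works should you run `remove_sshd_port /etc/ssh/sshd_config 22` and restart sshd again (and, if you want, take 22 back out of IG_TCP_CPORTS by hand; the script only adds ports). As Lyttek says, the new port only cuts the noise from scanners that try 22; a scanner that walks all ports still finds it, so the APF/BFD blocking avijit describes still applies.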
     
  5. rhenderson (Well-Known Member; joined Apr 21, 2005; location: Oklahoma; cPanel Access Level: Root Administrator)

    :D Well, at least the potential hacker is locked out as well :D
    (Hope you get that fixed.)

    I have BFD installed and it works well, but after changing our port number we have only had 1 attempt in the last year. We left BFD running "just in case", but it has not had much work.

    For future reference, you could see Chirpy and get the File Manager/Console ($15); if you had it installed you could have edited the ssh conf file or the apf file via WHM and unlocked yourself. A thought for a backup plan for "next time".

    Good luck
     