Security run output - question

Discussion in 'Security' started by Cystrix, Feb 24, 2005.

  1. Cystrix

    Cystrix Member

    Not sure where to post this, but it is to do with WHM!

    Recently we have been getting a load of failed login attempts in the security run email, but today I noticed that not only are they failing for root, toor, mysql, www, operator, daemon, smmsp but there are account usernames as well!

    They come from different IPs and on different ports.

    Does this mean that someone has got into our server, or is there any other way to get the account names?

    ### Extract from security run output ###
    Feb 24 10:06:21 vulcan sshd[49190]: Failed password for mysql from port 34671 ssh2
    Feb 24 10:06:26 vulcan sshd[49213]: Failed password for mysql from port 35354 ssh2
    Feb 24 10:06:26 vulcan sshd[49217]: Failed password for mysql from port 35399 ssh2
    Feb 24 10:06:57 vulcan sshd[49428]: Failed password for mysql from port 40308 ssh2
    Feb 24 10:09:40 vulcan sshd[50578]: Failed password for toor from port 38269 ssh2
    Feb 24 10:09:52 vulcan sshd[50668]: Failed password for toor from port 41041 ssh2
    Feb 24 10:09:59 vulcan sshd[50721]: Failed password for toor from port 42337 ssh2
    Feb 24 10:10:32 vulcan sshd[50977]: Failed password for toor from port 49421 ssh2
  2. mctDarren

    mctDarren Well-Known Member

    It means someone is scanning your server and trying ways to get in. Look for an intrusion detection system like Snort or Brute Force Detector and install it. Make sure you have a good firewall running. Try adding offending IP addresses to your iptables using the following command:
    iptables -I INPUT -s <offending-IP> -j DROP
    This will make your server drop all connections from the IP and stop the scans/attacks. But get used to seeing those messages. They are a regular part of server administration, and becoming more and more (and MORE) frequent. GL! :)
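
Added example, not part of either post above: one way to triage a security run extract like this is to count failed SSH logins per username and per source, and to check which attempted names are real accounts on the host. The sample lines, the documentation-range addresses, the account name `exampleacct` and the `local_accounts` set are constructed for illustration; the address is optional in the pattern so that lines with the source missing still parse.

```python
import re
from collections import Counter

# Standard OpenSSH failure line; the address is optional so that lines with
# the source missing (as in the extract above) still parse.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from"
    r"(?: (?P<ip>[0-9A-Fa-f.:]+))? port \d+"
)

# Constructed sample lines (documentation address ranges, made-up account name).
SAMPLE_LOG = """\
Feb 24 10:06:21 vulcan sshd[49190]: Failed password for mysql from 192.0.2.10 port 34671 ssh2
Feb 24 10:06:26 vulcan sshd[49213]: Failed password for mysql from 192.0.2.10 port 35354 ssh2
Feb 24 10:06:57 vulcan sshd[49428]: Failed password for invalid user toor from 192.0.2.10 port 40308 ssh2
Feb 24 10:09:40 vulcan sshd[50578]: Failed password for invalid user toor from 198.51.100.7 port 38269 ssh2
Feb 24 10:09:52 vulcan sshd[50668]: Failed password for exampleacct from 198.51.100.7 port 41041 ssh2
Feb 24 10:10:32 vulcan sshd[50977]: Failed password for toor from port 49421 ssh2
Feb 24 10:11:02 vulcan sshd[51001]: Accepted password for exampleacct from 203.0.113.5 port 50022 ssh2
"""


def summarize(log_text, local_accounts, threshold=3):
    """Count failed SSH logins per user and per source address."""
    by_user, by_ip = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # not a failed-password line
        by_user[m.group("user")] += 1
        by_ip[m.group("ip") or "unknown"] += 1
    return {
        "by_user": dict(by_user),
        "by_ip": dict(by_ip),
        # Attempted names that are real accounts on this host.
        "real_accounts_tried": sorted(set(by_user) & set(local_accounts)),
        # Sources at or above the threshold: candidates for a firewall drop.
        "noisy_sources": sorted(
            ip for ip, n in by_ip.items() if n >= threshold and ip != "unknown"
        ),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, local_accounts={"root", "mysql", "exampleacct"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real host the `local_accounts` set would be built from the system's own account list rather than typed in by hand.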
