The Community Forums


Seems to be an attack

Discussion in 'Security' started by mohd_007, Mar 1, 2012.

  1. mohd_007

    mohd_007 Well-Known Member

    Joined:
    Sep 22, 2007
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Website Owner
    My server continuously pops up this message; sometimes it's quite frustrating, as I can't type any command. Can you please let me know what those error messages are?


    Message from syslogd@hostname at Mar 1 23:47:42 ...
    kernel:nf_ct_ftp: dropping packetIN= OUT=eth0 SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=53 TOS=0x10 PREC=0x00 TTL=64 ID=22263 DF PROTO=TCP SPT=21 DPT=49220 SEQ=421574250 ACK=2359927543 WINDOW=115 RES=0x00 ACK PSH FIN URGP=0



    In addition to this, I can see this.


    247 TIME_WAIT
    17 SYN_RECV
    1 LISTEN
    1 LAST_ACK
    19 FIN_WAIT2
    8 FIN_WAIT1
    30 ESTABLISHED
    2 CLOSING
    2 CLOSE_WAIT


    Earlier TIME_WAIT was 300+. I blocked some IPs and it came down. Any ideas?
     
  2. hoststop

    hoststop Well-Known Member

    Joined:
    Dec 6, 2011
    Messages:
    84
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Bolton, UK
    cPanel Access Level:
    Root Administrator
    Hi Mohammad. Not an attack in my eyes. The firewall (if CSF) just needs tweaking on the server. Configure CT_STATES, CT_LIMIT & CT_INTERVAL as per your needs. If you are unsure how to do it, contact your web host.
     
  3. Xavior82

    Xavior82 Active Member
    PartnerNOC

    Joined:
    Oct 5, 2006
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Montreal
    Oddly enough, I am having the same issue. We turned off the CSF firewall and yet the messages keep streaming at the command prompt.
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    CSF doesn't log to the command prompt for syslogd. Someone has configured the system to have those details spewing out to the command prompt. Who else handles your server? Someone set it up to do that. You'll need to have them remove it.
     
  5. mohd_007

    mohd_007 Well-Known Member

    Joined:
    Sep 22, 2007
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Website Owner
    Any ideas how to remove it?
     
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    No, I don't know how they added it. Whoever you have administering your machine likely did it or your provider did. You should contact them. It doesn't have to do with anything cPanel configured.
     
  7. nospa

    nospa Well-Known Member

    Joined:
    Apr 23, 2012
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Reseller Owner
    This is related to CSF; we see this on our servers also, while no changes were made from the default CentOS 6 config.
     
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    I've never seen CSF logging to the command prompt. It could log to /var/log/messages, but it shouldn't be logging to the command prompt. If it is, someone set it to do so.

    I just set up the latest CSF on a CentOS 6.2 machine, and it isn't logging to my command prompt. It does have this in my configuration:

    If someone has syslog going to the command prompt rather than writing to /var/log/messages, I could see this happening. No-one should ever do that, though.

    If you believe CSF is doing it, they do have a support forum at this location:

    CSF Forum
     
  9. nospa

    nospa Well-Known Member

    Joined:
    Apr 23, 2012
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Reseller Owner
    Only such packets are written to the screen:

    kernel:nf_ct_ftp

    All other stuff is logged into /var/log/messages.

    This is odd, but it happens only with busy ftp connections, when some packets are lost.
     
  10. Lahcen

    Lahcen Registered

    Joined:
    Jun 28, 2012
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I could finally get rid of these intrusive messages that made my operations in SSH unbearable. However, it is only a patch that sends these lines to a log file and does not resolve it.

    Although these lines are stamped as kernel errors and come from an FTP problem, they are lines at syslogd level emerg. I read up on this error level, and these are critical errors announcing a serious problem on the server ...

    Fail2ban does not detect serious problems at that level, but I think I will add a filter on this emerg log and block those destination IP addresses.

    This is actually my FTP server which connects to whois servers in a strange way. Either it is a website of one of my hosted FTP accounts that launches requests on those servers, or they are unwanted servers making unwanted ACTIVE mode connection requests, and my server is following the orders by connecting to those servers.

    Here's what I had to change (in /etc/syslog.conf):
    *.emerg -/var/log/emerg

    For the moment, this is only half solved.
     
  11. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Just wanted to add a "me too" to this thread. I have the exact same problem. For some reason, these FTP alerts are classified as "kernel" and the rsyslog.conf is configured to send emergency messages to "everyone", which includes the console (kernel messages are considered 'emergency', it seems).

    The default /etc/rsyslog.conf has:

    Lahcen's solution, to change the above to "/var/log/emerg", isn't a great solution, because now ALL EMERGENCY MESSAGES will no longer be broadcast to the console. We don't want FTP firewall alerts being classified as "emergency", but I'm not sure how to do this. I've read up on the rsyslog docs and it isn't making much sense to me.

    Low priority issue for us, but thought I'd add what I know so far, and maybe come back to this with a solution some day.

    - Scott
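    One way to do what Scott describes, as an added example that is not from this thread or from cPanel: an rsyslog legacy-syntax rule that routes only the nf_ct_ftp kernel messages to their own file and discards them before the default emergency broadcast rule runs, so every other emergency message still reaches the console. The log path /var/log/nf_ct_ftp.log is an assumed name.

```rsyslog
# Added example (not from the thread). Put these lines ABOVE the "*.emerg" rule
# in /etc/rsyslog.conf: rsyslog evaluates rules in order, so this match must
# happen before the emergency broadcast to all logged-in users.

# Property-based filter: $msg is the message body after the syslog header.
# Matching on the message text, rather than on the emerg priority, keeps real
# emergencies (kernel panics, disk errors) flowing to the console as before.
# The leading "-" on the path means asynchronous writes (no fsync per line),
# which suits a chatty message.  /var/log/nf_ct_ftp.log is an assumed name.
:msg, contains, "nf_ct_ftp: dropping packet"    -/var/log/nf_ct_ftp.log

# "&" repeats the selector of the previous line; "~" is the discard action,
# so the matched message reaches neither /var/log/messages nor the console.
# (On rsyslog 7 and later, "& stop" is the preferred spelling of the same thing.)
& ~
```

    Restart rsyslog afterwards (service rsyslog restart on CentOS 6). The messages still mean the FTP conntrack helper is discarding traffic, so the new file is worth reviewing rather than ignoring.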
     
  12. gongpro

    gongpro Member

    Joined:
    Jul 6, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    I ran into this too. The odd thing is I can get this issue to appear when accessing my server with Textastic on iPhone, but not from Filezilla, NetBeans or Dreamweaver on my computer. I rarely use Textastic, so I don't know if this is a new issue or if it has always been there. Restarting CSF gets it out of its loop, but could there be a problem with CSF and some FTP clients that could trigger this?

    /var/log/messages, if I read it right, looks like a localhost FTP login and then logout every time it posted the message in the shell during the loop.
     