The Community Forums

Interact with an entire community of cPanel & WHM users!

Server trying to ssh into itself

Discussion in 'Security' started by Homie2, Jul 2, 2014.

  1. Homie2

    Homie2 Well-Known Member

    I am confused. I installed CSF. I have a good amount of people trying to brute force into my SSH, but the CSF firewall is blocking them. But one problem... Why would my own server try to log in to itself and fail? Has my server been hacked?

    Jul 2 21:15:18 oc lfd[25905]: Failed SSH login from 209.159.152.202 - ignored

    That IP is my server IP, lol, like wtf? I'm tripping out. Any help please? It would be appreciated if anyone could help.
     
  2. quizknows

    quizknows Well-Known Member

    That's not normal AFAIK.

    I'd look for any suspicious PHP scripts running, or any recently uploaded/modified. Some scripts used on hacked websites try to brute-force the local host, since the firewall won't block the server's own IP for failed logins.

    If you get lucky and catch it ongoing, lsof -i :22 (or your SSH port) may help you find a PID to investigate.
     
  3. Homie2

    Homie2 Well-Known Member

    sshd 1466 root 3u IPv4 10323 0t0 TCP *:ssh (LISTEN)
    sshd 1466 root 4u IPv6 10325 0t0 TCP *:ssh (LISTEN)
    sshd 9830 root 3r IPv4 317444 0t0 TCP oc.theochost.com:ssh->ip68-23.oc.onet:50589

    IP 68.23 is my IP... so am I hacked?
     
  4. Homie2

    Homie2 Well-Known Member

    Code:
    Jun 30 03:10:27 oc sshd[4520]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jun 30 03:16:16 oc sshd[1458]: Received signal 15; terminating.
    Jun 30 03:16:17 oc sshd[4520]: Exiting on signal 15
    Jun 30 03:16:17 oc sshd[4520]: pam_unix(sshd:session): session closed for user root
    Jun 30 03:17:57 oc sshd[7085]: Server listening on 0.0.0.0 port 22.
    Jun 30 03:17:57 oc sshd[7085]: Server listening on :: port 22.
    Jun 30 03:19:30 oc sshd[7779]: Accepted password for root from 68.231.221.157 port 61700 ssh2
    Jun 30 03:19:30 oc sshd[7779]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jun 30 03:27:33 oc sshd[7085]: Received signal 15; terminating.
    Jun 30 03:27:33 oc sshd[7779]: Exiting on signal 15
    Jun 30 03:27:33 oc sshd[7779]: pam_unix(sshd:session): session closed for user root
    Jun 30 03:28:39 oc sshd[1461]: Server listening on 0.0.0.0 port 22.
    Jun 30 03:28:39 oc sshd[1461]: Server listening on :: port 22.
    Jun 30 03:30:26 oc sshd[2155]: refused connect from 91.208.16.232 (91.208.16.232)
    Jun 30 05:30:00 oc atd[8992]: pam_unix(atd:session): session opened for user root by (uid=0)
    Jun 30 05:30:52 oc atd[8992]: pam_unix(atd:session): session closed for user root
    Jun 30 07:00:18 oc sshd[12028]: refused connect from 92.114.191.15 (92.114.191.15)
    Jun 30 07:00:18 oc sshd[12029]: refused connect from 92.114.191.15 (92.114.191.15)
    Jun 30 07:00:18 oc sshd[12030]: refused connect from 92.114.191.15 (92.114.191.15)
    Jun 30 07:00:18 oc sshd[12031]: refused connect from 92.114.191.15 (92.114.191.15)
    Jun 30 07:00:18 oc sshd[12032]: refused connect from 92.114.191.15 (92.114.191.15)
    Jun 30 10:01:31 oc sshd[17780]: refused connect from 1.93.27.10 (1.93.27.10)
    Jun 30 10:01:42 oc sshd[17781]: refused connect from 1.93.27.10 (1.93.27.10)
    Jun 30 16:32:35 oc sshd[25284]: refused connect from 91.208.16.232 (91.208.16.232)
    Jun 30 17:50:09 oc sshd[26741]: refused connect from 91.208.16.232 (91.208.16.232)
    Jun 30 20:11:37 oc sshd[29445]: refused connect from 198.74.116.2 (198.74.116.2)
    Jun 30 20:11:38 oc sshd[29447]: refused connect from 198.74.116.2 (198.74.116.2)
    Jun 30 20:11:39 oc sshd[29450]: refused connect from 198.74.116.2 (198.74.116.2)
    Jun 30 20:11:39 oc sshd[29451]: refused connect from 198.74.116.2 (198.74.116.2)
    Jun 30 20:11:40 oc sshd[29453]: refused connect from 198.74.116.2 (198.74.116.2)
    Jun 30 21:03:26 oc sshd[31224]: refused connect from 180.179.212.222 (180.179.212.222)
    Jun 30 21:03:26 oc sshd[31225]: refused connect from 180.179.212.222 (180.179.212.222)
    Jun 30 21:03:26 oc sshd[31226]: refused connect from 180.179.212.222 (180.179.212.222)
    Jun 30 21:03:26 oc sshd[31227]: refused connect from 180.179.212.222 (180.179.212.222)
    Jun 30 21:03:26 oc sshd[31228]: refused connect from 180.179.212.222 (180.179.212.222)
    Jun 30 22:51:01 oc sshd[2325]: refused connect from 91.208.16.232 (91.208.16.232)
    Jul  1 00:21:31 oc sshd[4515]: refused connect from 112.78.11.159 (112.78.11.159)
    Jul  1 00:21:31 oc sshd[4516]: refused connect from 112.78.11.159 (112.78.11.159)
    Jul  1 00:21:31 oc sshd[4517]: refused connect from 112.78.11.159 (112.78.11.159)
    Jul  1 00:21:31 oc sshd[4518]: refused connect from 112.78.11.159 (112.78.11.159)
    Jul  1 00:21:31 oc sshd[4519]: refused connect from 112.78.11.159 (112.78.11.159)
    Jul  1 00:45:52 oc sshd[5013]: refused connect from 88.54.56.220 (88.54.56.220)
    Jul  1 00:45:52 oc sshd[5015]: refused connect from 88.54.56.220 (88.54.56.220)
    Jul  1 00:45:52 oc sshd[5014]: refused connect from 88.54.56.220 (88.54.56.220)
    Jul  1 00:45:52 oc sshd[5016]: refused connect from 88.54.56.220 (88.54.56.220)
    Jul  1 00:45:53 oc sshd[5017]: refused connect from 88.54.56.220 (88.54.56.220)
    Jul  1 03:46:10 oc sshd[9108]: refused connect from 64.20.227.133 (64.20.227.133)
    Jul  1 05:14:31 oc sshd[12189]: refused connect from 141.105.68.102 (141.105.68.102)
    Jul  1 05:14:31 oc sshd[12190]: refused connect from 141.105.68.102 (141.105.68.102)
    Jul  1 05:14:32 oc sshd[12191]: refused connect from 141.105.68.102 (141.105.68.102)
    Jul  1 05:36:00 oc atd[16889]: pam_unix(atd:session): session opened for user root by (uid=0)
    Jul  1 05:38:26 oc atd[16889]: pam_unix(atd:session): session closed for user root
    Jul  1 06:02:45 oc sshd[1461]: Received signal 15; terminating.
    Jul  1 06:03:54 oc sshd[1466]: Server listening on 0.0.0.0 port 22.
    Jul  1 06:03:54 oc sshd[1466]: Server listening on :: port 22.
    Jul  1 09:14:30 oc sshd[7570]: refused connect from 1.93.26.26 (1.93.26.26)
    Jul  1 09:14:50 oc sshd[7579]: refused connect from 1.93.26.26 (1.93.26.26)
    Jul  1 10:16:16 oc sshd[9542]: refused connect from 113.171.10.39 (113.171.10.39)
    Jul  1 10:16:16 oc sshd[9543]: refused connect from 113.171.10.39 (113.171.10.39)
    Jul  1 10:16:17 oc sshd[9544]: refused connect from 113.171.10.39 (113.171.10.39)
    Jul  1 10:16:17 oc sshd[9545]: refused connect from 113.171.10.39 (113.171.10.39)
    Jul  1 10:16:17 oc sshd[9546]: refused connect from 113.171.10.39 (113.171.10.39)
    Jul  1 17:13:47 oc sshd[17577]: refused connect from 1.93.37.212 (1.93.37.212)
    Jul  1 17:15:58 oc sshd[17643]: refused connect from 1.93.37.212 (1.93.37.212)
    Jul  1 19:10:52 oc sshd[19577]: refused connect from 71.6.167.142 (71.6.167.142)
    Jul  1 19:10:57 oc sshd[19578]: refused connect from 71.6.167.142 (71.6.167.142)
    Jul  1 19:11:01 oc sshd[19579]: refused connect from 71.6.167.142 (71.6.167.142)
    Jul  1 22:13:51 oc sshd[23456]: refused connect from 209.159.152.202 (209.159.152.202)
    Jul  2 01:33:31 oc sshd[27453]: refused connect from 61.174.51.219 (61.174.51.219)
    Jul  2 01:33:44 oc sshd[27456]: refused connect from 61.174.51.219 (61.174.51.219)
    Jul  2 01:34:26 oc sshd[27467]: refused connect from 61.174.51.219 (61.174.51.219)
    Jul  2 03:48:45 oc sshd[30339]: refused connect from 192.99.200.88 (192.99.200.88)
    Jul  2 06:04:21 oc atd[3710]: pam_unix(atd:session): session opened for user root by (uid=0)
    Jul  2 06:05:01 oc atd[3710]: pam_unix(atd:session): session closed for user root
    Jul  2 07:08:31 oc sshd[5973]: refused connect from 71.6.165.200 (71.6.165.200)
    Jul  2 08:34:11 oc sshd[8975]: refused connect from 189.168.43.148 (189.168.43.148)
    Jul  2 09:23:03 oc sshd[10588]: refused connect from 71.6.165.200 (71.6.165.200)
    Jul  2 09:23:05 oc sshd[10590]: refused connect from 71.6.165.200 (71.6.165.200)
    Jul  2 09:23:11 oc sshd[10592]: refused connect from 71.6.165.200 (71.6.165.200)
    Jul  2 14:48:36 oc sshd[22153]: refused connect from 209.159.152.202 (209.159.152.202)
    Jul  2 16:41:04 oc sshd[26055]: refused connect from 113.171.10.20 (113.171.10.20)
    Jul  2 16:41:04 oc sshd[26056]: refused connect from 113.171.10.20 (113.171.10.20)
    Jul  2 16:41:05 oc sshd[26057]: refused connect from 113.171.10.20 (113.171.10.20)
    Jul  2 16:41:05 oc sshd[26058]: refused connect from 113.171.10.20 (113.171.10.20)
    Jul  2 16:41:06 oc sshd[26061]: refused connect from 113.171.10.20 (113.171.10.20)
    Jul  2 16:55:42 oc sshd[26296]: refused connect from 209.159.152.202 (209.159.152.202)
    Jul  2 17:50:19 oc sshd[27220]: refused connect from 1.93.26.149 (1.93.26.149)
    Jul  2 17:50:27 oc sshd[27223]: refused connect from 1.93.26.149 (1.93.26.149)
    Jul  2 19:59:47 oc sshd[31044]: refused connect from 192.99.200.88 (192.99.200.88)
    Jul  2 21:04:23 oc sshd[738]: refused connect from 198.71.58.200 (198.71.58.200)
    Jul  2 21:04:23 oc sshd[739]: refused connect from 198.71.58.200 (198.71.58.200)
    Jul  2 21:04:23 oc sshd[740]: refused connect from 198.71.58.200 (198.71.58.200)
    Jul  2 21:04:23 oc sshd[741]: refused connect from 198.71.58.200 (198.71.58.200)
    Jul  2 21:04:23 oc sshd[742]: refused connect from 198.71.58.200 (198.71.58.200)
    Jul  2 21:15:16 oc sshd[1116]: refused connect from 209.159.152.202 (209.159.152.202)
    Jul  2 22:55:14 oc sshd[3270]: refused connect from 1.93.34.228 (1.93.34.228)
    Jul  2 22:55:19 oc sshd[3272]: refused connect from 1.93.34.228 (1.93.34.228)
    Jul  2 22:55:24 oc sshd[3280]: refused connect from 1.93.34.228 (1.93.34.228)
    Jul  2 22:56:02 oc sshd[3312]: refused connect from 58.1.224.66 (58.1.224.66)
    Jul  2 22:56:02 oc sshd[3313]: refused connect from 58.1.224.66 (58.1.224.66)
    Jul  2 22:56:05 oc sshd[3314]: refused connect from 58.1.224.66 (58.1.224.66)
    Jul  2 23:36:08 oc sshd[4136]: refused connect from 107.150.39.93 (107.150.39.93)
    Jul  2 23:36:08 oc sshd[4137]: refused connect from 107.150.39.93 (107.150.39.93)
    Jul  2 23:36:08 oc sshd[4139]: refused connect from 107.150.39.93 (107.150.39.93)
    Jul  2 23:36:08 oc sshd[4138]: refused connect from 107.150.39.93 (107.150.39.93)
    Jul  2 23:36:08 oc sshd[4140]: refused connect from 107.150.39.93 (107.150.39.93)
    Jul  3 00:11:30 oc sshd[4834]: refused connect from 209.159.152.202 (209.159.152.202)
    Jul  3 00:18:18 oc sshd[4941]: refused connect from 82.221.105.6 (82.221.105.6)
    Jul  3 04:05:06 oc sshd[9830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.231.221.157  user=root
    Jul  3 04:05:08 oc sshd[9830]: Failed password for root from 68.231.221.157 port 50589 ssh2
    Jul  3 04:05:14 oc sshd[9830]: Accepted password for root from 68.231.221.157 port 50589 ssh2
    Jul  3 04:05:14 oc sshd[9830]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jul  3 04:17:22 oc groupadd[10292]: group added to /etc/group: name=rtkit, GID=494
    Jul  3 04:17:22 oc groupadd[10292]: group added to /etc/gshadow: name=rtkit
    Jul  3 04:17:22 oc groupadd[10292]: new group: name=rtkit, GID=494
    Jul  3 04:17:22 oc useradd[10297]: new user: name=rtkit, UID=495, GID=494, home=/proc, shell=/sbin/nologin
    Jul  3 04:30:24 oc sshd[9830]: pam_unix(sshd:session): session closed for user root
    Jul  3 04:30:37 oc sshd[12282]: Accepted password for root from 68.231.221.157 port 52529 ssh2
    Jul  3 04:30:37 oc sshd[12282]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jul  3 04:33:53 oc sshd[12282]: pam_unix(sshd:session): session closed for user root
    Jul  3 04:33:59 oc sshd[12437]: Accepted password for root from 68.231.221.157 port 52701 ssh2
    Jul  3 04:33:59 oc sshd[12437]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jul  3 04:34:01 oc sshd[12437]: subsystem request for sftp
    Jul  3 04:41:13 oc sshd[12437]: subsystem request for sftp
    Jul  3 05:43:41 oc sshd[12437]: pam_unix(sshd:session): session closed for user root
    Jul  3 06:05:02 oc atd[24557]: pam_unix(atd:session): session opened for user root by (uid=0)
    Jul  3 06:05:43 oc atd[24557]: pam_unix(atd:session): session closed for user root
    Jul  3 06:29:20 oc sshd[25054]: Accepted password for root from 68.231.221.157 port 59814 ssh2
    Jul  3 06:29:20 oc sshd[25054]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jul  3 06:29:21 oc sshd[25054]: subsystem request for sftp
    
    The only approved root access it shows is from me... but it says listening on 0.0.0.0??? Is that my server IP maybe showing up as my server IP getting denied?

    - - - Updated - - -

    What's this in my SSH log?

    Jul 1 05:36:00 oc atd[16889]: pam_unix(atd:session): session opened for user root by (uid=0)
    Jul 1 05:38:26 oc atd[16889]: pam_unix(atd:session): session closed for user root

    Why is my own server IP in the log?

    Jul 1 22:13:51 oc sshd[23456]: refused connect from 209.159.152.202 (209.159.152.202)
     
    #4 Homie2, Jul 3, 2014
    Last edited: Jul 3, 2014
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Have you checked to see if you have any third-party applications or plugins installed that utilize root access? It could be something that's set up as a cron job.

    Note: Please ensure you use the "CODE" tags when pasting a large output of data. I've completed this for you on your previous post.

    Thank you.
     
  6. quizknows

    quizknows Well-Known Member

    This is normal; it's just showing the connection that you're currently using. If you saw another connection from the server to itself, then that would be what you want to investigate.

    "listening on 0.0.0.0" just means that SSH listens on every IP assigned to the server. This is also normal.

    I would start by using ClamAV and/or Maldet to scan your public_html directories for any PHP shell scripts.
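    As an added example (not code from the thread, cPanel or CSF), one way to apply quizknows's advice from posts 2 and 6: pull failed-login source addresses out of lfd/sshd log lines, keep only those that match the server's own IPs, and, on a live box, use lsof to see which local process holds a port-22 connection whose peer is the server itself. The log lines and the 203.0.113.10 address below are constructed sample data, not the OP's real log or IP.

```shell
#!/bin/sh
# Constructed sample of lfd/sshd log lines (placeholder addresses).
SAMPLE_LOG='Jul  2 21:15:18 oc lfd[25905]: Failed SSH login from 203.0.113.10 - ignored
Jul  2 21:15:20 oc sshd[1120]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jul  2 21:15:25 oc sshd[1121]: Failed password for invalid user admin from 203.0.113.10 port 40100 ssh2
Jul  2 21:16:01 oc sshd[1122]: Accepted password for root from 198.51.100.7 port 40023 ssh2'

# Addresses this server owns (constructed). On a live box: LOCAL_IPS="$(hostname -I)".
LOCAL_IPS='203.0.113.10 127.0.0.1'

# Print the source IP of every failed-login line read on stdin
# (both the lfd "Failed SSH login" form and the sshd "Failed password" form).
failed_login_ips() {
    sed -n \
      -e 's/.*Failed SSH login from \([0-9.]*\).*/\1/p' \
      -e 's/.*Failed password for .* from \([0-9.]*\) port.*/\1/p'
}

# Pass through only the IPs that appear in $1 (space-separated list of own IPs).
only_local() {
    local_list=" $1 "
    while read -r ip; do
        case "$local_list" in
            *" $ip "*) printf '%s\n' "$ip" ;;
        esac
    done
}

# Count failed logins whose source is one of the server's own addresses.
# Any non-zero count is the "server trying to ssh into itself" symptom.
self_failures() {
    printf '%s\n' "$1" | failed_login_ips | only_local "$2" | sort | uniq -c
}

# Live follow-up (read-only, not exercised by the sample): list processes holding an
# established SSH connection whose remote side is one of the server's own IPs.
local_ssh_peers() {
    lsof -nP -i TCP:22 -s TCP:ESTABLISHED 2>/dev/null | awk -v ips="$1" '
        BEGIN { n = split(ips, a, " "); for (i = 1; i <= n; i++) own[a[i]] = 1 }
        NR > 1 { peer = $9; sub(/.*->/, "", peer); sub(/:[0-9]+$/, "", peer)
                 if (peer in own) print $1, "pid=" $2, $9 }'
}

self_failures "$SAMPLE_LOG" "$LOCAL_IPS"
```

    The PID reported by local_ssh_peers is the one to inspect (its cwd and open files), which is how a brute-forcing PHP script in a web root is traced back to the account hosting it.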
     
  7. Homie2

    Homie2 Well-Known Member

    Hmm, since I ran root kit and ClamAV, I'm not getting my server trying to log in to SSH anymore. It found tons of Trojans and malware in my email (ClamAV).

    But those viruses don't affect Linux, only Windows?

    Thanks
     
  8. quizknows

    quizknows Well-Known Member

    Yeah, typically you can ignore ClamAV hits in mail directories; it only really matters in most cases if the hits are in public_html.
     