What is this in /var/log/messages

Discussion in 'General Discussion' started by foxdevil, May 19, 2008.

  1. foxdevil

    When I opened the file /etc/log/messages I found the following messages. What is this...

    ==========================================================
    May 19 09:26:51 xxx kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=189.141.119.221 DST=xxx.xxx.xxx.xx LEN=48 TOS=0x04 PREC=0xC0 TTL=115 ID=4919 DF PROTO=TCP SPT=4510 DPT=4899 WINDOW=64240 RES=0x00 SYN URGP=0
    May 19 09:26:51 xxx kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=189.141.119.221 DST=xxx.xxx.xxx.xx LEN=48 TOS=0x04 PREC=0xC0 TTL=115 ID=4925 DF PROTO=TCP SPT=4515 DPT=4899 WINDOW=64240 RES=0x00 SYN URGP=0
    May 19 09:27:20 xxx kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=xxx.xxx.xxx.xx DST=218.104.68.244 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=34387 DF PROTO=TCP SPT=80 DPT=13039 WINDOW=7504 RES=0x00 ACK URGP=0
    May 19 09:28:42 xxx kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=xxx.xxx.xxx.xx DST=218.104.68.244 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=34389 DF PROTO=TCP SPT=80 DPT=13039 WINDOW=7504 RES=0x00 ACK URGP=0
    May 19 09:28:58 xxx kernel: ** SSH ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=122.160.224.58 DST=xxx.xxx.xxx.xx LEN=60 TOS=0x04 PREC=0xC0 TTL=45 ID=27682 DF PROTO=TCP SPT=60654 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    May 19 09:28:58 xxx kernel: ** SSH ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=122.160.224.58 DST=xxx.xxx.xxx.xx LEN=60 TOS=0x04 PREC=0xC0 TTL=45 ID=34864 DF PROTO=TCP SPT=2226 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    May 19 09:29:01 xxx kernel: ** SSH ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=122.160.224.58 DST=xxx.xxx.xxx.xx LEN=60 TOS=0x04 PREC=0xC0 TTL=45 ID=34865 DF PROTO=TCP SPT=2226 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    =====================================================

    Last week my website was hacked by Ottoman Empire; the hacker changed my index.php to direct to another site.

    When I could change it back, I disabled root access to SSH and changed the user name and password to something longer than 20 characters.

    After that I changed the APF rules, installed BFD, and blocked some IPs in APF.

    Yesterday I found these messages and I don't know what happened. Can someone tell me more?

    Thanks in advance

    ***
    My server uses the following:

    WHM 11.15.0 cPanel 11.18.6-S24255
    CENTOS Enterprise 4.6 x86_64 on standard - WHM X v3.1.0
    ***
     
  2. Kailash1

    Looks like the same entry as in the ip_conntrack file.

    It seems that it is showing the connections to your server.

    Kailash
     
  3. foxdevil

    ...

    =========================================
    ** SSH ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=122.160.224.58
    =========================================
    Some of the IPs show up in blacklists on many websites.
    Is this message possibly a hacker trying to access the SSH port?
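
An added example (not part of the thread, and not cPanel or APF code): a small Python parser for kernel firewall log lines in the layout quoted above, a `** label **` prefix followed by KEY=VALUE fields and bare TCP flags, which counts packets per label, direction, remote address and local port. The sample lines and their addresses are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the thread's log layout; addresses are documentation ranges.
IN_HDR = "IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00"
SAMPLE = f"""\
May 19 09:26:51 host kernel: ** IN_TCP DROP ** {IN_HDR} SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TTL=115 ID=4919 DF PROTO=TCP SPT=4510 DPT=4899 WINDOW=64240 RES=0x00 SYN URGP=0
May 19 09:27:20 host kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=1500 TTL=64 ID=34387 DF PROTO=TCP SPT=80 DPT=13039 WINDOW=7504 RES=0x00 ACK URGP=0
May 19 09:28:58 host kernel: ** SSH ** {IN_HDR} SRC=203.0.113.44 DST=192.0.2.10 LEN=60 TTL=45 ID=27682 DF PROTO=TCP SPT=60654 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 19 09:29:01 host kernel: ** SSH ** {IN_HDR} SRC=203.0.113.44 DST=192.0.2.10 LEN=60 TTL=45 ID=34865 DF PROTO=TCP SPT=2226 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 19 09:30:00 host sshd[311]: unrelated line that must be skipped
"""

# "** <label> **" is the prefix the firewall rule attached to the logged packet.
LINE_RE = re.compile(r"kernel: \*\* (?P<label>.+?) \*\* (?P<fields>.*)$")

def parse_line(line):
    """Return a dict of the packet fields, or None for non-firewall lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = {"label": m["label"], "flags": []}
    for tok in m["fields"].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value          # e.g. SRC, DPT; OUT is "" on inbound packets
        else:
            rec["flags"].append(tok)  # bare tokens: DF, SYN, ACK, ...
    return rec

def is_new_connection(rec):
    """A SYN without ACK is the first packet of a TCP connection attempt."""
    return "SYN" in rec["flags"] and "ACK" not in rec["flags"]

def summarize(text):
    """Count packets per (label, direction, remote address, local port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        inbound = bool(rec.get("IN"))  # IN= is empty for locally generated packets
        remote = rec["SRC"] if inbound else rec["DST"]
        local_port = int(rec["DPT"] if inbound else rec["SPT"])
        counts[(rec["label"], "in" if inbound else "out", remote, local_port)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

Grouping by remote address and local port shows at a glance which sources keep sending new connection attempts to a service such as port 22, and which entries are outbound packets from a local service.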
     