What is this in /var/log/messages

Discussion in 'General Discussion' started by foxdevil, May 19, 2008.

  1. foxdevil

    When I opened the file /etc/log/messages I found the following messages, what is this...

    ==========================================================
    May 19 09:26:51 xxx kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=189.141.119.221 DST=xxx.xxx.xxx.xx LEN=48 TOS=0x04 PREC=0xC0 TTL=115 ID=4919 DF PROTO=TCP SPT=4510 DPT=4899 WINDOW=64240 RES=0x00 SYN URGP=0
    May 19 09:26:51 xxx kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=189.141.119.221 DST=xxx.xxx.xxx.xx LEN=48 TOS=0x04 PREC=0xC0 TTL=115 ID=4925 DF PROTO=TCP SPT=4515 DPT=4899 WINDOW=64240 RES=0x00 SYN URGP=0
    May 19 09:27:20 xxx kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=xxx.xxx.xxx.xx DST=218.104.68.244 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=34387 DF PROTO=TCP SPT=80 DPT=13039 WINDOW=7504 RES=0x00 ACK URGP=0
    May 19 09:28:42 xxx kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=xxx.xxx.xxx.xx DST=218.104.68.244 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=34389 DF PROTO=TCP SPT=80 DPT=13039 WINDOW=7504 RES=0x00 ACK URGP=0
    May 19 09:28:58 xxx kernel: ** SSH ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=122.160.224.58 DST=xxx.xxx.xxx.xx LEN=60 TOS=0x04 PREC=0xC0 TTL=45 ID=27682 DF PROTO=TCP SPT=60654 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    May 19 09:28:58 xxx kernel: ** SSH ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=122.160.224.58 DST=xxx.xxx.xxx.xx LEN=60 TOS=0x04 PREC=0xC0 TTL=45 ID=34864 DF PROTO=TCP SPT=2226 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    May 19 09:29:01 xxx kernel: ** SSH ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=122.160.224.58 DST=xxx.xxx.xxx.xx LEN=60 TOS=0x04 PREC=0xC0 TTL=45 ID=34865 DF PROTO=TCP SPT=2226 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    =====================================================

    Last week my website was hacked by Ottoman Empire; the hacker changed my index.php to redirect to another site.

    When I could change it back, I disabled root access to ssh and changed the user name and password to long ones of more than 20 characters.

    After that I changed the apf rules, installed BFD and blocked some IPs in apf.

    Yesterday I found some messages and I don't know what is happening; can someone tell me more?

    Thanks in advance

    ***
    My server uses the below:

    WHM 11.15.0 cPanel 11.18.6-S24255
    CENTOS Enterprise 4.6 x86_64 on standard - WHM X v3.1.0
    ***
     
  2. Kailash1

    Looks like the same entries as in the ip_conntrack file.

    It seems that it is showing the connections to your server.

    Kailash
     
  3. foxdevil

    ...

    =========================================
    ** SSH ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=122.160.224.58
    =========================================
    Some of the IPs show up in blacklists on many web sites.
    Is this message possibly a hacker trying to access the ssh port?
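
For reading entries like the ones quoted in this thread, here is an added example (not written by any poster and not part of cPanel, APF or BFD): a small Python parser that groups such lines by log prefix, direction, remote address, destination port and TCP flags. It assumes the `** prefix **` tag and `KEY=value` layout seen in the excerpt; the function names are illustrative.

```python
import re
from collections import Counter

# Sample input: the seven log lines posted in the thread, masking unchanged.
SAMPLE = """\
May 19 09:26:51 xxx kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=189.141.119.221 DST=xxx.xxx.xxx.xx LEN=48 TOS=0x04 PREC=0xC0 TTL=115 ID=4919 DF PROTO=TCP SPT=4510 DPT=4899 WINDOW=64240 RES=0x00 SYN URGP=0
May 19 09:26:51 xxx kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=189.141.119.221 DST=xxx.xxx.xxx.xx LEN=48 TOS=0x04 PREC=0xC0 TTL=115 ID=4925 DF PROTO=TCP SPT=4515 DPT=4899 WINDOW=64240 RES=0x00 SYN URGP=0
May 19 09:27:20 xxx kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=xxx.xxx.xxx.xx DST=218.104.68.244 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=34387 DF PROTO=TCP SPT=80 DPT=13039 WINDOW=7504 RES=0x00 ACK URGP=0
May 19 09:28:42 xxx kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=xxx.xxx.xxx.xx DST=218.104.68.244 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=34389 DF PROTO=TCP SPT=80 DPT=13039 WINDOW=7504 RES=0x00 ACK URGP=0
May 19 09:28:58 xxx kernel: ** SSH ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=122.160.224.58 DST=xxx.xxx.xxx.xx LEN=60 TOS=0x04 PREC=0xC0 TTL=45 ID=27682 DF PROTO=TCP SPT=60654 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 19 09:28:58 xxx kernel: ** SSH ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=122.160.224.58 DST=xxx.xxx.xxx.xx LEN=60 TOS=0x04 PREC=0xC0 TTL=45 ID=34864 DF PROTO=TCP SPT=2226 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 19 09:29:01 xxx kernel: ** SSH ** IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=122.160.224.58 DST=xxx.xxx.xxx.xx LEN=60 TOS=0x04 PREC=0xC0 TTL=45 ID=34865 DF PROTO=TCP SPT=2226 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Assumed layout: syslog header, "kernel:", a "** prefix **" tag, then fields.
LINE_RE = re.compile(r"kernel: \*\* (?P<prefix>.+?) \*\* (?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Split one firewall log line into prefix, KEY=value fields and TCP flags."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = {"prefix": m.group("prefix"), "flags": []}
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val            # e.g. SRC, DST, PROTO, SPT, DPT
        elif tok in TCP_FLAGS:
            rec["flags"].append(tok)  # bare tokens such as SYN or ACK
    return rec

def summarize(text):
    """Count lines per (prefix, direction, remote address, dest port, flags)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or "DPT" not in rec:
            continue
        inbound = bool(rec.get("IN"))  # IN= is empty on locally sent packets
        remote = rec.get("SRC") if inbound else rec.get("DST")
        key = (rec["prefix"], "inbound" if inbound else "outbound",
               remote, int(rec["DPT"]), "+".join(rec["flags"]))
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

On the excerpt this yields three groups: two inbound SYN packets to port 4899 from 189.141.119.221, two outbound ACK packets from port 80 to 218.104.68.244, and three inbound SYN packets to port 22 from 122.160.224.58.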
     