Brute force attacks originating from my server

#1 Mon, 08/31/2009 - 20:41
iambacon


I got a dedicated server a few days ago. This morning I set up virtualmin and moved my personal sites on to the server. Then I got this Abuse Warning from the data center:

Dear Customer,

We have received reports of brute force attacks originating from this server. This indicates possible server compromise, and it is your responsibility to investigate and resolve. However, should you require help, please contact our professional service. Be advised that should we receive further reports we may be forced to step in to prevent further abuse of our networks. For your convenience, please see attached report.

Regards, Nick Abuse Department XXX XYZ

Time: Mon Aug 31 05:02:26 2009 -0500
IP: 174.120.xxx.xxx
Failures: 5 (sshd)
Interval: 300 seconds
Blocked: Yes

Log entries:

Aug 31 05:02:22 whm sshd[9165]: Invalid user t1na from 174.120.xxx.xxx
Aug 31 05:02:24 whm sshd[9165]: Failed password for invalid user t1na from 174.120.xxx.xx port 59515 ssh2
Aug 31 05:02:24 whm sshd[9167]: Invalid user t1na from 174.120.xxx.xxx
Aug 31 05:02:26 whm sshd[9167]: Failed password for invalid user t1na from 174.120.xxx.xxx port 59766 ssh2
Aug 31 05:02:26 whm sshd[9169]: Invalid user logic from 174.120.xxx.xxx

Has anyone had this problem before? =/
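The report quoted in the post above is a sliding-window count of sshd failures per source address: five failures inside 300 seconds and the address is blocked. The following is an added example, not code from the thread or from the data center, that reproduces that check over constructed log lines in the same shape as the quoted ones (RFC 5737 addresses stand in for the masked ones). Counting both "Invalid user" and "Failed password" lines as one failure each is an assumption that gives five failures for the five quoted lines.

```python
"""Sliding-window count of sshd authentication failures per source IP.

Added example, not code from the thread or from the data center: it
reproduces the kind of check behind the 'Failures: 5 (sshd) Interval: 300
seconds' line in the abuse mail, run over constructed log lines in the
same shape as the ones quoted. Both 'Invalid user' and 'Failed password'
lines are counted as one failure each (an assumption), which is what gives
five failures for the five quoted lines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# The two sshd line shapes quoted in the report. Syslog timestamps carry no
# year, so the caller supplies it.
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from (?P<ip1>\S+)"
    r"|Failed password for (?:invalid user )?\S+ from (?P<ip2>\S+) port \d+)"
)

# Constructed sample: the five quoted lines with RFC 5737 addresses in place
# of the masked ones, plus one stray failure and one successful login from a
# second host that must not trigger a report.
SAMPLE_LOG = """\
Aug 31 05:02:22 whm sshd[9165]: Invalid user t1na from 203.0.113.10
Aug 31 05:02:24 whm sshd[9165]: Failed password for invalid user t1na from 203.0.113.10 port 59515 ssh2
Aug 31 05:02:24 whm sshd[9167]: Invalid user t1na from 203.0.113.10
Aug 31 05:02:26 whm sshd[9167]: Failed password for invalid user t1na from 203.0.113.10 port 59766 ssh2
Aug 31 05:02:26 whm sshd[9169]: Invalid user logic from 203.0.113.10
Aug 31 05:09:00 whm sshd[9200]: Failed password for root from 198.51.100.7 port 40001 ssh2
Aug 31 05:20:00 whm sshd[9210]: Accepted publickey for deploy from 198.51.100.7 port 40010 ssh2
""".splitlines()


def parse_failure(line, year=2009):
    """Return (timestamp, source_ip) for a failure line, else None."""
    m = FAILURE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip1") or m.group("ip2")


def detect_bruteforce(lines, threshold=5, interval=300, year=2009):
    """Return one (ip, time, failures) tuple per source IP that reaches
    `threshold` failures inside any `interval`-second window.

    The window is cleared after a report, so one burst yields one report,
    which is the 'Blocked: Yes' moment in the quoted mail. A real blocker
    would add a firewall rule here instead of just recording the event.
    """
    windows = defaultdict(deque)
    reports = []
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        window = windows[ip]
        window.append(ts)
        # Drop events that fell out of the interval relative to this one.
        while (ts - window[0]).total_seconds() > interval:
            window.popleft()
        if len(window) >= threshold:
            reports.append((ip, ts, len(window)))
            window.clear()
    return reports


if __name__ == "__main__":
    for ip, ts, n in detect_bruteforce(SAMPLE_LOG):
        print(f"Time: {ts:%a %b %d %H:%M:%S %Y} IP: {ip} "
              f"Failures: {n} (sshd) Interval: 300 seconds Blocked: Yes")
```

Run against a real auth log with `detect_bruteforce(open("/var/log/secure"))`; the single stray failure from the second host is kept in its window but never reaches the threshold, and the "Accepted publickey" line is not a failure at all.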

Mon, 08/31/2009 - 21:21
andreychek

Howdy,

Well, that's a common problem to have if an attacker finds a way to take advantage of a web application vulnerability, or perhaps guess a system password.

There are a number of "tools" attackers can use to generate new attacks from your server.

What I'd be on the lookout for are three things:

  1. Unusual processes running on your system -- and particularly those taking up a lot of resources.

  2. Web applications that aren't current -- numerous web apps have had vulnerabilities that could allow someone to generate attacks. Verify that all the web apps running on your system are at the very latest version.

  3. Make sure your system is fully up to date, and not running any daemons/services you don't need.

You might consider running tools such as rkhunter and chkrootkit. They aren't a substitute for doing a thorough inspection of all the above, but they could assist in finding some things.

-Eric
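Step 1 of the checklist above, finding the unusual process, has a direct handle in this case: whatever is brute-forcing other hosts must hold sockets to port 22 on them, so `ss -tnp` (iproute2) points straight at it. The following is an added example, not code from the thread or from Virtualmin. Inbound sshd sessions have local port 22 and are ignored; outbound ones have peer port 22. The sample `ss` output, the process names and the PIDs are constructed for the example.

```python
"""Find which local process is making the outbound ssh connections.

Added example, not from the thread: step 1 of the checklist above made
concrete. The brute-force tool has to hold sockets to port 22 on its
targets, so the output of `ss -tnp` (iproute2) points straight at it.
Inbound sshd sessions have local port 22 and are ignored; outbound ones
have peer port 22. The sample `ss` output, the process names and the PIDs
below are constructed for the example.
"""
import os
import re
import subprocess
from collections import Counter

# One `ss -tnp` row. Newer iproute2 prints users:(("perl",pid=9165,fd=3)),
# older releases print users:(("perl",9165,3)); both are accepted.
SS_ROW_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",(?:pid=)?(?P<pid>\d+),)?'
)

# Constructed sample output: one inbound admin session, a perl process with
# three sockets to port 22 on three hosts, one interactive ssh client and an
# unrelated web connection.
SAMPLE_SS = """\
State    Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB    0      0      10.0.0.5:22         198.51.100.7:40010  users:(("sshd",pid=2310,fd=3))
ESTAB    0      0      10.0.0.5:59515      203.0.113.7:22      users:(("perl",pid=9165,fd=3))
ESTAB    0      0      10.0.0.5:59766      203.0.113.8:22      users:(("perl",pid=9165,fd=4))
SYN-SENT 0      1      10.0.0.5:59800      203.0.113.9:22      users:(("perl",pid=9165,fd=5))
ESTAB    0      0      10.0.0.5:44120      198.51.100.20:22    users:(("ssh",pid=2450,fd=3))
ESTAB    0      0      10.0.0.5:80         198.51.100.30:51000 users:(("httpd",pid=1801,fd=9))
"""


def outbound_to_port(ss_text, port=22):
    """Return [(pid, program, peer)] for sockets connecting out to `port`."""
    hits = []
    for row in ss_text.splitlines():
        m = SS_ROW_RE.match(row.strip())
        if not m or m.group("state") not in ("ESTAB", "SYN-SENT"):
            continue
        _, _, peer_port = m.group("peer").rpartition(":")
        if peer_port != str(port):
            continue
        pid = int(m.group("pid")) if m.group("pid") else None
        hits.append((pid, m.group("proc"), m.group("peer")))
    return hits


def by_process(hits):
    """Count outbound connections per (pid, program); the scanner is the one
    with many. An interactive `ssh` client normally has exactly one."""
    return dict(Counter((pid, proc) for pid, proc, _ in hits))


def describe_pid(pid):
    """Where the process binary and working directory live. A scanner dropped
    through a web app usually runs from /tmp, /dev/shm or the site's docroot,
    and readlink reports ' (deleted)' if the binary was unlinked after start."""
    info = {}
    for name in ("exe", "cwd"):
        try:
            info[name] = os.readlink(f"/proc/{pid}/{name}")
        except OSError as err:
            info[name] = f"<{err.strerror}>"
    return info


def live_check(port=22):
    """Run `ss -tnp` on this host (as root, so PIDs are shown) and report."""
    out = subprocess.run(["ss", "-tnp"], capture_output=True, text=True,
                         check=True).stdout
    counts = by_process(outbound_to_port(out, port))
    for (pid, proc), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"pid {pid} ({proc}): {n} connection(s) to port {port}",
              describe_pid(pid) if pid else "")


if __name__ == "__main__":
    print(by_process(outbound_to_port(SAMPLE_SS)))
```

Run `live_check()` as root on the suspect host; on the sample data it singles out the perl process with three port-22 peers while the lone `ssh` client and the inbound `sshd` session stay out of the list. Once the PID is known, `/proc/PID/cwd` and the owning user (typically the web server's account when the entry point was a web app) tell you which site to look at for the dropped files.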

Mon, 08/31/2009 - 22:45
iambacon

Thanks... this was weird. Deleted WordPress and everything went back to normal.
