hack attempt on my server...What do you do about this?

Scot L. Harris webid at cfl.rr.com
Sat Jul 17 21:22:58 UTC 2004


On Sat, 2004-07-17 at 15:40, Jonathan T. Steadman wrote:
> Sorry this is yet another lame question, but I am new to hosting a web
> server etc., just kinda experimenting actually, and in my logs I came
> across some garbage (it's at the bottom of this email). What do you do
> about this?  Just let it be? Inform the ISP?  Wait and see if it is more
> continuous?  Don't know the proper thing to do, I guess; just making sure
> with you guys.
> 
> Jul 17 14:42:24 localhost sshd[6746]: Illegal user test from
> 130.120.81.14
> Jul 17 14:42:26 localhost sshd[6746]: Failed password for illegal user
> test from 130.120.81.14 port 48692 ssh2
> Jul 17 14:42:27 localhost sshd[6748]: Illegal user guest from
> 130.120.81.14
> Jul 17 14:42:30 localhost sshd[6748]: Failed password for illegal user
> guest from 130.120.81.14 port 48753 ssh2
> Jul 17 14:42:31 localhost sshd[6750]: Illegal user admin from
> 130.120.81.14
> Jul 17 14:42:33 localhost sshd[6750]: Failed password for illegal user
> admin from 130.120.81.14 port 48807 ssh2
> Jul 17 14:42:34 localhost sshd[6752]: Illegal user admin from
> 130.120.81.14
> Jul 17 14:42:37 localhost sshd[6752]: Failed password for illegal user
> admin from 130.120.81.14 port 48849 ssh2
> Jul 17 14:42:38 localhost sshd[6754]: Illegal user user from
> 130.120.81.14
> Jul 17 14:42:40 localhost sshd[6754]: Failed password for illegal user
> user from 130.120.81.14 port 48879 ssh2
> Jul 17 14:42:43 localhost sshd[6756]: Failed password for root from
> 130.120.81.14 port 48900 ssh2
> Jul 17 14:42:47 localhost sshd[6758]: Failed password for root from
> 130.120.81.14 port 48913 ssh2
> Jul 17 14:42:50 localhost sshd[6760]: Failed password for root from
> 130.120.81.14 port 48924 ssh2
> Jul 17 14:42:51 localhost sshd[6762]: Illegal user test from
> 130.120.81.14
> Jul 17 14:42:54 localhost sshd[6762]: Failed password for illegal user
> test from 130.120.81.14 port 48931 ssh2

First thing is to block that IP address (or even that entire subnet)
using iptables.

Second make sure root access via ssh has been disabled.  (modify the
/etc/ssh/sshd_config file and comment out PermitRootLogin.)

Third make sure you have good passwords on all accounts.

Fourth check your logs for any logins that succeeded near the time this
attack occurred.  If there were any try to check the history on each to
see what was done.

Fifth run a tripwire report if you have it installed.  If you don't have
it installed install it and set it up.  Won't help for this instance but
maybe next time it will.  This is one way to try to find out if anything
critical was modified or added.

Sixth turn off any services not really needed and configure iptables to
block everything but what is really needed.

You may also want to setup snort to monitor the traffic going to your
server.  I believe it can be configured to alert you when something like
this is occurring.

And if you think the system was compromised you may want to replace it
with another system while you reload everything on it from backups or
from scratch.

-- 
Scot L. Harris
webid at cfl.rr.com

That's always the way when you discover something new; everyone thinks
you're crazy.
		-- Evelyn E. Smith 
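As an added example (not part of the thread and not Scot's or Jonathan's code), here is a small POSIX shell script that does the log side of the steps above: it counts failed sshd logins per source address, prints (but does not apply) the iptables rules that would block the sources over a threshold, lists successful logins to review, and checks an sshd_config fragment for an explicit "PermitRootLogin no". Everything is read from stdin, so it runs offline on the constructed sample below. The sample is the log quoted in the post, re-joined onto one line each, plus two invented lines that are not in the post: an unrelated failure from 192.0.2.10 (an RFC 5737 documentation address) and a made-up successful root login from the attacking address, added only so the "successful logins" check has something to find. The threshold of 5 failures is an arbitrary choice for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. Triage helpers for sshd
# logs like the one quoted in the post. Nothing here touches the firewall
# or sshd; rules and findings are only printed.

# Constructed sample log: the quoted lines plus two lines NOT in the post
# (the 192.0.2.10 failure and the "Accepted password for root" line),
# added only to exercise the checks below.
sample_log() {
    cat <<'EOF'
Jul 17 14:42:24 localhost sshd[6746]: Illegal user test from 130.120.81.14
Jul 17 14:42:26 localhost sshd[6746]: Failed password for illegal user test from 130.120.81.14 port 48692 ssh2
Jul 17 14:42:27 localhost sshd[6748]: Illegal user guest from 130.120.81.14
Jul 17 14:42:30 localhost sshd[6748]: Failed password for illegal user guest from 130.120.81.14 port 48753 ssh2
Jul 17 14:42:31 localhost sshd[6750]: Illegal user admin from 130.120.81.14
Jul 17 14:42:33 localhost sshd[6750]: Failed password for illegal user admin from 130.120.81.14 port 48807 ssh2
Jul 17 14:42:34 localhost sshd[6752]: Illegal user admin from 130.120.81.14
Jul 17 14:42:37 localhost sshd[6752]: Failed password for illegal user admin from 130.120.81.14 port 48849 ssh2
Jul 17 14:42:38 localhost sshd[6754]: Illegal user user from 130.120.81.14
Jul 17 14:42:40 localhost sshd[6754]: Failed password for illegal user user from 130.120.81.14 port 48879 ssh2
Jul 17 14:42:43 localhost sshd[6756]: Failed password for root from 130.120.81.14 port 48900 ssh2
Jul 17 14:42:47 localhost sshd[6758]: Failed password for root from 130.120.81.14 port 48913 ssh2
Jul 17 14:42:50 localhost sshd[6760]: Failed password for root from 130.120.81.14 port 48924 ssh2
Jul 17 14:42:51 localhost sshd[6762]: Illegal user test from 130.120.81.14
Jul 17 14:42:54 localhost sshd[6762]: Failed password for illegal user test from 130.120.81.14 port 48931 ssh2
Jul 17 14:43:05 localhost sshd[6764]: Accepted password for root from 130.120.81.14 port 48950 ssh2
Jul 17 14:51:12 localhost sshd[6790]: Failed password for illegal user oracle from 192.0.2.10 port 51020 ssh2
EOF
}

failed_by_ip() {
    # usage: failed_by_ip < sshd.log  ->  "count ip", busiest source first.
    # Only "Failed password" lines are counted; the "Illegal user" line for
    # the same attempt would double the count. The source is the token
    # after "from", which works for both the illegal-user and root forms.
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

offending_ips() {
    # usage: offending_ips THRESHOLD < sshd.log  ->  sources with >= THRESHOLD failures
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

block_rules() {
    # usage: block_rules THRESHOLD < sshd.log  ->  one iptables command per source.
    # Printed for review; pipe into sh only after reading them.
    offending_ips "$1" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

accepted_logins() {
    # usage: accepted_logins < sshd.log  ->  "Mon DD HH:MM:SS user ip" per success.
    # These are the logins to compare against the attack window and whose
    # shell history should be checked.
    awk '/sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
             u = ""; ip = ""
             for (i = 1; i <= NF; i++) {
                 if ($i == "for") u = $(i + 1)
                 if ($i == "from") ip = $(i + 1)
             }
             printf "%s %s %s %s %s\n", $1, $2, $3, u, ip
         }'
}

check_root_login() {
    # usage: check_root_login < sshd_config  ->  "ok" only for an uncommented
    # "PermitRootLogin no". A commented-out or absent directive leaves the
    # daemon's built-in default in force, so it is flagged for review.
    awk 'BEGIN { v = "absent" }
         /^[ \t]*PermitRootLogin[ \t]/ { v = tolower($2) }
         END { print (v == "no") ? "ok" : "review: PermitRootLogin " v }'
}

sample_sshd_config() {
    # Constructed sshd_config fragment with the directive commented out.
    printf '%s\n' '#PermitRootLogin yes' 'Protocol 2' 'PermitEmptyPasswords no'
}

# Stand-alone run over the constructed sample.
echo "== failed logins per source ==";           sample_log | failed_by_ip
echo "== rules for sources with >= 5 failures =="; sample_log | block_rules 5
echo "== successful logins to review ==";        sample_log | accepted_logins
echo "== sshd_config ==";                        sample_sshd_config | check_root_login
```

On a real host the same functions take the live log, e.g. `failed_by_ip < /var/log/auth.log` (or `/var/log/secure`, depending on the distribution), and `check_root_login < /etc/ssh/sshd_config`. The rules are deliberately printed rather than executed so a typo in the threshold cannot lock you out of your own box.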