
Server Attack??

Discussion in 'Plesk for Linux - 8.x and Older' started by arctic_ged, Apr 10, 2007.

  1. arctic_ged

    arctic_ged Guest

    Hi all,

    My server went down last night,

    I had a look at the logs and this is what I found in var/log/messages


    Apr 9 19:43:17 s15248676 sshd(pam_unix)[16767]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
    Apr 9 19:43:19 s15248676 sshd(pam_unix)[16774]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
    Apr 9 19:43:22 s15248676 sshd(pam_unix)[16781]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
    Apr 9 19:43:25 s15248676 sshd(pam_unix)[16788]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
    Apr 9 19:43:28 s15248676 sshd(pam_unix)[16795]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
    Apr 9 19:43:31 s15248676 sshd(pam_unix)[16802]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
    Apr 9 19:43:34 s15248676 sshd(pam_unix)[16809]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
    Apr 9 19:43:37 s15248676 sshd(pam_unix)[16816]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
    Apr 9 19:43:40 s15248676 sshd(pam_unix)[16823]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
    Apr 9 19:43:43 s15248676 sshd(pam_unix)[16830]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
    Apr 9 19:43:46 s15248676 sshd(pam_unix)[16837]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root

    There are hundreds of these messages just before the server went down. Also, in etc/httpd/logs/error_log there are hundreds of entries like this:

    [Sun Apr 08 21:32:39 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.2-rc1
    [Sun Apr 08 21:32:39 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.2-beta1
    [Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.2
    [Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.2-pl1
    [Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.3-rc1
    [Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.3
    [Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.3-pl1
    [Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.4-rc1
    [Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.4-pl1
    [Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.4-pl2
    [Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.4-pl3
    [Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.4-pl4
    [Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.4
    [Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.7.0-beta1
    [Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.7.0-rc1
    [Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.7.0-pl1
    [Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.7.0-pl2
    [Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.7.0
    [Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.0-beta1
    [Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.0-rc1
    [Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.0-rc2
    [Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.0
    [Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.0.1
    [Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.0.2
    [Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.0.3
    [Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.0.4
    [Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.1-rc1
    [Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.1
    [Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.2
    [Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/admin
    [Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/admin


    Am I right to assume that the messages in the first log suggest that someone has been continuously trying to log into the server using SSH and in the second log that they were trying to find a control panel of the server??

    Could this have caused the server to crash??

    Any help would be really appreciated..
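    As an added example (not from the original post or from Plesk), here is a small triage script that parses the two log formats quoted above, counts authentication failures per source host and user, counts "File does not exist" hits on admin-panel-looking paths per client IP, and flags any source over a threshold; the sample lines are constructed in the same format, with the extra hosts 198.51.100.7 and 203.0.113.5 invented for contrast.

```python
import re
from collections import Counter

# Constructed sample input in the formats quoted in the post
# (the 198.51.100.7 and 203.0.113.5 lines are invented for contrast).
SSH_LOG = """\
Apr 9 19:43:17 s15248676 sshd(pam_unix)[16767]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
Apr 9 19:43:19 s15248676 sshd(pam_unix)[16774]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
Apr 9 19:43:22 s15248676 sshd(pam_unix)[16781]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
Apr 9 19:50:01 s15248676 sshd(pam_unix)[16900]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=admin
"""

HTTPD_LOG = """\
[Sun Apr 08 21:32:39 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.2-rc1
[Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.3
[Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/admin
[Sun Apr 08 21:40:00 2007] [error] [client 203.0.113.5] File does not exist: /var/www/vhosts/default/htdocs/favicon.ico
"""

# pam_unix "authentication failure" lines from sshd in /var/log/messages
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*rhost=(?P<rhost>\S+) user=(?P<user>\S+)")
# Apache 1.3/2.0 style error_log "File does not exist" lines
HTTPD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>\S+)")
# Last path segment that looks like a control-panel / DB-admin probe
PROBE_PATHS = re.compile(r"/(phpmyadmin|pma|admin|mysql)[^/]*$", re.I)

def ssh_failures(text):
    """Failed SSH logins per (rhost, user), and per (rhost, minute) for burst spotting."""
    per_source, per_minute = Counter(), Counter()
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            per_source[(m["rhost"], m["user"])] += 1
            per_minute[(m["rhost"], m["ts"][:-3])] += 1  # drop the seconds
    return per_source, per_minute

def http_probes(text):
    """Missing-file hits on admin-panel-looking paths, per client IP."""
    hits = Counter()
    for line in text.splitlines():
        m = HTTPD_RE.match(line)
        if m and PROBE_PATHS.search(m["path"]):
            hits[m["ip"]] += 1
    return hits

def flag_sources(counts, threshold):
    """Keys whose count reaches the threshold, sorted for stable reporting."""
    return sorted(k for k, n in counts.items() if n >= threshold)
```

Run against real files by passing their contents to the two functions; a raised threshold (say 50 in a minute) separates a brute-force burst from an occasional mistyped password.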
     
  2. eugenevdm

    eugenevdm Silver Pleskian

    Well, of course there could be a correlation between someone trying to break into your system and the server going down, but the link between your log files and the actual server going down is too abstract to reliably ascertain this. You will have to do a fairly detailed analysis of your server in order to ascertain why it went down. The log file doesn't say much about why the server went down.

    Use a tool such as 'top' to see what's going on on the server, and look at the bash history files. Run a program that looks for rootkits. Lots of time and research coming up.
     
  3. faris

    faris Guest

    What Eugenevdm says is totally correct.

    Let me add one little thing. When you get back up and running, the first thing you might want to do is ditch the plesk firewall and use the apf firewall instead.

    There is no graphical interface for apf, but personally I find it easier to config than Plesk's (probably because it has no graphical interface!). It includes two useful features: 1) it can automatically block certain types of attack and 2) it can automatically download a list of IPs that are known to be the source of certain suspicious activity. It is also more robust than the Plesk one.

    Also install mod_security, and invest in a subscription to Scott's ASL repository which includes the grsec modified kernel and much more.

    Start here to learn more about all this:
    http://www.web-hosting-control-pane....php/HOW-TO_setup_a_PLESK_Dedicated_Server/6/

    This was written by a very helpful and active member of the community here.


    All this will help you sleep better at night knowing that when you are attacked you have very good security and have done a great deal to avoid disaster. There's more you can do, but this is an excellent start.

    Faris.
     