Server Attack??

arctic_ged

Guest
Hi all,

My server went down last night,

I had a look at the logs and this is what I found in var/log/messages


Apr 9 19:43:17 s15248676 sshd(pam_unix)[16767]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
Apr 9 19:43:19 s15248676 sshd(pam_unix)[16774]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
Apr 9 19:43:22 s15248676 sshd(pam_unix)[16781]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
Apr 9 19:43:25 s15248676 sshd(pam_unix)[16788]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
Apr 9 19:43:28 s15248676 sshd(pam_unix)[16795]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
Apr 9 19:43:31 s15248676 sshd(pam_unix)[16802]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
Apr 9 19:43:34 s15248676 sshd(pam_unix)[16809]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
Apr 9 19:43:37 s15248676 sshd(pam_unix)[16816]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
Apr 9 19:43:40 s15248676 sshd(pam_unix)[16823]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
Apr 9 19:43:43 s15248676 sshd(pam_unix)[16830]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root
Apr 9 19:43:46 s15248676 sshd(pam_unix)[16837]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=v31314.1blu.de user=root

There are hundreds of these messages just before the server went down. Also, in etc/httpd/logs/error_log there are hundreds of entries like this:

[Sun Apr 08 21:32:39 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.2-rc1
[Sun Apr 08 21:32:39 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.2-beta1
[Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.2
[Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.2-pl1
[Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.3-rc1
[Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.3
[Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.3-pl1
[Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.4-rc1
[Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.4-pl1
[Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.4-pl2
[Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.4-pl3
[Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.4-pl4
[Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.4
[Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.7.0-beta1
[Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.7.0-rc1
[Sun Apr 08 21:32:40 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.7.0-pl1
[Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.7.0-pl2
[Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.7.0
[Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.0-beta1
[Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.0-rc1
[Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.0-rc2
[Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.0
[Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.0.1
[Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.0.2
[Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.0.3
[Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.0.4
[Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.1-rc1
[Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.1
[Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.8.2
[Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/admin
[Sun Apr 08 21:32:41 2007] [error] [client 91.121.10.188] File does not exist: /var/www/vhosts/default/htdocs/admin


Am I right to assume that the messages in the first log suggest that someone has been continuously trying to log into the server using SSH, and in the second log that they were trying to find a control panel on the server?

Could this have caused the server to crash?

Any help would be really appreciated..
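As an added example (not from the thread or any of its posters): a small Python script that applies the kind of threshold check a log watcher would run over the two log formats quoted above, flagging an SSH source with repeated "authentication failure" lines inside a short window and a web client requesting many distinct non-existent paths. The sample lines are constructed in the same formats; the hostnames and IPs are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on /var/log/messages and httpd error_log
# (placeholder hosts/IPs, not the ones from the thread).
SSHD_LINES = """\
Apr 9 19:43:17 s1 sshd(pam_unix)[16767]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example user=root
Apr 9 19:43:19 s1 sshd(pam_unix)[16774]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example user=root
Apr 9 19:43:22 s1 sshd(pam_unix)[16781]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example user=root
Apr 9 19:43:25 s1 sshd(pam_unix)[16788]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example user=root
Apr 9 20:10:00 s1 sshd(pam_unix)[17001]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=staff.example user=bob
""".splitlines()

HTTPD_LINES = """\
[Sun Apr 08 21:32:39 2007] [error] [client 192.0.2.10] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.6.2
[Sun Apr 08 21:32:40 2007] [error] [client 192.0.2.10] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin-2.7.0
[Sun Apr 08 21:32:41 2007] [error] [client 192.0.2.10] File does not exist: /var/www/vhosts/default/htdocs/admin
[Sun Apr 08 21:40:00 2007] [error] [client 198.51.100.7] File does not exist: /var/www/vhosts/default/htdocs/favicon.ico
""".splitlines()

SSHD_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[\d+\]: "
                     r"authentication failure;.*rhost=(\S+) user=(\S+)")
HTTPD_RE = re.compile(r"^\[.+?\] \[error\] \[client ([\d.]+)\] File does not exist: (\S+)")


def ssh_bruteforce(lines, threshold=3, window_s=60):
    """Return {rhost: total failures} for hosts with >= threshold failures within window_s seconds."""
    times = defaultdict(list)
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            # syslog timestamps carry no year; assume one so window arithmetic works
            times[m.group(2)].append(datetime.strptime("2007 " + m.group(1), "%Y %b %d %H:%M:%S"))
    hits = {}
    for host, ts in times.items():
        ts.sort()
        for i, start in enumerate(ts):
            # sliding window anchored at each failure
            if sum(1 for t in ts[i:] if (t - start).total_seconds() <= window_s) >= threshold:
                hits[host] = len(ts)
                break
    return hits


def web_probe(lines, threshold=3):
    """Return {client: sorted missing paths} for clients hitting >= threshold distinct missing paths."""
    paths = defaultdict(set)
    for line in lines:
        m = HTTPD_RE.match(line)
        if m:
            paths[m.group(1)].add(m.group(2))
    return {c: sorted(p) for c, p in paths.items() if len(p) >= threshold}
```

Neither check says anything about why the machine went down; as the replies note, that needs a separate look at the system itself.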
 
Well, of course there could be a correlation between someone trying to break into your system and the server going down, but the link between your log files and the actual server going down is too abstract to reliably ascertain this. You will have to do a fairly detailed analysis of your server in order to ascertain why it went down. The log file doesn't say much about why the server went down.

Use a tool such as 'top' to see what's going on on the server, and look at the bash history files. Run a program that looks for rootkits. Lots of time and research coming up.
 
What Eugenevdm says is totally correct.

Let me add one little thing. When you get back up and running, the first thing you might want to do is ditch the plesk firewall and use the apf firewall instead.

There is no graphical interface for apf, but personally I find it easier to config than Plesk's (probably because it has no graphical interface!). It includes two useful features: 1) it can automatically block certain types of attack and 2) it can automatically download a list of IPs that are known to be the source of certain suspicious activity. It is also more robust than the Plesk one.

Also install mod_security, and invest in a subscription to Scott's ASL repository which includes the grsec modified kernel and much more.

Start here to learn more about all this:
http://www.web-hosting-control-pane....php/HOW-TO_setup_a_PLESK_Dedicated_Server/6/

This was written by a very helpful and active member of the community here.


All this will help you sleep better at night knowing that when you are attacked you have very good security and have done a great deal to avoid disaster. There's more you can do, but this is an excellent start.

Faris.
 