LinuxQuestions.org
Old 09-10-2006, 05:51 AM   #1
devinnull
Member
 
Registered: Dec 2005
Location: UT-USA
Distribution: RHEL 3/4 Servers - FC 5 x64 on the desktop - Edubuntu for the kiddies
Posts: 53

Rep: Reputation: 15
Apache died-Did I just get own'd? Help please


I just got a new server running RHEL4. I have it all patched up via up2date as of two days ago and I just got my first site moved over and I am literally working on the site when it seems to die and no longer works.

After looking around a bit I notice that apache is not serving up the default configuration page any longer even if I go to IP. I can still connect via SSH and webmin but I can not get httpd to start.

When I looked in /var/mail I found a bunch (thousands?) of entries like these below and they look like some kind of bruteforce attack?

************Small Sample**********
Quote:
input_userauth_request: invalid user mortimer
Failed password for invalid user mortimer from ::ffff:217.117.21.148 port 48787 ssh2
Failed password for invalid user mortimer from ::ffff:217.117.21.148 port 48787 ssh2
Invalid user mortimer from ::ffff:217.117.21.148
input_userauth_request: invalid user mortimer
Failed password for invalid user mortimer from ::ffff:217.117.21.148 port 48942 ssh2
Failed password for invalid user mortimer from ::ffff:217.117.21.148 port 48942 ssh2
Invalid user lloyd from ::ffff:217.117.21.148
input_userauth_request: invalid user lloyd
Failed password for invalid user lloyd from ::ffff:217.117.21.148 port 49091 ssh2
Failed password for invalid user lloyd from ::ffff:217.117.21.148 port 49091 ssh2
Invalid user lloyd from ::ffff:217.117.21.148
input_userauth_request: invalid user lloyd
Failed password for invalid user lloyd from ::ffff:217.117.21.148 port 49241 ssh2
Failed password for invalid user lloyd from ::ffff:217.117.21.148 port 49241 ssh2
Invalid user lloyd from ::ffff:217.117.21.148
input_userauth_request: invalid user lloyd
Failed password for invalid user lloyd from ::ffff:217.117.21.148 port 49398 ssh2
Failed password for invalid user lloyd from ::ffff:217.117.21.148 port 49398 ssh2
Invalid user guinness from ::ffff:217.117.21.148
input_userauth_request: invalid user guinness
Failed password for invalid user guinness from ::ffff:217.117.21.148 port 49550 ssh2
Failed password for invalid user guinness from ::ffff:217.117.21.148 port 49550 ssh2
Invalid user guinness from ::ffff:217.117.21.148
input_userauth_request: invalid user guinness
Failed password for invalid user guinness from ::ffff:217.117.21.148 port 49726 ssh2
Failed password for invalid user guinness from ::ffff:217.117.21.148 port 49726 ssh2
Invalid user guinness from ::ffff:217.117.21.148


I have it set up to run some small websites but I am pretty new with Linux and just reading mail was pretty good for me. I'm not even sure where to start.

Any help would be wonderful!!!

Last edited by devinnull; 09-10-2006 at 05:58 AM.
 
Old 09-10-2006, 07:07 AM   #2
Samoth
Member
 
Registered: Apr 2005
Distribution: Exherbo
Posts: 474
Blog Entries: 1

Rep: Reputation: 32
It does look like a bruteforce attack. I would look for any signs of them getting in, although they probably deleted that out of the log file if they did. You could set up a key-type ssh server where you have to have a special key in order to even try and get in. That would stop a lot of bruteforce hackers.
 
Old 09-11-2006, 04:11 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
@Samoth: I would look for any signs of them getting in
And how would he do that? Provide some pointers please.
 
Old 09-11-2006, 06:46 AM   #4
Samoth
Member
 
Registered: Apr 2005
Distribution: Exherbo
Posts: 474
Blog Entries: 1

Rep: Reputation: 32
Well, look at /var/log/auth.log. This is how my /var/log/auth.log looks after multiple unsuccessful ssh logins:

Code:
Sep 11 07:40:28 localhost sshd[777]: Accepted password for root from 192.168.1.80 port 59000 ssh2
Sep 11 07:40:28 localhost sshd[781]: (pam_unix) session opened for user root by root(uid=0)
Sep 11 07:41:41 localhost sshd[803]: Accepted password for root from 192.168.1.80 port 59001 ssh2
Sep 11 07:41:41 localhost sshd[807]: (pam_unix) session opened for user root by root(uid=0)
Sep 11 07:42:11 localhost sshd[828]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rock.mpa.com  user=root
Sep 11 07:42:13 localhost sshd[828]: Failed password for root from 192.168.1.80 port 59002 ssh2
Sep 11 07:42:19 localhost last message repeated 2 times
Sep 11 07:42:19 localhost sshd[828]: (pam_unix) 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=rock.mpa.com  user=root
Sep 11 07:42:22 localhost sshd[832]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rock.mpa.com  user=root
Sep 11 07:42:24 localhost sshd[832]: Failed password for root from 192.168.1.80 port 59003 ssh2
Sep 11 07:42:30 localhost last message repeated 2 times
Sep 11 07:42:30 localhost sshd[832]: (pam_unix) 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=rock.mpa.com  user=root
Sep 11 07:42:35 localhost sshd[836]: Accepted password for root from 192.168.1.80 port 59004 ssh2
Sep 11 07:42:35 localhost sshd[840]: (pam_unix) session opened for user root by root(uid=0)
However, if you don't find anything at all, then that is a good sign that they got in and deleted that part of the log.

Last edited by Samoth; 09-11-2006 at 06:47 AM.
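
An added example, not part of any post in this thread: a Python script that automates the log check described in post #4 by counting failed sshd logins per source address and listing addresses where a login was accepted after repeated failures. The sample lines are constructed, the function names are hypothetical, and on RHEL the sshd messages are written to /var/log/secure rather than /var/log/auth.log.

```python
import re
from collections import defaultdict

# Constructed sample in the sshd formats quoted in the thread (documentation-range IPs).
SAMPLE = """\
Invalid user mortimer from ::ffff:203.0.113.9
Failed password for invalid user mortimer from ::ffff:203.0.113.9 port 48787 ssh2
Sep 11 07:40:09 host last message repeated 2 times
Sep 11 07:41:13 host sshd[828]: Failed password for root from 203.0.113.9 port 59002 ssh2
Sep 11 07:41:20 host sshd[836]: Accepted password for root from 203.0.113.9 port 59004 ssh2
Sep 11 07:45:00 host sshd[900]: Accepted password for devin from 198.51.100.7 port 40000 ssh2
""".splitlines()

# Matches with or without the syslog prefix; strips the ::ffff: IPv4-mapped prefix.
EVENT = re.compile(r"(?P<kind>Failed|Accepted) password for (?:invalid user )?"
                   r"(?P<user>\S+) from (?:::ffff:)?(?P<ip>[0-9A-Fa-f.:]+) port \d+")
REPEAT = re.compile(r"last message repeated (\d+) times")

def triage(lines):
    """Per source IP: failure count, usernames tried, accepted logins."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    last_failed_ip = None  # "repeated N times" applies to the line just before it
    for line in lines:
        rep, ev = REPEAT.search(line), EVENT.search(line)
        if rep and last_failed_ip:
            stats[last_failed_ip]["failed"] += int(rep.group(1))
        elif ev and ev["kind"] == "Failed":
            entry = stats[ev["ip"]]
            entry["failed"] += 1
            entry["users"].add(ev["user"])
            last_failed_ip = ev["ip"]
            continue
        elif ev:  # Accepted: remember how many failures preceded it
            entry = stats[ev["ip"]]
            entry["accepted"].append((ev["user"], entry["failed"]))
        if not rep:
            last_failed_ip = None
    return stats

def logins_after_failures(stats, min_failed=3):
    """IPs where a login was accepted after at least min_failed failures."""
    return sorted(ip for ip, s in stats.items()
                  if any(before >= min_failed for _, before in s["accepted"]))

if __name__ == "__main__":
    result = triage(SAMPLE)
    for ip, s in result.items():
        print(ip, s["failed"], sorted(s["users"]), s["accepted"])
    print("review first:", logins_after_failures(result))
```

An address returned by `logins_after_failures` is a lead for review, not proof of compromise, since an administrator mistyping a password produces the same pattern.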
 
  


All times are GMT -5. The time now is 03:50 AM.
