LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-10-2006, 06:51 AM   #1
devinnull
Member
 
Registered: Dec 2005
Location: UT-USA
Distribution: RHEL 3/4 Servers - FC 5 x64 on the desktop - Edubuntu for the kiddies
Posts: 53

Rep: Reputation: 15
Apache died-Did I just get own'd? Help please


I just got a new server running RHEL4. I have it all patched up via up2date as of twodays ago and I just got my first site moved over and I am literaly working on the site when it seems to die and no longger works.

After looking around a bit I notice that apache is not serving up the default configuration page any longer even if I go to IP. I can still connect via SSH and webmin but I can not get httpd to start.

When I looked in /var/mail I found a bunch (thousands?) of enties like these below and the look like some kind of bruteforce attack?

************Small Sample**********
Quote:
input_userauth_request: invalid user mortimer
Failed password for invalid user mortimer from ::ffff:217.117.21.148 port 48787 ssh2
Failed password for invalid user mortimer from ::ffff:217.117.21.148 port 48787 ssh2
Invalid user mortimer from ::ffff:217.117.21.148
input_userauth_request: invalid user mortimer
Failed password for invalid user mortimer from ::ffff:217.117.21.148 port 48942 ssh2
Failed password for invalid user mortimer from ::ffff:217.117.21.148 port 48942 ssh2
Invalid user lloyd from ::ffff:217.117.21.148
input_userauth_request: invalid user lloyd
Failed password for invalid user lloyd from ::ffff:217.117.21.148 port 49091 ssh2
Failed password for invalid user lloyd from ::ffff:217.117.21.148 port 49091 ssh2
Invalid user lloyd from ::ffff:217.117.21.148
input_userauth_request: invalid user lloyd
Failed password for invalid user lloyd from ::ffff:217.117.21.148 port 49241 ssh2
Failed password for invalid user lloyd from ::ffff:217.117.21.148 port 49241 ssh2
Invalid user lloyd from ::ffff:217.117.21.148
input_userauth_request: invalid user lloyd
Failed password for invalid user lloyd from ::ffff:217.117.21.148 port 49398 ssh2
Failed password for invalid user lloyd from ::ffff:217.117.21.148 port 49398 ssh2
Invalid user guinness from ::ffff:217.117.21.148
input_userauth_request: invalid user guinness
Failed password for invalid user guinness from ::ffff:217.117.21.148 port 49550 ssh2
Failed password for invalid user guinness from ::ffff:217.117.21.148 port 49550 ssh2
Invalid user guinness from ::ffff:217.117.21.148
input_userauth_request: invalid user guinness
Failed password for invalid user guinness from ::ffff:217.117.21.148 port 49726 ssh2
Failed password for invalid user guinness from ::ffff:217.117.21.148 port 49726 ssh2
Invalid user guinness from ::ffff:217.117.21.148


I have it setup to run some small websites but I am pretty new with linux and just reading mail was pretty good for me. I"m not even sure where to start.

Any help would be wonderful!!!

Last edited by devinnull; 09-10-2006 at 06:58 AM.
 
Old 09-10-2006, 08:07 AM   #2
Samoth
Member
 
Registered: Apr 2005
Distribution: Exherbo
Posts: 474
Blog Entries: 1

Rep: Reputation: 32
It does look like a bruteforce attack. I would look for any signs of them getting in, although they probably deleted that out of the log file if they did. You could set up a key-type ssh server where you have to have a special key in order to even try and get in. That would stop a lot of bruteforce hackers.
 
Old 09-11-2006, 05:11 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
@Samoth: I would look for any signs of them getting in
And how would he do that? Provide some pointers please.
 
Old 09-11-2006, 07:46 AM   #4
Samoth
Member
 
Registered: Apr 2005
Distribution: Exherbo
Posts: 474
Blog Entries: 1

Rep: Reputation: 32
Well, Look at /var/log/auth.log. This is how my /var/log/auth.log looks after multiple unsuccesful ssh logins:

Code:
Sep 11 07:40:28 localhost sshd[777]: Accepted password for root from 192.168.1.80 port 59000 ssh2
Sep 11 07:40:28 localhost sshd[781]: (pam_unix) session opened for user root by root(uid=0)
Sep 11 07:41:41 localhost sshd[803]: Accepted password for root from 192.168.1.80 port 59001 ssh2
Sep 11 07:41:41 localhost sshd[807]: (pam_unix) session opened for user root by root(uid=0)
Sep 11 07:42:11 localhost sshd[828]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rock.mpa.com  user=root
Sep 11 07:42:13 localhost sshd[828]: Failed password for root from 192.168.1.80 port 59002 ssh2
Sep 11 07:42:19 localhost last message repeated 2 times
Sep 11 07:42:19 localhost sshd[828]: (pam_unix) 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=rock.mpa.com  user=root
Sep 11 07:42:22 localhost sshd[832]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rock.mpa.com  user=root
Sep 11 07:42:24 localhost sshd[832]: Failed password for root from 192.168.1.80 port 59003 ssh2
Sep 11 07:42:30 localhost last message repeated 2 times
Sep 11 07:42:30 localhost sshd[832]: (pam_unix) 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=rock.mpa.com  user=root
Sep 11 07:42:35 localhost sshd[836]: Accepted password for root from 192.168.1.80 port 59004 ssh2
Sep 11 07:42:35 localhost sshd[840]: (pam_unix) session opened for user root by root(uid=0)
However, if you dont find anything at all, then that is a good sign that they got in and deleted that part of the log.

Last edited by Samoth; 09-11-2006 at 07:47 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Ubuntu Just Died?!? Can you help? Ingla Linux - Software 4 03-14-2006 12:58 AM
apache died how do we find out why? dtra Linux - Software 1 06-06-2005 10:48 AM
Mouse died KenCo Linux - Laptop and Netbook 5 10-02-2003 07:22 AM
apache died HELP (errno:13) rob_roman23 Linux - General 4 09-03-2003 07:42 PM
Samba Died!!! Sathe Linux - Networking 6 01-18-2002 10:21 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:42 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration