Someone attempting to hack my server?
So, today for the first time I see this in the logs from Logwatch:
Code:
 --------------------- iptables firewall Begin ------------------------

 Listed by source hosts:
 Logged 2 packets on interface eth0
   From 78.86.200.239 - 1 packet
      To 192.168.2.99 - 1 packet
         Service: 3 (icmp/3) (Inbound) - 1 packet
   From 133.27.241.1 - 1 packet
      To 192.168.2.99 - 1 packet
         Service: 3 (icmp/3) (Inbound) - 1 packet

 Listed by source hosts:
 Logged 5232 packets on interface eth1
   From 0.0.0.0 - 2 packets
      To 255.255.255.255 - 2 packets
         Service: bootps (udp/67) (Unknown Input) - 2 packets
   From 192.168.1.100 - 4982 packets
      To 192.168.1.10 - 4982 packets
         Service: domain (udp/53) (Unknown Output) - 4388 packets
         Service: domain (udp/53) ([ 43.253113] Unknown Output) - 1 packet
         Service: domain (udp/53) ([ 43.253128] Unknown Output) - 1 packet
         Service: domain (udp/53) ([ 43.253247] Unknown Output) - 1 packet
         Service: domain (udp/53) ([ 43.253257] Unknown Output) - 1 packet
         Service: domain (udp/53) ([ 43.253349] Unknown Output) - 1 packet
         Service: domain (udp/53) ([ 43.253358] Unknown Output) - 1 packet

 --------------------- Named Begin ------------------------

 Named started: 2 Time(s)
 Named shutdown: 2 Time(s)

 Loaded Zones:
    0.in-addr.arpa/IN: 2 Time(s)
    127.in-addr.arpa/IN: 2 Time(s)
    255.in-addr.arpa/IN: 2 Time(s)
    localhost/IN: 2 Time(s)

 **Unmatched Entries**
    automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA: 2 Time(s)
    automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA: 2 Time(s)
    automatic empty zone: 2.0.192.IN-ADDR.ARPA: 2 Time(s)
    automatic empty zone: 254.169.IN-ADDR.ARPA: 2 Time(s)
    automatic empty zone: 255.255.255.255.IN-ADDR.ARPA: 2 Time(s)
    automatic empty zone: 8.E.F.IP6.ARPA: 2 Time(s)
    automatic empty zone: 9.E.F.IP6.ARPA: 2 Time(s)
    automatic empty zone: A.E.F.IP6.ARPA: 2 Time(s)
    automatic empty zone: B.E.F.IP6.ARPA: 2 Time(s)
    automatic empty zone: D.F.IP6.ARPA: 2 Time(s)
    client 127.0.0.1 RFC 1918 response from Internet for 1.2.168.192.in-addr.arpa: 2484 Time(s)
    client 127.0.0.1 RFC 1918 response from Internet for 100.1.168.192.in-addr.arpa: 6 Time(s)
    client 127.0.0.1 RFC 1918 response from Internet for 99.2.168.192.in-addr.arpa: 114 Time(s)
    client 204.11.51.61 query (cache) './NS/IN' denied: 2 Time(s)
    client 208.78.169.235 query (cache) './NS/IN' denied: 1 Time(s)
    client 208.78.169.236 query (cache) './NS/IN' denied: 1 Time(s)

 ---------------------- Named End -------------------------

I also noticed from my proFTPd log that it appears someone is trying to brute force their way in... Am I being paranoid with the above Named information? Could someone explain what's happening to me. Thanks,
I can't believe no one has seen this type of information in their logs before, anyone?
There is nothing to worry about:
This thread may shed some light on what is happening. It kind of looks like you're running a DNS that might not be properly configured. Now if you aren't running a DNS, that might indicate a more serious issue.
As for the FTP brute force, that happens to everyone with an FTP server. If you don't need it accessible from the internet, block it with a firewall. If you do need it accessible from the internet, make sure you've got strong passwords on any accounts that are allowed access.
Thanks for the replies, guys.
I am not running DNS on this box; I let my ISP handle the DNS records. So, I got 2 different opinions... is there a consensus that this is an issue not to worry about, or should I keep digging? The more I read about FTP the more I realize someone is always going to be trying to hack it. I will heed your advice and revise my passwording schemes. Thanks,
Code:
ps -ef|grep named
I agree with bathory, so far this looks like a DNS problem that may be innocent, but since we really don't have a lot to go on, it doesn't hurt to dig a little deeper. Things to look at:
Code:
lsof -Pwn
ps -afwwwe
netstat -anpe

You're looking for things that shouldn't be there. We could also use a better description of the machine in question, particularly the distro you're using, the services it is hosting and how it is connected to the internet. If you're running a web server, what applications are running on it? Finally, is this the only logwatch entry for this or has it been going on for some time? Is there anything else suspicious in the log (particularly before this started)? Were any of the FTP log in attempts successful? Have you looked at the log files directly for unusual events? Your comment about passwords is mildly disturbing. Are there any password based access services besides FTP (I'm thinking SSH) that someone may have been able to access?
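As an added example, not code from anyone in this thread, here is the "look for things that shouldn't be there" step applied to saved `netstat -anpe` output: a shell function that lists every TCP listener and bound UDP socket whose program is not on an allow-list you give it. The netstat sample is constructed to resemble the box under discussion (sshd, proftpd, dhclient and a named on port 53); the PIDs, inodes, ports and the 192.168.2.99 address are assumptions, not data from the thread.

```shell
#!/bin/sh
# Added example: flag listening sockets whose program is not on an allow-list.
# Input is the text of `netstat -anpe` (run as root so the PID/Program column is filled).

# Constructed sample, shaped like Linux `netstat -anpe` output on the box in the thread.
# Addresses, PIDs, inodes and program names are assumptions, not data from the thread.
NETSTAT_SAMPLE=$(mktemp)
cat > "$NETSTAT_SAMPLE" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      0          12345      1200/proftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          12346      900/sshd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      107        12347      10299/named
tcp        0      0 192.168.2.99:22         78.86.200.239:51234     ESTABLISHED 0          12350      1300/sshd
udp        0      0 192.168.2.99:53         0.0.0.0:*                           107        12348      10299/named
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          12349      800/dhclient
EOF

# unexpected_listeners FILE "prog1 prog2 ..."
# Prints "proto local-address pid/program" for each TCP LISTEN socket and each
# bound UDP socket whose program name is not in the space-separated allow-list.
unexpected_listeners() {
  awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # TCP rows carry a State column; only LISTEN sockets matter for this audit.
    $1 == "tcp" && $6 != "LISTEN" { next }
    $1 == "tcp" || $1 == "udp" {
      prog = $NF                      # last field is PID/Program, e.g. 10299/named
      sub(/^[0-9]+\//, "", prog)      # strip the PID, keep the program name
      if (!(prog in ok)) print $1, $4, $NF
    }' "$1"
}

# count_unexpected_listeners FILE "prog1 prog2 ..."
# Same check, reduced to a number that a cron job or monitoring script can act on.
count_unexpected_listeners() {
  unexpected_listeners "$1" "$2" | grep -c .
}

# Usage: anything not on the list of services you know you run is worth a closer look.
# With the sample above this reports the two named sockets, not the ESTABLISHED ssh session.
unexpected_listeners "$NETSTAT_SAMPLE" "sshd proftpd dhclient"
```

On a live system the input would be `netstat -anpe > /tmp/listeners.txt` run as root; the allow-list is the set of daemons you deliberately run, so a named that you never configured shows up immediately, as it did for the original poster.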
OK, so I see it is running..
Code:
host@dns1:~$ ps -ef|grep named
bind     10299     1  0 Dec08 ?        00:00:00 /usr/sbin/named -u bind
host     12737 12715  0 06:45 pts/0    00:00:00 grep named

Since I'm allowing my ISP to host my DNS records, it's not necessary for bind to be running, correct?
You don't need bind for dns services, but maybe it's needed by your resolver.
Make sure that there is no entry for localhost in /etc/resolv.conf, and if it exists, replace it with your ISP's DNS IP.
Regards
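As an added example (not code from this poster or anyone else in the thread), the /etc/resolv.conf check above made repeatable: one function reports any `nameserver` line that points back at the local host, and another shows what the file would look like with those entries replaced by the ISP's resolver. The sample resolv.conf is constructed, and 192.0.2.53 is a documentation address standing in for the ISP's DNS IP, which is an assumption.

```shell
#!/bin/sh
# Added example: check /etc/resolv.conf for nameserver entries that point at the local host
# (127.x.x.x or ::1), which is what makes the local resolver depend on a running bind.

# Constructed sample of a resolv.conf that still lists a local bind first.
# 192.0.2.53 stands in for the ISP's resolver (documentation address, an assumption).
RESOLV_SAMPLE=$(mktemp)
cat > "$RESOLV_SAMPLE" <<'EOF'
# generated by the distro's network scripts (constructed sample)
search home.example
nameserver 127.0.0.1
nameserver 192.0.2.53
EOF

# loopback_nameservers FILE
# Prints each nameserver address in FILE that refers to the local host.
loopback_nameservers() {
  awk '$1 == "nameserver" && ($2 ~ /^127\./ || $2 == "::1") { print $2 }' "$1"
}

# resolver_uses_isp_only FILE
# Succeeds (exit 0) when no nameserver line points at localhost, fails otherwise.
resolver_uses_isp_only() {
  [ -z "$(loopback_nameservers "$1")" ]
}

# fixed_resolv_conf FILE ISP_DNS
# Writes FILE to stdout with every loopback nameserver replaced by ISP_DNS; comments,
# search and options lines are kept, and duplicate nameserver lines that result are dropped.
fixed_resolv_conf() {
  awk -v isp="$2" '
    $1 == "nameserver" && ($2 ~ /^127\./ || $2 == "::1") { $2 = isp }
    $1 == "nameserver" { if (seen[$2]++) next }
    { print }' "$1"
}

# Usage: review the proposed file before copying it over the real /etc/resolv.conf.
loopback_nameservers "$RESOLV_SAMPLE"
fixed_resolv_conf "$RESOLV_SAMPLE" 192.0.2.53
```

Run against the real file as `loopback_nameservers /etc/resolv.conf`; an empty result means the resolver already goes straight to the ISP and bind can be stopped without breaking name lookups on the box. If a DHCP client or resolvconf regenerates the file, the same loopback entry will come back unless the change is made in their configuration rather than in /etc/resolv.conf directly.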
Many thanks for the insight. :D