LinuxQuestions.org


tiger.woods 12-07-2009 07:55 AM

Someone attempting to hack my server?
 
So, today for the first time I see this in the logs from Logwatch:


--------------------- iptables firewall Begin ------------------------
Listed by source hosts:
Logged 2 packets on interface eth0
From 78.86.200.239 - 1 packet
To 192.168.2.99 - 1 packet
Service: 3 (icmp/3) (Inbound) - 1 packet
From 133.27.241.1 - 1 packet
To 192.168.2.99 - 1 packet
Service: 3 (icmp/3) (Inbound) - 1 packet

Listed by source hosts:
Logged 5232 packets on interface eth1
From 0.0.0.0 - 2 packets
To 255.255.255.255 - 2 packets
Service: bootps (udp/67) (Unknown Input) - 2 packets
From 192.168.1.100 - 4982 packets
To 192.168.1.10 - 4982 packets
Service: domain (udp/53) (Unknown Output) - 4388 packets
Service: domain (udp/53) ([ 43.253113] Unknown Output) - 1 packet
Service: domain (udp/53) ([ 43.253128] Unknown Output) - 1 packet
Service: domain (udp/53) ([ 43.253247] Unknown Output) - 1 packet
Service: domain (udp/53) ([ 43.253257] Unknown Output) - 1 packet
Service: domain (udp/53) ([ 43.253349] Unknown Output) - 1 packet
Service: domain (udp/53) ([ 43.253358] Unknown Output) - 1 packet



--------------------- Named Begin ------------------------

Named started: 2 Time(s)
Named shutdown: 2 Time(s)

Loaded Zones:
0.in-addr.arpa/IN: 2 Time(s)
127.in-addr.arpa/IN: 2 Time(s)
255.in-addr.arpa/IN: 2 Time(s)
localhost/IN: 2 Time(s)

**Unmatched Entries**
automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA: 2 Time(s)
automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA: 2 Time(s)
automatic empty zone: 2.0.192.IN-ADDR.ARPA: 2 Time(s)
automatic empty zone: 254.169.IN-ADDR.ARPA: 2 Time(s)
automatic empty zone: 255.255.255.255.IN-ADDR.ARPA: 2 Time(s)
automatic empty zone: 8.E.F.IP6.ARPA: 2 Time(s)
automatic empty zone: 9.E.F.IP6.ARPA: 2 Time(s)
automatic empty zone: A.E.F.IP6.ARPA: 2 Time(s)
automatic empty zone: B.E.F.IP6.ARPA: 2 Time(s)
automatic empty zone: D.F.IP6.ARPA: 2 Time(s)
client 127.0.0.1 RFC 1918 response from Internet for 1.2.168.192.in-addr.arpa: 2484 Time(s)
client 127.0.0.1 RFC 1918 response from Internet for 100.1.168.192.in-addr.arpa: 6 Time(s)
client 127.0.0.1 RFC 1918 response from Internet for 99.2.168.192.in-addr.arpa: 114 Time(s)
client 204.11.51.61 query (cache) './NS/IN' denied: 2 Time(s)
client 208.78.169.235 query (cache) './NS/IN' denied: 1 Time(s)
client 208.78.169.236 query (cache) './NS/IN' denied: 1 Time(s)

---------------------- Named End -------------------------


I also noticed from my proFTPd log that it appears someone is trying to brute force their way in...

Am I being paranoid with the above Named information? Could someone explain what's happening to me?

Thanks,

tiger.woods 12-08-2009 05:52 AM

I can't believe no one has seen this type of information in their logs before, anyone?

bathory 12-08-2009 06:13 AM

There is nothing to worry about:
Quote:

automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA: 2 Time(s)
automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA: 2 Time(s)
automatic empty zone: 2.0.192.IN-ADDR.ARPA: 2 Time(s)
automatic empty zone: 254.169.IN-ADDR.ARPA: 2 Time(s)
automatic empty zone: 255.255.255.255.IN-ADDR.ARPA: 2 Time(s)
automatic empty zone: 8.E.F.IP6.ARPA: 2 Time(s)
automatic empty zone: 9.E.F.IP6.ARPA: 2 Time(s)
automatic empty zone: A.E.F.IP6.ARPA: 2 Time(s)
automatic empty zone: B.E.F.IP6.ARPA: 2 Time(s)
automatic empty zone: D.F.IP6.ARPA: 2 Time(s)
This is logged when named restarts
Quote:

client 127.0.0.1 RFC 1918 response from Internet for 1.2.168.192.in-addr.arpa: 2484 Time(s)
client 127.0.0.1 RFC 1918 response from Internet for 100.1.168.192.in-addr.arpa: 6 Time(s)
client 127.0.0.1 RFC 1918 response from Internet for 99.2.168.192.in-addr.arpa: 114 Time(s)
This happens because you haven't configured a zone for the 192.168.2/24 subnet. If you use this subnet for your LAN, then you should set up a zone for it. Else you can define an empty zone to get rid of these messages.
Quote:

client 204.11.51.61 query (cache) './NS/IN' denied: 2 Time(s)
client 208.78.169.235 query (cache) './NS/IN' denied: 1 Time(s)
client 208.78.169.236 query (cache) './NS/IN' denied: 1 Time(s)
This means that those hosts are trying to use your DNS for recursive queries and they were denied, as they should be.
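The two fixes bathory describes, written out as a named.conf fragment. This is an added example, not configuration from the thread; the LAN ranges, the directory and the db.empty path are assumptions (db.empty is the empty zone file shipped with Debian/Ubuntu bind9 packages).

```conf
// Added example (not from the thread). Addresses and paths are assumed.
options {
    directory "/var/cache/bind";

    // Only loopback and the two LAN subnets may use this server as a
    // recursive resolver. Outside hosts get exactly the
    // "query (cache) './NS/IN' denied" lines seen in the Logwatch report,
    // which is the intended result: an open recursive resolver can be
    // abused for amplification, so keep recursion restricted.
    allow-recursion   { 127.0.0.1; 192.168.1.0/24; 192.168.2.0/24; };
    allow-query-cache { 127.0.0.1; 192.168.1.0/24; 192.168.2.0/24; };
};

// Option 1 (LAN actually uses 192.168.2.0/24): a real reverse zone, so
// PTR lookups for LAN hosts are answered here instead of leaking to the
// Internet. The zone file path is assumed; it holds the PTR records.
// zone "2.168.192.in-addr.arpa" IN {
//     type master;
//     file "/etc/bind/db.192.168.2";
// };

// Option 2 (no reverse records needed): an empty authoritative zone.
// named answers NXDOMAIN locally and stops logging
// "RFC 1918 response from Internet for ...2.168.192.in-addr.arpa".
// Use only one of the two options for the same zone name.
zone "2.168.192.in-addr.arpa" IN {
    type master;
    file "/etc/bind/db.empty";
};
```

Run `named-checkconf` after editing and reload named; the "RFC 1918 response" entries should stop appearing in the next Logwatch report.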

Hangdog42 12-08-2009 06:15 AM

This thread may shed some light on what is happening. It kind of looks like you're running a DNS that might not be properly configured. Now if you aren't running a DNS, that might indicate a more serious issue.

As for the FTP brute force, that happens to everyone with an FTP server. If you don't need it accessible from the internet, block it with a firewall. If you do need it accessible from the internet, make sure you've got strong passwords on any accounts that are allowed access.

tiger.woods 12-08-2009 04:08 PM

Thanks for the replies, guys.

I am not running DNS on this box I let my ISP handle the DNS records.

So, I got 2 different opinions... is there a consensus that this is an issue not to worry about, or should I keep digging?

The more I read about FTP the more I realize someone is always going to be trying to hack it. I will heed your advice and revise my passwording schemes.

Thanks,

bathory 12-09-2009 02:02 AM

Quote:

I am not running DNS on this box I let my ISP handle the DNS records.
Are you sure? These are all logs from named (dns). Run
Code:

ps -ef|grep named
to verify it.

Hangdog42 12-09-2009 06:11 AM

I agree with bathory, so far this looks like a DNS problem that may be innocent, but since we really don't have a lot to go on, it doesn't hurt to dig a little deeper. Things to look at:

lsof -Pwn
ps -afwwwe
netstat -anpe

You're looking for things that shouldn't be there. We could also use a better description of the machine in question, particularly the distro you're using, the services it is hosting and how it is connected to the internet. If you're running a web server, what applications are running on it?

Finally, is this the only logwatch entry for this or has it been going on for some time? Is there anything else suspicious in the log (particularly before this started). Were any of the FTP log in attempts successful? Have you looked at the log files directly for unusual events? Your comment about passwords is mildly disturbing. Are there any password based access services besides FTP (I'm thinking SSH) that someone may have been able to access?

tiger.woods 12-09-2009 06:21 AM

OK, so I see it is running..


host@dns1:~$ ps -ef|grep named
bind 10299 1 0 Dec08 ? 00:00:00 /usr/sbin/named -u bind
host 12737 12715 0 06:45 pts/0 00:00:00 grep named

Since I'm allowing my ISP to host my DNS records, it's not necessary for bind to be running, correct?

Hangdog42 12-09-2009 06:34 AM

Quote:

Originally Posted by tiger.woods (Post 3785345)
Since I'm allowing my ISP to host my DNS records its not necessary for bind to be running correct?

You don't need bind if your ISP is handling the DNS.

bathory 12-09-2009 08:00 AM

You don't need bind for dns services, but maybe it's needed by your resolver.
Make sure that there is no entry for localhost in /etc/resolv.conf, and if it exists, replace it with your ISP's DNS IP.

Regards

tiger.woods 12-09-2009 08:16 PM

Many thanks for the insight. :D

