LinuxQuestions.org
Old 12-07-2009, 07:55 AM   #1
tiger.woods
Someone attempting to hack my server?


So, today for the first time I see this in the logs from Logwatch:


--------------------- iptables firewall Begin ------------------------
Listed by source hosts:
Logged 2 packets on interface eth0
From 78.86.200.239 - 1 packet
To 192.168.2.99 - 1 packet
Service: 3 (icmp/3) (Inbound) - 1 packet
From 133.27.241.1 - 1 packet
To 192.168.2.99 - 1 packet
Service: 3 (icmp/3) (Inbound) - 1 packet

Listed by source hosts:
Logged 5232 packets on interface eth1
From 0.0.0.0 - 2 packets
To 255.255.255.255 - 2 packets
Service: bootps (udp/67) (Unknown Input) - 2 packets
From 192.168.1.100 - 4982 packets
To 192.168.1.10 - 4982 packets
Service: domain (udp/53) (Unknown Output) - 4388 packets
Service: domain (udp/53) ([ 43.253113] Unknown Output) - 1 packet
Service: domain (udp/53) ([ 43.253128] Unknown Output) - 1 packet
Service: domain (udp/53) ([ 43.253247] Unknown Output) - 1 packet
Service: domain (udp/53) ([ 43.253257] Unknown Output) - 1 packet
Service: domain (udp/53) ([ 43.253349] Unknown Output) - 1 packet
Service: domain (udp/53) ([ 43.253358] Unknown Output) - 1 packet



--------------------- Named Begin ------------------------

Named started: 2 Time(s)
Named shutdown: 2 Time(s)

Loaded Zones:
0.in-addr.arpa/IN: 2 Time(s)
127.in-addr.arpa/IN: 2 Time(s)
255.in-addr.arpa/IN: 2 Time(s)
localhost/IN: 2 Time(s)

**Unmatched Entries**
automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA: 2 Time(s)
automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA: 2 Time(s)
automatic empty zone: 2.0.192.IN-ADDR.ARPA: 2 Time(s)
automatic empty zone: 254.169.IN-ADDR.ARPA: 2 Time(s)
automatic empty zone: 255.255.255.255.IN-ADDR.ARPA: 2 Time(s)
automatic empty zone: 8.E.F.IP6.ARPA: 2 Time(s)
automatic empty zone: 9.E.F.IP6.ARPA: 2 Time(s)
automatic empty zone: A.E.F.IP6.ARPA: 2 Time(s)
automatic empty zone: B.E.F.IP6.ARPA: 2 Time(s)
automatic empty zone: D.F.IP6.ARPA: 2 Time(s)
client 127.0.0.1 RFC 1918 response from Internet for 1.2.168.192.in-addr.arpa: 2484 Time(s)
client 127.0.0.1 RFC 1918 response from Internet for 100.1.168.192.in-addr.arpa: 6 Time(s)
client 127.0.0.1 RFC 1918 response from Internet for 99.2.168.192.in-addr.arpa: 114 Time(s)
client 204.11.51.61 query (cache) './NS/IN' denied: 2 Time(s)
client 208.78.169.235 query (cache) './NS/IN' denied: 1 Time(s)
client 208.78.169.236 query (cache) './NS/IN' denied: 1 Time(s)

---------------------- Named End -------------------------


I also noticed from my ProFTPD log that it appears someone is trying to brute force their way in...

Am I being paranoid with the above Named information? Could someone explain what's happening to me?

Thanks,
 
Old 12-08-2009, 05:52 AM   #2
tiger.woods
I can't believe no one has seen this type of information in their logs before, anyone?
 
Old 12-08-2009, 06:13 AM   #3
bathory
There is nothing to worry about:
Quote:
automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA: 2 Time(s)
automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA: 2 Time(s)
automatic empty zone: 2.0.192.IN-ADDR.ARPA: 2 Time(s)
automatic empty zone: 254.169.IN-ADDR.ARPA: 2 Time(s)
automatic empty zone: 255.255.255.255.IN-ADDR.ARPA: 2 Time(s)
automatic empty zone: 8.E.F.IP6.ARPA: 2 Time(s)
automatic empty zone: 9.E.F.IP6.ARPA: 2 Time(s)
automatic empty zone: A.E.F.IP6.ARPA: 2 Time(s)
automatic empty zone: B.E.F.IP6.ARPA: 2 Time(s)
automatic empty zone: D.F.IP6.ARPA: 2 Time(s)
This is logged when named restarts
Quote:
client 127.0.0.1 RFC 1918 response from Internet for 1.2.168.192.in-addr.arpa: 2484 Time(s)
client 127.0.0.1 RFC 1918 response from Internet for 100.1.168.192.in-addr.arpa: 6 Time(s)
client 127.0.0.1 RFC 1918 response from Internet for 99.2.168.192.in-addr.arpa: 114 Time(s)
This happens because you haven't configured a zone for the 192.168.2/24 subnet. If you use this subnet for your LAN, then you should set up a zone for it. Otherwise you can define an empty zone to get rid of these messages.
Quote:
client 204.11.51.61 query (cache) './NS/IN' denied: 2 Time(s)
client 208.78.169.235 query (cache) './NS/IN' denied: 1 Time(s)
client 208.78.169.236 query (cache) './NS/IN' denied: 1 Time(s)
This means that those hosts are trying to use your DNS for recursive queries, and they were denied, as they should be.
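To make bathory's three-way reading of the Named section mechanical, here is an added Python triage script (not from this thread or from BIND): it sorts named log lines into the harmless restart notices, the RFC 1918 leaks (deriving the /24 reverse zone that would cover each one), and the refused recursive queries per client. The sample lines are constructed, using documentation address ranges rather than the poster's real hosts.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the Logwatch "Named" section above;
# the client addresses are documentation ranges, not the poster's real log.
SAMPLE_LOG = """\
automatic empty zone: 254.169.IN-ADDR.ARPA
automatic empty zone: D.F.IP6.ARPA
client 127.0.0.1#45001: RFC 1918 response from Internet for 1.2.168.192.in-addr.arpa
client 127.0.0.1#45002: RFC 1918 response from Internet for 99.2.168.192.in-addr.arpa
client 127.0.0.1#45003: RFC 1918 response from Internet for 100.1.168.192.in-addr.arpa
client 203.0.113.7#53: query (cache) './NS/IN' denied
client 203.0.113.7#53: query (cache) './NS/IN' denied
client 198.51.100.9#1337: query (cache) 'example.com/A/IN' denied
zone localhost/IN: loaded serial 1
"""

EMPTY_ZONE = re.compile(r"automatic empty zone: (\S+)")
RFC1918 = re.compile(r"RFC 1918 response from Internet for ((?:\d{1,3}\.){3}\d{1,3})\.in-addr\.arpa")
DENIED = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})\S*: query \(cache\) '([^']*)' denied")


def reverse_name_to_ip(octets_rev):
    """'1.2.168.192' (from 1.2.168.192.in-addr.arpa) -> '192.168.2.1'."""
    return ".".join(reversed(octets_rev.split(".")))


def empty_zone_for(ip):
    """Name of the /24 reverse zone that would keep lookups for ip local."""
    a, b, c, _ = ip.split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"


def triage_named_log(text):
    """Sort named messages into the three classes discussed in the thread."""
    empty_zones = []      # built-in empty zones: logged on every named (re)start
    leaked = Counter()    # /24 reverse zone -> RFC 1918 lookups sent to the Internet
    denied = Counter()    # external client -> recursive queries refused
    unmatched = []
    for line in text.splitlines():
        if m := EMPTY_ZONE.search(line):
            empty_zones.append(m.group(1))
        elif m := RFC1918.search(line):
            # A private-address reverse lookup left the box: no local zone covers it.
            leaked[empty_zone_for(reverse_name_to_ip(m.group(1)))] += 1
        elif m := DENIED.search(line):
            denied[m.group(1)] += 1
        else:
            unmatched.append(line)
    return {"empty_zones": empty_zones, "leaked": leaked,
            "denied": denied, "unmatched": unmatched}
```

Run on the sample, the `leaked` counter tells you which reverse zones to define locally (two lookups for 2.168.192.in-addr.arpa, one for 1.168.192.in-addr.arpa), while `denied` only confirms recursion is being refused.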
 
Old 12-08-2009, 06:15 AM   #4
Hangdog42
This thread may shed some light on what is happening. It kind of looks like you're running a DNS that might not be properly configured. Now if you aren't running a DNS, that might indicate a more serious issue.

As for the FTP brute force, that happens to everyone with an FTP server. If you don't need it accessible from the internet, block it with a firewall. If you do need it accessible from the internet, make sure you've got strong passwords on any accounts that are allowed access.
 
Old 12-08-2009, 04:08 PM   #5
tiger.woods
Thanks for the replies, guys.

I am not running DNS on this box; I let my ISP handle the DNS records.

So, I got 2 different opinions... is there a consensus that this is an issue not to worry about, or should I keep digging?

The more I read about FTP, the more I realize someone is always going to be trying to hack it. I will heed your advice and revise my password schemes.

Thanks,
 
Old 12-09-2009, 02:02 AM   #6
bathory
Quote:
I am not running DNS on this box I let my ISP handle the DNS records.
Are you sure? These are all logs from named (dns). Run
Code:
ps -ef|grep named
to verify it.
 
Old 12-09-2009, 06:11 AM   #7
Hangdog42
I agree with bathory, so far this looks like a DNS problem that may be innocent, but since we really don't have a lot to go on, it doesn't hurt to dig a little deeper. Things to look at:

lsof -Pwn
ps -afwwwe
netstat -anpe

You're looking for things that shouldn't be there. We could also use a better description of the machine in question, particularly the distro you're using, the services it is hosting and how it is connected to the internet. If you're running a web server, what applications are running on it?

Finally, is this the only logwatch entry for this, or has it been going on for some time? Is there anything else suspicious in the log (particularly before this started)? Were any of the FTP login attempts successful? Have you looked at the log files directly for unusual events? Your comment about passwords is mildly disturbing. Are there any password-based access services besides FTP (I'm thinking SSH) that someone may have been able to access?
 
Old 12-09-2009, 06:21 AM   #8
tiger.woods
OK, so I see it is running..


host@dns1:~$ ps -ef|grep named
bind 10299 1 0 Dec08 ? 00:00:00 /usr/sbin/named -u bind
host 12737 12715 0 06:45 pts/0 00:00:00 grep named

Since I'm allowing my ISP to host my DNS records, it's not necessary for bind to be running, correct?
 
Old 12-09-2009, 06:34 AM   #9
Hangdog42
Quote:
Originally Posted by tiger.woods View Post
Since I'm allowing my ISP to host my DNS records its not necessary for bind to be running correct?
You don't need bind if your ISP is handling the DNS.
 
Old 12-09-2009, 08:00 AM   #10
bathory
You don't need bind for DNS services, but maybe it's needed by your resolver.
Make sure that there is no entry for localhost in /etc/resolv.conf, and if it exists, replace it with your ISP's DNS IP.

Regards
 
Old 12-09-2009, 08:16 PM   #11
tiger.woods
Many thanks for the insight.
 
  

