LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-19-2007, 09:23 AM   #1
xviddivxoggmp3
Member
 
Registered: Feb 2004
Location: scanf
Distribution: Redhat Enterprise 4.4 AS
Posts: 236

Rep: Reputation: 30
webserver security


I just looked through some weblogs today and saw the following.
Quote:
userhelper[12611]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'
userhelper[12612]: running '/usr/sbin/up2date --uuid fb032ff6-b2eb-11db-84fd-a546add58b71 --register' with root privileges on behalf of 'root'
This doesn't look good.
Did someone log on and acquire root privileges?

And what is this?
Quote:
Failed to bind:
0.0.0.0 port 22 (Address already in use) : 2 Time(s)
Did someone hack me or am I just paranoid?
Please, security guru, help me.
 
Old 10-19-2007, 10:04 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
That's not a log from a web server, it's just someone locally updating the system with up2date... you? I assume that could originate from a little system tray icon telling you you had system updates to apply, and so you told it to apply them?

The other one is someone trying to start ssh when it's already running; no reason to think there's anything malicious about that... dumb maybe, but not malicious.
 
Old 10-19-2007, 06:33 PM   #3
xviddivxoggmp3
Member
 
Registered: Feb 2004
Location: scanf
Distribution: Redhat Enterprise 4.4 AS
Posts: 236

Original Poster
Rep: Reputation: 30
This looks like someone is trying to break in.

Quote:
Failed password for invalid user staff from ::ffff:200.11.75.91 port 55450 ssh2
Invalid user sales from ::ffff:200.11.75.91
Failed password for invalid user sales from ::ffff:200.11.75.91 port 55596 ssh2
Invalid user recruit from ::ffff:200.11.75.91
Failed password for invalid user recruit from ::ffff:200.11.75.91 port 55745 ssh2
Invalid user alias from ::ffff:200.11.75.91
Failed password for invalid user alias from ::ffff:200.11.75.91 port 55889 ssh2
Invalid user office from ::ffff:200.11.75.91
Failed password for invalid user office from ::ffff:200.11.75.91 port 56035 ssh2
Invalid user samba from ::ffff:200.11.75.91
Failed password for invalid user samba from ::ffff:200.11.75.91 port 56175 ssh2
Invalid user tomcat from ::ffff:200.11.75.91
Failed password for invalid user tomcat from ::ffff:200.11.75.91 port 56317 ssh2
Invalid user webadmin from ::ffff:200.11.75.91
Failed password for invalid user webadmin from ::ffff:200.11.75.91 port 56459 ssh2
Invalid user spam from ::ffff:200.11.75.91
Quote:
Authentication Failures:
unknown (prometeo.quilaco.cl): 43 Time(s)
unknown (ebci.ucr.ac.cr): 26 Time(s)
root (prometeo.quilaco.cl): 8 Time(s)

Invalid Users:
Unknown Account: 70 Time(s)
How do I stop this???

Last edited by xviddivxoggmp3; 10-19-2007 at 06:35 PM.
 
Old 10-19-2007, 07:15 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
You could start by reading the "Failed SSH login attempts" sticky at the top of the forum.

Then install something like Fail2Ban.
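
Added example (not part of the thread, and not Fail2Ban's own code): the per-source counting that tools like Fail2Ban build on, run over sshd lines of the shape quoted in post #3, with IPv4-mapped addresses such as `::ffff:200.11.75.91` folded to plain IPv4 so one host is not counted twice. The function names and the `max_failures` threshold are assumptions; real tools also apply a time window, which these timestamp-less lines cannot show.

```python
import ipaddress
import re
from collections import defaultdict

# Shape of the sshd "Failed password" lines quoted in post #3.
FAILED = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<addr>\S+) port \d+ ssh2")

# First five lines come from post #3; the last two are constructed
# (192.0.2.10 is a documentation address, logged in both address forms).
SAMPLE = """\
Failed password for invalid user staff from ::ffff:200.11.75.91 port 55450 ssh2
Invalid user sales from ::ffff:200.11.75.91
Failed password for invalid user sales from ::ffff:200.11.75.91 port 55596 ssh2
Failed password for invalid user recruit from ::ffff:200.11.75.91 port 55745 ssh2
Failed password for invalid user alias from ::ffff:200.11.75.91 port 55889 ssh2
Failed password for root from ::ffff:192.0.2.10 port 40001 ssh2
Failed password for root from 192.0.2.10 port 40002 ssh2
""".splitlines()

def normalize(addr):
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    ip = ipaddress.ip_address(addr)
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def summarize(lines):
    """Per source address: failure count, invalid-user count, names tried."""
    stats = defaultdict(lambda: {"failures": 0, "invalid": 0, "users": set()})
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # "Invalid user" lines repeat the failure that follows
        try:
            src = normalize(m["addr"])
        except ValueError:
            continue  # address field is not an IP literal
        stats[src]["failures"] += 1
        stats[src]["invalid"] += bool(m["invalid"])
        stats[src]["users"].add(m["user"])
    return dict(stats)

def offenders(stats, max_failures=3):
    """Sources at or over the (assumed) threshold, worst first."""
    hits = [s for s in stats if stats[s]["failures"] >= max_failures]
    return sorted(hits, key=lambda s: -stats[s]["failures"])

if __name__ == "__main__":
    print(offenders(summarize(SAMPLE)))
```

A source that tries many different account names, most of them invalid, is a dictionary scan rather than a user mistyping a password, which is the pattern in the log above.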
 
  

