LinuxQuestions.org
Old 12-30-2018, 02:48 AM   #1
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Rep: Reputation: 10
What's happened in my system?


Hello.
I installed the latest version of OpenSUSE and installed Elasticsearch and Kibana on it, and nothing else. This Linux server is not ready yet and we have never worked with it, but OpenSUSE uploaded many files and... Something like S-P-Y or...
Some data from the captured file:
Code:
17:02:00.298515 IP (tos 0x0, ttl 64, id 46168, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0xbd0a), seq 300, ack 337, win 229, options [nop,nop,TS val 3546870 ecr 14067419,nop,nop,sack 1 {336:337}], length 0
17:02:04.934564 ARP, Ethernet (len 6), IPv4 (len 4), Reply elastic.suse is-at 00:0c:29:85:5b:a3 (oui Unknown), length 28
17:02:10.578500 IP (tos 0x0, ttl 64, id 46169, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0xb300), seq 300, ack 337, win 229, options [nop,nop,TS val 3549440 ecr 14067419,nop,nop,sack 1 {336:337}], length 0
17:02:20.858681 IP (tos 0x0, ttl 64, id 46170, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0xa8f6), seq 300, ack 337, win 229, options [nop,nop,TS val 3552010 ecr 14067419,nop,nop,sack 1 {336:337}], length 0
17:02:23.710156 IP (tos 0x0, ttl 64, id 46171, offset 0, flags [DF], proto TCP (6), length 52)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4529 (incorrect -> 0x431a), seq 300, ack 365, win 229, options [nop,nop,TS val 3552723 ecr 14067960], length 0
17:02:33.986522 IP (tos 0x0, ttl 64, id 46172, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0x99b3), seq 300, ack 365, win 229, options [nop,nop,TS val 3555292 ecr 14067960,nop,nop,sack 1 {364:365}], length 0
17:02:44.267499 IP (tos 0x0, ttl 64, id 46173, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0x8fa8), seq 300, ack 365, win 229, options [nop,nop,TS val 3557863 ecr 14067960,nop,nop,sack 1 {364:365}], length 0
17:02:54.437289 IP (tos 0x0, ttl 64, id 46174, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0x85ba), seq 300, ack 365, win 229, options [nop,nop,TS val 3560405 ecr 14067960,nop,nop,sack 1 {364:365}], length 0
17:02:58.079426 ARP, Ethernet (len 6), IPv4 (len 4), Reply elastic.suse is-at 00:0c:29:85:5b:a3 (oui Unknown), length 28
17:02:58.884638 IP (tos 0x0, ttl 64, id 46175, offset 0, flags [DF], proto TCP (6), length 52)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4529 (incorrect -> 0x1f45), seq 300, ack 393, win 229, options [nop,nop,TS val 3561517 ecr 14068311], length 0
17:03:09.094450 IP (tos 0x0, ttl 64, id 46176, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0x75b7), seq 300, ack 393, win 229, options [nop,nop,TS val 3564069 ecr 14068311,nop,nop,sack 1 {392:393}], length 0
17:03:19.375119 IP (tos 0x0, ttl 64, id 46177, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0x6bad), seq 300, ack 393, win 229, options [nop,nop,TS val 3566639 ecr 14068311,nop,nop,sack 1 {392:393}], length 0
17:03:27.573571 IP (tos 0x0, ttl 64, id 24861, offset 0, flags [DF], proto UDP (17), length 61)
    elastic.suse.55662 > google-public-dns-a.google.com.domain: [bad udp cksum 0x209f -> 0x0ed5!] 10109+ A? www.s9xk32c.com. (33)
17:03:27.669410 IP (tos 0x0, ttl 64, id 1635, offset 0, flags [DF], proto TCP (6), length 60)
    elastic.suse.40044 > 91.195.240.82.http: Flags [S], cksum 0x5c99 (incorrect -> 0xd61f), seq 536834602, win 29200, options [mss 1460,sackOK,TS val 3568713 ecr 0,nop,wscale 7], length 0
17:03:27.758488 IP (tos 0x0, ttl 64, id 1636, offset 0, flags [DF], proto TCP (6), length 52)
    elastic.suse.40044 > 91.195.240.82.http: Flags [.], cksum 0x5c91 (incorrect -> 0xa58e), seq 536834603, ack 21361276, win 229, options [nop,nop,TS val 3568735 ecr 949003280], length 0
17:03:27.758610 IP (tos 0x0, ttl 64, id 1637, offset 0, flags [DF], proto TCP (6), length 270)
    elastic.suse.40044 > 91.195.240.82.http: Flags [P.], cksum 0x5d6b (incorrect -> 0xffba), seq 0:218, ack 1, win 229, options [nop,nop,TS val 3568735 ecr 949003280], length 218: HTTP, length: 218
        GET /config.rar HTTP/1.1
        Accept: */*
        Accept-Language: zh-cn
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
        Host: www.s9xk32c.com
        Connection: Keep-Alive

17:03:27.852276 IP (tos 0x0, ttl 64, id 1638, offset 0, flags [DF], proto TCP (6), length 52)
    elastic.suse.40044 > 91.195.240.82.http: Flags [.], cksum 0x5c91 (incorrect -> 0xa168), seq 218, ack 716, win 240, options [nop,nop,TS val 3568759 ecr 949003374], length 0
17:03:29.656511 IP (tos 0x0, ttl 64, id 46178, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0x61a2), seq 300, ack 393, win 229, options [nop,nop,TS val 3569210 ecr 14068311,nop,nop,sack 1 {392:393}], length 0
As you see, it's like a virus or... but why?

Other information:
Code:
# tcpdump -r capture.cap -vvv | grep "Host:"
reading from file capture.cap, link-type EN10MB (Ethernet)
        Host: www.s9xk32c.com
        Host: www.s9xk32c.com
        Host: www.s9xk32c.com
        Host: www.s9xk32c.com
        Host: www.s9xk32c.com
        Host: www.s9xk32c.com
        Host: www.s9xk32c.com
Code:
# tcpdump -r capture.cap -vvv | grep "GET"
reading from file capture.cap, link-type EN10MB (Ethernet)
        GET /config.rar HTTP/1.1
        GET /config.rar HTTP/1.1
        GET /config.rar HTTP/1.1
        GET /config.rar HTTP/1.1
        GET /config.rar HTTP/1.1
        GET /config.rar HTTP/1.1
        GET /config.rar HTTP/1.1
Code:
# systemctl status SuSEfirewall2
SuSEfirewall2.service - SuSEfirewall2 phase 2
   Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled)
   Active: active (exited) since Sat 2018-12-29 13:03:44 +0330; 22h ago
 Main PID: 2070 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/SuSEfirewall2.service

Dec 29 13:03:31 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 29 13:03:31 elastic SuSEfirewall2[2070]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 29 13:03:44 elastic SuSEfirewall2[2070]: Firewall rules successfully set
Dec 29 13:03:44 elastic systemd[1]: Started SuSEfirewall2 phase 2.
Code:
# journalctl | grep SuSE*
Dec 11 10:25:33 linux-a725 SuSEfirewall2[1257]: Firewall rules set to CLOSE.
Dec 11 10:25:48 linux-a725 SuSEfirewall2[1726]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 11 10:25:48 linux-a725 SuSEfirewall2[1732]: using default zone 'ext' for interface eth0
Dec 11 10:25:49 linux-a725 SuSEfirewall2[1849]: Firewall rules successfully set
Dec 11 10:28:11 linux-a725 SuSEfirewall2[2293]: Not unloading firewall rules at system shutdown
Dec 15 10:13:36 linux-a725 SuSEfirewall2[1312]: Firewall rules set to CLOSE.
Dec 15 10:13:51 linux-a725 SuSEfirewall2[1770]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 15 10:13:51 linux-a725 SuSEfirewall2[1776]: using default zone 'ext' for interface eth0
Dec 15 10:13:51 linux-a725 SuSEfirewall2[1888]: Firewall rules successfully set
Dec 15 11:30:35 linux-a725 SuSEfirewall2[9698]: Not unloading firewall rules at system shutdown
Dec 15 11:30:53 linux-a725 SuSEfirewall2[1299]: Firewall rules set to CLOSE.
Dec 15 11:31:04 linux-a725 SuSEfirewall2[1808]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 15 11:31:04 linux-a725 SuSEfirewall2[1820]: using default zone 'ext' for interface eth0
Dec 15 11:31:05 linux-a725 SuSEfirewall2[1938]: Firewall rules successfully set
Dec 15 11:49:21 linux-a725 SuSEfirewall2[2933]: Firewall rules unloaded.
Dec 15 11:49:21 linux-a725 SuSEfirewall2[2955]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 15 11:49:21 linux-a725 SuSEfirewall2[2961]: using default zone 'ext' for interface eth0
Dec 15 11:49:22 linux-a725 SuSEfirewall2[3029]: Firewall rules successfully set
Dec 15 12:38:15 linux-a725 systemd[1]: Stopping SuSEfirewall2 phase 2...
Dec 15 12:38:15 linux-a725 SuSEfirewall2[21675]: Firewall rules unloaded.
Dec 15 12:38:15 linux-a725 SuSEfirewall2[21684]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 15 12:38:15 linux-a725 SuSEfirewall2[21690]: using default zone 'ext' for interface eth0
Dec 15 12:38:16 linux-a725 SuSEfirewall2[22042]: Firewall rules successfully set
Dec 15 12:47:25 linux-a725 systemd[1]: Stopping SuSEfirewall2 phase 2...
Dec 15 12:47:25 linux-a725 systemd[1]: Stopped SuSEfirewall2 phase 2.
Dec 15 12:47:25 linux-a725 SuSEfirewall2[9728]: Not unloading firewall rules at system shutdown
Dec 15 12:47:26 linux-a725 systemd[1]: Stopping SuSEfirewall2 phase 1...
Dec 15 12:47:26 linux-a725 systemd[1]: Stopped SuSEfirewall2 phase 1.
Dec 15 12:47:39 linux-a725 SuSEfirewall2[1037]: Firewall rules set to CLOSE.
Dec 15 12:47:39 linux-a725 systemd[1]: Started SuSEfirewall2 phase 1.
Dec 15 12:47:41 linux-a725 systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 15 12:47:41 linux-a725 SuSEfirewall2[1500]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 15 12:47:41 linux-a725 SuSEfirewall2[1508]: using default zone 'ext' for interface eth0
Dec 15 12:47:42 linux-a725 SuSEfirewall2[1981]: Firewall rules successfully set
Dec 15 12:47:42 linux-a725 systemd[1]: Started SuSEfirewall2 phase 2.
Dec 15 14:20:12 linux-a725 systemd[1]: Stopping SuSEfirewall2 phase 2...
Dec 15 14:20:12 linux-a725 SuSEfirewall2[3031]: Not unloading firewall rules at system shutdown
Dec 15 14:20:12 linux-a725 systemd[1]: Stopped SuSEfirewall2 phase 2.
Dec 15 14:20:13 linux-a725 systemd[1]: Stopping SuSEfirewall2 phase 1...
Dec 15 14:20:13 linux-a725 systemd[1]: Stopped SuSEfirewall2 phase 1.
Dec 15 14:20:27 linux-a725 SuSEfirewall2[1058]: Firewall rules set to CLOSE.
Dec 15 14:20:27 linux-a725 systemd[1]: Started SuSEfirewall2 phase 1.
Dec 15 14:20:29 linux-a725 systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 15 14:20:29 linux-a725 SuSEfirewall2[1533]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 15 14:20:29 linux-a725 SuSEfirewall2[1539]: using default zone 'ext' for interface eth0
Dec 15 14:20:29 linux-a725 SuSEfirewall2[1992]: Firewall rules successfully set
Dec 15 14:20:29 linux-a725 systemd[1]: Started SuSEfirewall2 phase 2.
Dec 15 14:34:21 linux-a725 systemd[1]: Stopping SuSEfirewall2 phase 2...
Dec 15 14:34:21 linux-a725 SuSEfirewall2[8028]: Not unloading firewall rules at system shutdown
Dec 15 14:34:21 linux-a725 systemd[1]: Stopped SuSEfirewall2 phase 2.
Dec 15 14:34:22 linux-a725 systemd[1]: Stopping SuSEfirewall2 phase 1...
Dec 15 14:34:22 linux-a725 systemd[1]: Stopped SuSEfirewall2 phase 1.
Dec 15 14:34:35 elastic SuSEfirewall2[1149]: Firewall rules set to CLOSE.
Dec 15 14:34:35 elastic systemd[1]: Started SuSEfirewall2 phase 1.
Dec 15 14:34:37 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 15 14:34:37 elastic SuSEfirewall2[1611]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 15 14:34:37 elastic SuSEfirewall2[1617]: using default zone 'ext' for interface eth0
Dec 15 14:34:38 elastic SuSEfirewall2[2073]: Firewall rules successfully set
Dec 15 14:34:38 elastic systemd[1]: Started SuSEfirewall2 phase 2.
Dec 15 15:37:26 elastic systemd[1]: Stopping SuSEfirewall2 phase 2...
Dec 15 15:37:26 elastic SuSEfirewall2[26607]: Firewall rules unloaded.
Dec 15 15:37:26 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 15 15:37:26 elastic SuSEfirewall2[26652]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 15 15:37:26 elastic SuSEfirewall2[26652]: using default zone 'ext' for interface eth0
Dec 15 15:37:27 elastic SuSEfirewall2[26652]: Firewall rules successfully set
Dec 15 15:37:27 elastic systemd[1]: Started SuSEfirewall2 phase 2.
Dec 15 15:40:11 elastic systemd[1]: Stopped SuSEfirewall2 phase 2.
Dec 15 15:40:11 elastic SuSEfirewall2[21128]: Not unloading firewall rules at system shutdown
Dec 15 15:40:11 elastic systemd[1]: Stopping SuSEfirewall2 phase 1...
Dec 15 15:40:11 elastic systemd[1]: Stopped SuSEfirewall2 phase 1.
Dec 15 15:40:35 elastic systemd[1]: Starting SuSEfirewall2 phase 1...
Dec 15 15:40:36 elastic SuSEfirewall2[1278]: Firewall rules set to CLOSE.
Dec 15 15:40:36 elastic systemd[1]: Started SuSEfirewall2 phase 1.
Dec 15 15:40:42 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 15 15:40:42 elastic SuSEfirewall2[1876]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 15 15:40:42 elastic SuSEfirewall2[1876]: using default zone 'ext' for interface eth0
Dec 15 15:40:43 elastic SuSEfirewall2[1876]: Firewall rules successfully set
Dec 15 15:40:43 elastic systemd[1]: Started SuSEfirewall2 phase 2.
Dec 15 16:13:24 elastic SuSEfirewall2[14822]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 15 16:13:24 elastic SuSEfirewall2[14822]: using default zone 'ext' for interface eth0
Dec 15 16:13:25 elastic SuSEfirewall2[14822]: Firewall rules successfully set
Dec 15 16:19:09 elastic SuSEfirewall2[16751]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 15 16:19:09 elastic SuSEfirewall2[16751]: using default zone 'ext' for interface eth0
Dec 15 16:19:10 elastic SuSEfirewall2[16751]: Firewall rules successfully set
Dec 16 11:16:28 elastic SuSEfirewall2[7656]: Not unloading firewall rules at system shutdown
Dec 16 11:16:28 elastic systemd[1]: Stopped SuSEfirewall2 phase 2.
Dec 16 11:16:30 elastic systemd[1]: Stopping SuSEfirewall2 phase 1...
Dec 16 11:16:30 elastic systemd[1]: Stopped SuSEfirewall2 phase 1.
Dec 16 11:16:53 elastic SuSEfirewall2[1318]: Firewall rules set to CLOSE.
Dec 16 11:16:53 elastic systemd[1]: Started SuSEfirewall2 phase 1.
Dec 16 11:16:59 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 16 11:16:59 elastic SuSEfirewall2[1891]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 16 11:16:59 elastic SuSEfirewall2[1891]: using default zone 'ext' for interface eth0
Dec 16 11:17:00 elastic SuSEfirewall2[1891]: Firewall rules successfully set
Dec 16 11:17:00 elastic systemd[1]: Started SuSEfirewall2 phase 2.
Dec 16 12:12:04 elastic systemd[1]: Stopping SuSEfirewall2 phase 2...
Dec 16 12:12:04 elastic SuSEfirewall2[13838]: Firewall rules unloaded.
Dec 16 12:12:04 elastic systemd[1]: Stopped SuSEfirewall2 phase 2.
Dec 16 12:12:04 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 16 12:12:04 elastic SuSEfirewall2[13896]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 16 12:12:05 elastic SuSEfirewall2[13896]: Firewall rules successfully set
Dec 16 12:12:05 elastic systemd[1]: Started SuSEfirewall2 phase 2.
Dec 16 12:14:13 elastic systemd[1]: Stopping SuSEfirewall2 phase 2...
Dec 16 12:14:13 elastic SuSEfirewall2[15968]: Firewall rules unloaded.
Dec 16 12:14:13 elastic systemd[1]: Stopped SuSEfirewall2 phase 2.
Dec 16 12:14:13 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 16 12:14:14 elastic SuSEfirewall2[16026]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 16 12:14:15 elastic SuSEfirewall2[16026]: Firewall rules successfully set
Dec 16 12:14:15 elastic systemd[1]: Started SuSEfirewall2 phase 2.
Dec 16 12:14:58 elastic systemd[1]: Stopping SuSEfirewall2 phase 2...
Dec 16 12:14:58 elastic SuSEfirewall2[17939]: Firewall rules unloaded.
Dec 16 12:14:58 elastic systemd[1]: Stopped SuSEfirewall2 phase 2.
Dec 16 12:14:58 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 16 12:14:58 elastic SuSEfirewall2[17997]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 16 12:14:59 elastic SuSEfirewall2[17997]: Firewall rules successfully set
Dec 16 12:14:59 elastic systemd[1]: Started SuSEfirewall2 phase 2.
Dec 16 12:16:06 elastic systemd[1]: Stopping SuSEfirewall2 phase 2...
Dec 16 12:16:06 elastic SuSEfirewall2[20164]: Firewall rules unloaded.
Dec 16 12:16:06 elastic systemd[1]: Stopped SuSEfirewall2 phase 2.
Dec 16 12:16:06 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 16 12:16:06 elastic SuSEfirewall2[20222]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 16 12:16:07 elastic SuSEfirewall2[20222]: Firewall rules successfully set
Dec 16 12:16:07 elastic systemd[1]: Started SuSEfirewall2 phase 2.
Dec 16 12:17:27 elastic systemd[1]: Stopping SuSEfirewall2 phase 2...
Dec 16 12:17:27 elastic SuSEfirewall2[22424]: Firewall rules unloaded.
Dec 16 12:17:27 elastic systemd[1]: Stopped SuSEfirewall2 phase 2.
Dec 16 12:17:27 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 16 12:17:27 elastic SuSEfirewall2[22482]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 16 12:17:28 elastic SuSEfirewall2[22482]: Firewall rules successfully set
Dec 16 12:17:28 elastic systemd[1]: Started SuSEfirewall2 phase 2.
Dec 16 12:20:15 elastic systemd[1]: Stopping SuSEfirewall2 phase 2...
Dec 16 12:20:15 elastic SuSEfirewall2[25315]: Firewall rules unloaded.
Dec 16 12:20:15 elastic systemd[1]: Stopped SuSEfirewall2 phase 2.
Dec 16 12:20:15 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 16 12:20:15 elastic SuSEfirewall2[25373]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 16 12:20:16 elastic SuSEfirewall2[25373]: Firewall rules successfully set
Dec 16 12:20:16 elastic systemd[1]: Started SuSEfirewall2 phase 2.
Dec 16 12:21:06 elastic systemd[1]: Stopping SuSEfirewall2 phase 2...
Dec 16 12:21:06 elastic SuSEfirewall2[27711]: Firewall rules unloaded.
Dec 16 12:21:06 elastic systemd[1]: Stopped SuSEfirewall2 phase 2.
Dec 16 12:21:06 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 16 12:21:06 elastic SuSEfirewall2[27769]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 16 12:21:07 elastic SuSEfirewall2[27769]: Firewall rules successfully set
Dec 16 12:21:07 elastic systemd[1]: Started SuSEfirewall2 phase 2.
Dec 16 12:22:41 elastic systemd[1]: Stopping SuSEfirewall2 phase 2...
Dec 16 12:22:41 elastic SuSEfirewall2[30513]: Firewall rules unloaded.
Dec 16 12:22:41 elastic systemd[1]: Stopped SuSEfirewall2 phase 2.
Dec 16 12:22:41 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 16 12:22:42 elastic SuSEfirewall2[30572]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 16 12:22:42 elastic SuSEfirewall2[30572]: Firewall rules successfully set
Dec 16 12:22:42 elastic systemd[1]: Started SuSEfirewall2 phase 2.
Dec 16 12:26:26 elastic systemd[1]: Stopping SuSEfirewall2 phase 2...
Dec 16 12:26:26 elastic SuSEfirewall2[1249]: Firewall rules unloaded.
Dec 16 12:26:26 elastic systemd[1]: Stopped SuSEfirewall2 phase 2.
Dec 16 12:26:26 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 16 12:26:26 elastic SuSEfirewall2[1308]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 16 12:26:27 elastic SuSEfirewall2[1308]: Firewall rules successfully set
Dec 16 12:26:27 elastic systemd[1]: Started SuSEfirewall2 phase 2.
Dec 16 12:29:00 elastic systemd[1]: Stopping SuSEfirewall2 phase 2...
Dec 16 12:29:00 elastic SuSEfirewall2[5138]: Firewall rules unloaded.
Dec 16 12:29:00 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 16 12:29:00 elastic SuSEfirewall2[5183]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 16 12:29:01 elastic SuSEfirewall2[5183]: Firewall rules successfully set
Dec 16 12:29:01 elastic systemd[1]: Started SuSEfirewall2 phase 2.
Dec 16 12:32:58 elastic systemd[1]: Stopping SuSEfirewall2 phase 2...
Dec 16 12:32:58 elastic SuSEfirewall2[6649]: Firewall rules unloaded.
Dec 16 12:32:58 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 16 12:32:58 elastic SuSEfirewall2[6694]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 16 12:32:59 elastic SuSEfirewall2[6694]: Firewall rules successfully set
Dec 16 12:32:59 elastic systemd[1]: Started SuSEfirewall2 phase 2.
Dec 16 12:40:25 elastic systemd[1]: Stopping SuSEfirewall2 phase 2...
Dec 16 12:40:25 elastic SuSEfirewall2[8797]: Firewall rules unloaded.
Dec 16 12:40:25 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 16 12:40:25 elastic SuSEfirewall2[8842]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 16 12:40:26 elastic SuSEfirewall2[8842]: Firewall rules successfully set
Dec 16 12:40:26 elastic systemd[1]: Started SuSEfirewall2 phase 2.
Dec 29 12:50:09 elastic sudo[5225]: elastic : TTY=pts/0 ; PWD=/home/elastic ; USER=root ; COMMAND=/usr/bin/nano /etc/sysconfig/SuSEfirewall2
Dec 29 12:50:48 elastic systemd[1]: Stopping SuSEfirewall2 phase 2...
Dec 29 12:50:48 elastic SuSEfirewall2[5388]: Not unloading firewall rules at system shutdown
Dec 29 12:50:48 elastic systemd[1]: Stopped SuSEfirewall2 phase 2.
Dec 29 12:50:50 elastic systemd[1]: Stopping SuSEfirewall2 phase 1...
Dec 29 12:50:50 elastic systemd[1]: Stopped SuSEfirewall2 phase 1.
Dec 29 13:03:10 elastic SuSEfirewall2[1456]: Firewall rules set to CLOSE.
Dec 29 13:03:10 elastic systemd[1]: Started SuSEfirewall2 phase 1.
Dec 29 13:03:31 elastic systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 29 13:03:31 elastic SuSEfirewall2[2070]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 29 13:03:44 elastic SuSEfirewall2[2070]: Firewall rules successfully set
Dec 29 13:03:44 elastic systemd[1]: Started SuSEfirewall2 phase 2.
Any idea?

Thank you.

Last edited by hack3rcon; 12-30-2018 at 02:50 AM.
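A defender's triage of a capture like the one above, added here as an example and not part of the thread or any poster's code: it parses tcpdump -vvv lines of the shape posted (the packet line, its "src.port > dst.port" line, a DNS query, and an HTTP request with its headers) and flags what a headless Elasticsearch server has no business doing. The sample text is constructed from lines in the post; the allowed-port list and the `host_os` parameter are assumed policy, not anything the thread states.

```python
import re
from collections import Counter

# Constructed sample modelled on the tcpdump -vvv lines posted in the thread
# (hostnames, addresses and headers copied from the post; not the full capture).
SAMPLE = """\
17:02:00.298515 IP (tos 0x0, ttl 64, id 46168, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0xbd0a), seq 300, ack 337, win 229, options [nop,nop,TS val 3546870 ecr 14067419], length 0
17:02:10.578500 IP (tos 0x0, ttl 64, id 46169, offset 0, flags [DF], proto TCP (6), length 64)
    elastic.suse.49642 > 157.52.151.121.opsession-prxy: Flags [.], cksum 0x4535 (incorrect -> 0xb300), seq 300, ack 337, win 229, options [nop,nop,TS val 3549440 ecr 14067419], length 0
17:03:27.573571 IP (tos 0x0, ttl 64, id 24861, offset 0, flags [DF], proto UDP (17), length 61)
    elastic.suse.55662 > google-public-dns-a.google.com.domain: [bad udp cksum 0x209f -> 0x0ed5!] 10109+ A? www.s9xk32c.com. (33)
17:03:27.758610 IP (tos 0x0, ttl 64, id 1637, offset 0, flags [DF], proto TCP (6), length 270)
    elastic.suse.40044 > 91.195.240.82.http: Flags [P.], cksum 0x5d6b (incorrect -> 0xffba), seq 0:218, ack 1, win 229, options [nop,nop,TS val 3568735 ecr 949003280], length 218: HTTP, length: 218
        GET /config.rar HTTP/1.1
        Accept: */*
        Accept-Language: zh-cn
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
        Host: www.s9xk32c.com
        Connection: Keep-Alive

17:03:27.852276 IP (tos 0x0, ttl 64, id 1638, offset 0, flags [DF], proto TCP (6), length 52)
    elastic.suse.40044 > 91.195.240.82.http: Flags [.], cksum 0x5c91 (incorrect -> 0xa168), seq 218, ack 716, win 240, options [nop,nop,TS val 3568759 ecr 949003374], length 0
"""

# Second line of every packet: "src.sport > dst.dport: ..." (names may contain dots)
FLOW_RE = re.compile(r"^\s+(?P<src>\S+)\.(?P<sport>[^.\s]+) > (?P<dst>\S+)\.(?P<dport>[^.\s:]+):")
DNS_RE = re.compile(r"\d+\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+?)\.? \(")
REQ_RE = re.compile(r"^\s+(?P<method>GET|POST|HEAD|PUT) (?P<path>\S+) HTTP/")
HDR_RE = re.compile(r"^\s+(?P<name>[A-Za-z-]+): (?P<value>.*)$")

ARCHIVE_EXTS = (".rar", ".zip", ".tar", ".gz", ".7z", ".exe", ".sh", ".elf")
FOREIGN_UA_MARKERS = ("Windows", "MSIE")   # a Linux server has no reason to send these


def parse_tcpdump(text):
    """Turn tcpdump -vvv text into 'flow', 'dns' and 'http' event dicts."""
    events, flow, req = [], None, None
    for line in text.splitlines():
        if req is not None:
            m = HDR_RE.match(line)
            if m:                          # header belongs to the open request
                req["headers"][m["name"].lower()] = m["value"]
                continue
            events.append(req)             # blank line or next packet closes it
            req = None
        m = FLOW_RE.match(line)
        if m:
            flow = m.groupdict()
            events.append({"kind": "flow", **flow})
            d = DNS_RE.search(line)        # DNS query rides on the same line
            if d:
                events.append({"kind": "dns", **flow, **d.groupdict()})
            continue
        m = REQ_RE.match(line)
        if m and flow:                     # request line follows its TCP packet
            req = {"kind": "http", **flow, **m.groupdict(), "headers": {}}
    if req is not None:
        events.append(req)
    return events


def triage(events, allowed_ports=("domain", "https"), host_os="Linux"):
    """Flag outbound behaviour a headless server should not show (assumed policy)."""
    findings = []
    for e in events:
        if e["kind"] == "dns":
            findings.append(f"dns lookup {e['qname']} ({e['qtype']}) from {e['src']}")
        elif e["kind"] == "http":
            h = e["headers"]
            site = h.get("host", e["dst"])
            if e["path"].lower().endswith(ARCHIVE_EXTS):
                findings.append(f"archive download {e['method']} {e['path']} from {site}")
            ua = h.get("user-agent", "")
            if host_os == "Linux" and any(w in ua for w in FOREIGN_UA_MARKERS):
                findings.append(f"user-agent claims another OS: {ua}")
    # Repeated packets to one external endpoint on a port outside policy
    per_dst = Counter((e["dst"], e["dport"]) for e in events if e["kind"] == "flow")
    for (dst, port), n in per_dst.items():
        if port not in allowed_ports:
            findings.append(f"{n} packets to {dst}:{port} (port not allowed for this host)")
    return findings
```

Run `triage(parse_tcpdump(open("capture.txt").read()))` on the text of `tcpdump -r capture.cap -vvv` to get the same findings for a real capture; each finding names the destination so it can be checked against the host's intended outbound policy.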
 
Old 12-30-2018, 03:17 AM   #2
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 12,256

Rep: Reputation: 3789
In general, a basic/default installation of any distro and tools like apache/elasticsearch/whatever is unsafe. You must learn to configure them. Without configuration, just by using default settings, they are more or less useless. So learn what you work with.
 
Old 12-30-2018, 06:59 AM   #3
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by pan64
In general, a basic/default installation of any distro and tools like apache/elasticsearch/whatever is unsafe. You must learn to configure them. Without configuration, just by using default settings, they are more or less useless. So learn what you work with.
Can I request just some advice? I searched on the internet, but it is my question and I want to know: is it an attack?
 
Old 12-30-2018, 10:08 AM   #4
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 12,256

Rep: Reputation: 3789
Yes, you can. But first please read the guidelines (LQ rules). And please specify your problem accurately. http://catb.org/~esr/faqs/smart-ques...html#beprecise
And, yes, if we know how your system was set up/installed/configured, we may give you some advice to improve and/or to go further. Otherwise it is you, only you, who knows what's happening. In other words, what you posted means nothing.
 
1 members found this post helpful.
Old 12-30-2018, 10:15 AM   #5
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 21,146

Rep: Reputation: 5364
Quote:
Originally Posted by hack3rcon
Can I request just some advice? I searched on the internet, but it is my question and I want to know: is it an attack?
You come to a community forum for advice, and are complaining you don't get EXACTLY what you want?? That's fairly rude. Add to that the fact that most of your posts show little to no effort of your own, as this one does.

pan64 gave excellent advice; you have thrown things on to a server, and have left all the defaults in place. It is now up to *YOU* to learn how to configure them to meet your needs. As said, we can help you with specific questions, but do you expect us to type up step-by-step guides for you? If you are unhappy with the answers you're getting here, there are MANY other forums you can go to.
 
1 members found this post helpful.
Old 12-30-2018, 10:21 AM   #6
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: None, just FreeBSD
Posts: 735

Rep: Reputation: Disabled
Is this system exposed to the Internet, in other words, are there firewall rules that allow INBOUND traffic to this host?

Last edited by sevendogsbsd; 12-30-2018 at 10:23 AM.
 
1 members found this post helpful.
Old 12-30-2018, 10:45 AM   #7
Sauerland
Member
 
Registered: Jul 2017
Posts: 32

Rep: Reputation: Disabled
Quote:
If you are unhappy with the answers you're getting here, there are MANY other forums you can go to.
That was done before he posted here:
https://forums.opensuse.org/showthre...penSUSE-did-it
 
1 members found this post helpful.
Old 12-30-2018, 11:44 AM   #8
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 12,256

Rep: Reputation: 3789
Additionally, it looks like you downloaded a script from somewhere and posted its output, but forgot to tell us. How on earth could you think it will work this way?
 
1 members found this post helpful.
Old 12-30-2018, 02:37 PM   #9
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by sevendogsbsd
Is this system exposed to the Internet, in other words, are there firewall rules that allow INBOUND traffic to this host?
Yes. I just allowed the default Elasticsearch and Kibana ports. Can this captured file mean someone was root on my system? Or just used Elasticsearch and Kibana for the attack?
 
Old 12-31-2018, 04:12 AM   #10
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 12,256

Rep: Reputation: 3789
See post #4: what you posted is useless. That information does not mean anything, especially without background information (or context).
This link is not a joke: be precise
 
1 members found this post helpful.