  #1  
26th October 2010, 21:52
kresser
Junior Member
 
Join Date: Jan 2010
Posts: 23
Thanks: 0
Thanked 4 Times in 4 Posts
Being Spammed/Hacked/Probed not sure PLEASE HELP!

I am really concerned as I have quite a few clients on an ISPConfig server and honestly I'm a little fresh when it comes to dealing with Internet vandals; maintenance and building I'm fine with, but I'm not really keen on how to protect. I've built several ISPConfig servers and this is the first time I've been getting attacked, so I think. Fail2ban has been repeatedly blocking IP addresses with the word SSH next to the IP address, which I'm assuming means I've had repeated failed SSH login attempts.

I have been taking all of those IP addresses that show up and creating an individual firewall rule to reject communication. I have looked at some of my individual site records and found what looks like someone probing for my phpMyAdmin management pages, as well as other Internet configuration and management pages.

I am also seeing tons of communication from spamming sites in foreign countries such as Germany, Russia, Belgium, and many many more.

Recently many of my users across all of my virtual domains have been experiencing "500 error, internal server error", mostly through my e-mail client Roundcube. I run that as well as SquirrelMail, phpMyAdmin and all the basic tools used in the Debian Lenny "The Perfect Server" howto.

I really need some assistance in figuring out a proactive way to stop communication with these sites, maybe blacklisting the domains, and the proper way to restrict these addresses. I have found where to blacklist e-mail accounts, however I don't see such a tool to block domains.

It would be cool if someone could share with me how to implement a script where, after a certain number of repeated communication attempts through different channels such as SSH or unauthorized SSL or username probing, that particular client would be blocked permanently from communication.

I am including some of the log files so maybe someone can help me make sense of this. The IP addresses included in the logs are not any of my personal addresses for this platform.

The main reason I need help, other than the clarification on the log files and what to do, is what's going on with the internal server error 500. I need to get rid of that so my clients stop having problems. Here are the log files and where they came from.

"mail warn-log"
Quote:
Sep 25 06:52:33 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 06:52:34 messiah postfix/smtpd[3925]: warning: unknown[173.236.34.70]: SASL LOGIN authentication failed: authentication failure
Sep 25 06:52:34 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 06:52:35 messiah postfix/smtpd[3925]: warning: unknown[173.236.34.70]: SASL LOGIN authentication failed: authentication failure
Sep 25 06:52:35 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 06:52:36 messiah postfix/smtpd[3925]: warning: unknown[173.236.34.70]: SASL LOGIN authentication failed: authentication failure
Sep 25 06:52:36 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 06:52:38 messiah postfix/smtpd[3925]: warning: unknown[173.236.34.70]: SASL LOGIN authentication failed: authentication failure
Sep 25 06:52:38 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 06:52:39 messiah postfix/smtpd[3925]: warning: unknown[173.236.34.70]: SASL LOGIN authentication failed: authentication failure
Sep 25 06:52:39 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 06:52:40 messiah postfix/smtpd[3925]: warning: unknown[173.236.34.70]: SASL LOGIN authentication failed: authentication failure
Sep 25 06:52:40 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 06:52:41 messiah postfix/smtpd[3925]: warning: unknown[173.236.34.70]: SASL LOGIN authentication failed: authentication failure
Sep 25 06:52:41 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 06:52:42 messiah postfix/smtpd[3925]: warning: unknown[173.236.34.70]: SASL LOGIN authentication failed: authentication failure
Sep 25 06:52:42 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 06:52:46 messiah postfix/smtpd[3925]: warning: unknown[173.236.34.70]: SASL LOGIN authentication failed: authentication failure
Sep 25 06:52:46 messiah postfix/smtpd[3925]: warning: 173.236.34.70: address not listed for hostname ns1.bitlocal.com
Sep 25 09:45:00 messiah postfix/smtpd[5567]: warning: 64.206.180.28: address not listed for hostname COLLEGEROADTRIP.NET
Sep 26 10:01:29 messiah postfix/smtpd[22470]: warning: 64.206.180.32: address not listed for hostname EDUCATIONDECATHLON.NET
Sep 26 13:56:00 messiah postfix/master[32730]: warning: master_spawn: fork: Cannot allocate memory -- throttling
Sep 26 19:05:01 messiah postfix/master[32730]: warning: master_spawn: fork: Cannot allocate memory -- throttling
Sep 29 13:36:29 messiah postfix/smtpd[32035]: warning: TLS library problem: 32035:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1053:SSL alert number 48:
Sep 30 20:45:37 messiah postfix/smtpd[22042]: warning: 74.82.216.23: hostname mx1.COMPSENSELIVE.COM verification failed: Name or service not known
Oct 1 09:49:22 messiah pop3d: Maximum connection limit reached for ::ffff:78.188.11.52
Oct 1 09:49:22 messiah pop3d: Maximum connection limit reached for ::ffff:78.188.11.52
Oct 4 05:38:44 messiah pop3d: Maximum connection limit reached for ::ffff:173.10.255.154
Oct 4 05:38:45 messiah last message repeated 11 times
Oct 4 22:22:00 messiah postfix/smtpd[3527]: warning: rrcs-67-78-121-115.sw.biz.rr.com[67.78.121.115]: SASL LOGIN authentication failed: authentication failure
Oct 5 03:42:53 messiah postfix/smtpd[26033]: warning: rrcs-67-78-121-115.sw.biz.rr.com[67.78.121.115]: SASL LOGIN authentication failed: authentication failure
Oct 8 10:02:34 messiah postfix/smtpd[3441]: warning: 208.67.183.45: hostname host.gravitydeal.com verification failed: Name or service not known
Oct 12 05:38:12 messiah postfix/smtpd[2015]: warning: 69.175.64.132: address not listed for hostname srv1.clickregionalsadv.com
Oct 12 05:38:12 messiah postfix/smtpd[2015]: warning: 69.175.64.132: address not listed for hostname srv1.clickregionalsadv.com
Oct 20 09:53:33 messiah postfix/smtpd[30042]: warning: 24.106.95.18: hostname strongmail.schaeffer.com verification failed: Name or service not known
Oct 21 19:46:36 messiah postfix/smtpd[25989]: warning: 207.126.80.124: address not listed for hostname jersey.educateuniversity.com
Oct 21 21:30:11 messiah postfix/smtpd[1635]: warning: 173.232.50.71: address not listed for hostname dominicanrepublic.dealsposts.com
Oct 22 06:46:37 messiah postfix/smtpd[10124]: warning: unknown[219.232.243.172]: SASL LOGIN authentication failed: authentication failure
Oct 22 06:46:43 messiah last message repeated 3 times
Oct 22 12:01:59 messiah postfix/master[32404]: warning: master_spawn: fork: Cannot allocate memory -- throttling
Oct 22 13:15:40 messiah postfix/smtpd[22296]: warning: 173.232.50.35: address not listed for hostname bouvetisland.dealsposts.com
Oct 22 14:00:18 messiah postfix/master[32404]: warning: master_spawn: fork: Cannot allocate memory -- throttling
Oct 22 14:05:45 messiah postfix/smtpd[19780]: warning: 207.126.80.23: address not listed for hostname bangladesh.educateuniversity.com
Oct 22 14:17:45 messiah postfix/smtpd[25634]: warning: unknown[219.232.243.172]: SASL LOGIN authentication failed: authentication failure
Oct 22 14:17:57 messiah last message repeated 7 times
Oct 22 18:31:50 messiah postfix/smtpd[15632]: warning: 207.126.80.35: address not listed for hostname bouvetisland.educateuniversity.com
Oct 22 20:02:25 messiah amavis[19565]: (19565-08) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66, line 25624. at /usr/sbin/amavisd-new line 2892, line 25624.
Oct 22 20:02:25 messiah amavis[19565]: (19565-08) (!)PRESERVING EVIDENCE in /var/lib/amavis/tmp/amavis-20101022T182026-19565
Oct 23 05:04:01 messiah postfix/smtpd[13948]: warning: unknown[219.232.243.172]: SASL LOGIN authentication failed: authentication failure
Oct 23 05:04:15 messiah last message repeated 8 times
Oct 23 05:08:02 messiah postfix/smtpd[24301]: warning: unknown[219.232.243.172]: SASL LOGIN authentication failed: authentication failure
Oct 23 05:08:14 messiah last message repeated 8 times
Oct 23 07:30:30 messiah postfix/smtpd[22020]: warning: 207.126.80.150: address not listed for hostname marshallislands.educateuniversity.com
Oct 23 08:05:00 messiah amavis[25958]: (25958-09) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66, line 1570. at /usr/sbin/amavisd-new line 2892, line 1570.
Oct 23 08:05:00 messiah amavis[25958]: (25958-09) (!)PRESERVING EVIDENCE in /var/lib/amavis/tmp/amavis-20101023T041452-25958
Oct 23 10:21:37 messiah postfix/smtpd[1505]: warning: 173.232.75.170: address not listed for hostname newzealand.degreeroots.com
Oct 23 10:49:39 messiah postfix/smtpd[15946]: warning: 207.126.76.182: address not listed for hostname papuanewguinea.degreenewsletter.com
Oct 23 11:06:08 messiah postfix/smtpd[23773]: warning: 184.82.91.221: address not listed for hostname svalbard.educateaccess.com
Oct 23 11:19:42 messiah postfix/smtpd[28567]: warning: 67.143.173.11: hostname host671430011173.direcway.com verification failed: Name or service not known
Oct 23 12:11:08 messiah postfix/smtpd[5140]: warning: 207.126.83.134: address not listed for hostname latvia.guidegetup.com
Oct 23 14:00:13 messiah postfix/smtpd[28219]: warning: 207.126.80.217: address not listed for hostname spratlyislands.educateuniversity.com
Oct 23 14:21:50 messiah postfix/smtpd[3401]: warning: 207.126.68.39: address not listed for hostname brunei.chimiesecondspeedup.com
Oct 23 14:34:57 messiah postfix/smtpd[3853]: warning: 207.126.81.144: address not listed for hostname madagascar.fondpauseutilities.com
Oct 23 14:55:37 messiah postfix/smtpd[28134]: warning: 209.135.0.17: address not listed for hostname ashmoreandcartierislands.investforfamily.com
Oct 23 15:45:50 messiah postfix/smtpd[26511]: warning: 173.232.50.132: address not listed for hostname kyrgyzstan.dealsposts.com
Oct 23 16:10:20 messiah postfix/smtpd[19865]: warning: 184.82.90.236: address not listed for hostname tunisia.deliveryschool.com
Oct 23 18:03:05 messiah postfix/smtpd[17899]: warning: 173.232.75.243: address not listed for hostname unitedarabemirates.degreeroots.com
Oct 23 18:49:25 messiah postfix/smtpd[5796]: warning: 173.232.49.186: address not listed for hostname philippines.componentnetworks.com
Oct 23 22:02:53 messiah postfix/smtpd[13450]: warning: 184.82.91.8: address not listed for hostname angola.educateaccess.com
Oct 24 09:00:35 messiah postfix/smtpd[30152]: warning: 173.232.49.249: address not listed for hostname vietnam.componentnetworks.com
Oct 24 09:20:36 messiah postfix/smtpd[11301]: warning: 207.126.80.28: address not listed for hostname belize.educateuniversity.com
Oct 24 10:24:04 messiah postfix/smtpd[17844]: warning: 173.232.50.69: address not listed for hostname djibouti.dealsposts.com
Oct 24 10:50:17 messiah postfix/smtpd[22406]: warning: 173.232.75.102: address not listed for hostname guernsey.degreeroots.com
Oct 24 11:12:36 messiah postfix/smtpd[9640]: warning: 64.191.42.21: address not listed for hostname bahamas.cashforschooling.com
Oct 24 11:35:24 messiah postfix/smtpd[19688]: warning: 209.135.0.208: address not listed for hostname sierraleone.investforfamily.com
Oct 24 11:37:30 messiah postfix/smtpd[30032]: warning: 184.82.91.182: address not listed for hostname papuanewguinea.educateaccess.com
Oct 24 12:16:52 messiah postfix/smtpd[5412]: warning: 207.126.78.116: address not listed for hostname iraq.easyprofessionals.com
Oct 24 14:05:56 messiah postfix/smtpd[24313]: warning: 207.126.83.71: address not listed for hostname dominicanrepublic.guidegetup.com
Oct 24 16:35:51 messiah postfix/smtpd[6070]: warning: 173.232.75.99: address not listed for hostname guadeloupe.degreeroots.com
Oct 24 20:32:37 messiah postfix/smtpd[1401]: warning: non-SMTP command from 118-167-11-217.dynamic.hinet.net[118.167.11.217]: GET http://www.scanproxy.com:80/p-25.html HTTP/1.0
Oct 24 20:32:37 messiah postfix/smtpd[1404]: warning: non-SMTP command from 118-167-11-217.dynamic.hinet.net[118.167.11.217]: GET http://www.scanproxy.com:80/p-25.html HTTP/1.0
Oct 25 09:31:23 messiah postfix/smtpd[16071]: warning: 207.126.80.64: address not listed for hostname cuba.educateuniversity.com
Oct 25 10:54:40 messiah postfix/smtpd[12187]: warning: 209.135.0.121: address not listed for hostname jamaica.investforfamily.com
Oct 25 10:59:45 messiah postfix/smtpd[26266]: warning: 207.126.76.110: address not listed for hostname hongkong.degreenewsletter.com
Oct 25 11:35:38 messiah postfix/smtpd[1675]: warning: 173.232.49.95: address not listed for hostname gloriosoislands.componentnetworks.com
Oct 25 11:53:24 messiah postfix/smtpd[22294]: warning: 173.232.50.227: address not listed for hostname tajikistan.dealsposts.com
Oct 25 12:05:24 messiah postfix/smtpd[10222]: warning: 207.126.83.152: address not listed for hostname mauritania.guidegetup.com
Oct 25 12:11:53 messiah postfix/smtpd[30690]: warning: 173.232.75.64: address not listed for hostname cuba.degreeroots.com
Oct 25 14:00:22 messiah postfix/smtpd[30404]: warning: 207.126.81.158: address not listed for hostname monaco.fondpauseutilities.com
Oct 25 16:39:43 messiah postfix/smtpd[28501]: warning: 173.232.75.95: address not listed for hostname gloriosoislands.degreeroots.com
Oct 25 19:00:08 messiah postfix/local[7758]: warning: fork: Cannot allocate memory
Oct 25 19:00:08 messiah postfix/master[32404]: warning: master_spawn: fork: Cannot allocate memory -- throttling
Oct 25 22:17:44 messiah postfix/smtpd[30399]: warning: 64.191.42.27: address not listed for hostname belgium.cashforschooling.com
Oct 26 08:03:02 messiah amavis[30266]: (30266-13) (!)rw_loop: leaving rw loop, no progress
Oct 26 08:03:02 messiah amavis[30266]: (30266-13) (!)FWD via SMTP: -> , 451 4.5.0 From MTA([127.0.0.1]:10025) during fwd-connect (Negative greeting: at (eval 84) line 555, line 6628.): id=30266-13
Oct 26 08:03:08 messiah amavis[30266]: (30266-13) (!)rw_loop: leaving rw loop, no progress
Oct 26 09:52:25 messiah postfix/smtpd[11301]: warning: 207.126.76.66: address not listed for hostname czechrepublic.degreenewsletter.com
Oct 26 10:03:57 messiah postfix/smtpd[29737]: warning: 173.232.49.59: address not listed for hostname cookislands.componentnetworks.com
Oct 26 10:10:17 messiah postfix/smtpd[15751]: warning: 173.232.75.36: address not listed for hostname brazil.degreeroots.com
Oct 26 11:05:56 messiah postfix/smtpd[27926]: warning: 209.135.0.188: address not listed for hostname poland.investforfamily.com
"fail2ban" - There are close to 100 of these over the last week
Quote:
2010-10-24 04:14:42,808 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2010-10-24 04:14:42,809 fail2ban.jail : INFO Creating new jail 'ssh'
2010-10-24 04:14:42,809 fail2ban.jail : INFO Jail 'ssh' uses poller
2010-10-24 04:14:42,810 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2010-10-24 04:14:42,810 fail2ban.filter : INFO Set maxRetry = 6
2010-10-24 04:14:42,811 fail2ban.filter : INFO Set findtime = 600
2010-10-24 04:14:42,812 fail2ban.actions: INFO Set banTime = 600
2010-10-24 04:14:42,872 fail2ban.jail : INFO Jail 'ssh' started
2010-10-24 04:14:44,895 fail2ban.actions: WARNING [ssh] Ban 111.171.206.167
2010-10-24 04:24:44,902 fail2ban.actions: WARNING [ssh] Unban 111.171.206.167
2010-10-24 06:46:58,005 fail2ban.actions: WARNING [ssh] Ban 111.171.206.167
2010-10-24 06:56:58,888 fail2ban.actions: WARNING [ssh] Unban 111.171.206.167
2010-10-24 08:16:59,866 fail2ban.actions: WARNING [ssh] Ban 111.171.206.167
2010-10-24 08:27:00,460 fail2ban.actions: WARNING [ssh] Unban 111.171.206.167
2010-10-24 11:33:00,403 fail2ban.actions: WARNING [ssh] Ban 113.12.94.87
2010-10-24 11:43:00,494 fail2ban.actions: WARNING [ssh] Unban 113.12.94.87
2010-10-24 19:00:49,672 fail2ban.actions: WARNING [ssh] Ban 219.153.49.151
2010-10-24 19:00:53,737 fail2ban.actions: WARNING [ssh] 219.153.49.151 already banned
2010-10-24 19:10:49,747 fail2ban.actions: WARNING [ssh] Unban 219.153.49.151
2010-10-25 00:26:05,525 fail2ban.actions: WARNING [ssh] Ban 113.12.94.87
2010-10-25 00:36:05,853 fail2ban.actions: WARNING [ssh] Unban 113.12.94.87
2010-10-25 03:04:20,733 fail2ban.actions: WARNING [ssh] Ban 113.12.94.87
2010-10-25 03:14:20,738 fail2ban.actions: WARNING [ssh] Unban 113.12.94.87
2010-10-25 04:14:49,543 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2010-10-25 15:46:16,913 fail2ban.actions: WARNING [ssh] Ban 222.73.163.21
2010-10-25 15:56:17,762 fail2ban.actions: WARNING [ssh] Unban 222.73.163.21
2010-10-26 12:15:28,444 fail2ban.actions: WARNING [ssh] Ban 61.135.88.47
2010-10-26 12:15:41,584 fail2ban.actions: WARNING [ssh] 61.135.88.47 already banned
2010-10-26 12:15:42,584 fail2ban.actions: WARNING [ssh] 61.135.88.47 already banned
2010-10-26 12:25:28,588 fail2ban.actions: WARNING [ssh] Unban 61.135.88.47
2010-10-26 12:44:26,603 fail2ban.actions: WARNING [ssh] Ban 180.70.116.110
2010-10-26 12:54:26,610 fail2ban.actions: WARNING [ssh] Unban 180.70.116.110
Site error log - note the config page errors. I never tried to get into management pages through this domain, and as a matter of fact they're blocked. Is someone probing?
Quote:
19 16:26:04 2010] [error] [client 99.198.52.181] File does not exist: /var/www/3ezbids.com/web/favicon.ico
[Sun Sep 19 16:27:55 2010] [error] [client 99.198.52.181] File does not exist: /var/www/3ezbids.com/web/favicon.ico
[Sun Sep 19 16:28:00 2010] [error] [client 99.198.52.181] File does not exist: /var/www/3ezbids.com/web/favicon.ico
[Sun Sep 19 16:28:12 2010] [error] [client 99.198.52.181] File does not exist: /var/www/3ezbids.com/web/favicon.ico
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/mysql
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/phpmyadmin
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/pma
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/scripts
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/phpmyadmin, referer: 173.212.254.49
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/phpmyadmin
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/mysql, referer: 173.212.254.49
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/phpmyadmin, referer: 173.212.254.49
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/pma, referer: 173.212.254.49
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/mysql
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin, referer: 173.212.254.49
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/scripts, referer: 173.212.254.49
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/pma
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/mysql, referer: 173.212.254.49
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/scripts
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/pma, referer: 173.212.254.49
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin, referer: 173.212.254.49
[Sun Sep 19 17:08:32 2010] [error] [client 64.15.159.169] File does not exist: /var/www/3ezbids.com/web/scripts, referer: 173.212.254.49
[Sun Sep 19 17:58:50 2010] [error] [client 99.198.52.181] File does not exist: /var/www/3ezbids.com/web/favicon.ico
[Sun Sep 19 19:48:19
More for the same site. I used net tools to check the IPs and they are coming from Germany and Russia mostly. What's going on?

Quote:
/var/www/3ezbids.com/web/favicon.ico
[Thu Sep 23 06:44:14 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/w00tw00t.at.blackhats.romanian.anti-sec
[Thu Sep 23 06:44:15 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/scripts
[Thu Sep 23 06:44:15 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/admin
[Thu Sep 23 06:44:16 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/admin
[Thu Sep 23 06:44:16 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/admin
[Thu Sep 23 06:44:17 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/db
[Thu Sep 23 06:44:17 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/dbadmin
[Thu Sep 23 06:44:17 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/myadmin
[Thu Sep 23 06:44:18 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/mysql
[Thu Sep 23 06:44:18 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/mysqladmin
[Thu Sep 23 06:44:19 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/typo3
[Thu Sep 23 06:44:19 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpadmin
[Thu Sep 23 06:44:19 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin
[Thu Sep 23 06:44:20 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpmyadmin
[Thu Sep 23 06:44:20 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpmyadmin1
[Thu Sep 23 06:44:21 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpmyadmin2
[Thu Sep 23 06:44:21 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/pma
[Thu Sep 23 06:44:21 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/web
[Thu Sep 23 06:44:22 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/xampp
[Thu Sep 23 06:44:22 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/web
[Thu Sep 23 06:44:23 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/php-my-admin
[Thu Sep 23 06:44:23 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/websql
[Thu Sep 23 06:44:23 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpmyadmin
[Thu Sep 23 06:44:24 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin
[Thu Sep 23 06:44:24 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2
[Thu Sep 23 06:44:25 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/php-my-admin
[Thu Sep 23 06:44:25 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.2.3
[Thu Sep 23 06:44:25 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.2.6
[Thu Sep 23 06:44:26 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.1
[Thu Sep 23 06:44:27 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.4
[Thu Sep 23 06:44:27 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.5-rc1
[Thu Sep 23 06:44:27 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.5-rc2
[Thu Sep 23 06:44:27 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.5
[Thu Sep 23 06:44:28 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.5-pl1
[Thu Sep 23 06:44:28 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.6-rc1
[Thu Sep 23 06:44:29 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.6-rc2
[Thu Sep 23 06:44:29 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.6
[Thu Sep 23 06:44:29 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.7
[Thu Sep 23 06:44:30 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.5.7-pl1
[Thu Sep 23 06:44:30 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-alpha
[Thu Sep 23 06:44:31 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-alpha2
[Thu Sep 23 06:44:31 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-beta1
[Thu Sep 23 06:44:31 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-beta2
[Thu Sep 23 06:44:32 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-rc1
[Thu Sep 23 06:44:32 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-rc2
[Thu Sep 23 06:44:33 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-rc3
[Thu Sep 23 06:44:33 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0
[Thu Sep 23 06:44:33 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-pl1
[Thu Sep 23 06:44:34 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-pl2
[Thu Sep 23 06:44:34 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.0-pl3
[Thu Sep 23 06:44:35 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.1-rc1
[Thu Sep 23 06:44:35 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.1-rc2
[Thu Sep 23 06:44:35 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.1
[Thu Sep 23 06:44:36 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.1-pl1
[Thu Sep 23 06:44:36 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.1-pl2
[Thu Sep 23 06:44:37 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.1-pl3
[Thu Sep 23 06:44:37 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.2-rc1
[Thu Sep 23 06:44:37 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.2-beta1
[Thu Sep 23 06:44:38 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.2-rc1
[Thu Sep 23 06:44:38 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.2
[Thu Sep 23 06:44:39 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.2-pl1
[Thu Sep 23 06:44:39 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.3
[Thu Sep 23 06:44:39 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.3-rc1
[Thu Sep 23 06:44:40 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.3
[Thu Sep 23 06:44:40 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.3-pl1
[Thu Sep 23 06:44:41 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.4-rc1
[Thu Sep 23 06:44:41 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.4-pl1
[Thu Sep 23 06:44:41 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.4-pl2
[Thu Sep 23 06:44:42 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.4-pl3
[Thu Sep 23 06:44:42 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.4-pl4
[Thu Sep 23 06:44:43 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.6.4
[Thu Sep 23 06:44:43 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.7.0-beta1
[Thu Sep 23 06:44:43 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.7.0-rc1
[Thu Sep 23 06:44:44 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.7.0-pl1
[Thu Sep 23 06:44:45 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.7.0-pl2
[Thu Sep 23 06:44:45 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.7.0
[Thu Sep 23 06:44:45 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.0-beta1
[Thu Sep 23 06:44:45 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.0-rc1
[Thu Sep 23 06:44:46 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.0-rc2
[Thu Sep 23 06:44:46 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.0
[Thu Sep 23 06:44:47 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.0.1
[Thu Sep 23 06:44:47 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.0.2
[Thu Sep 23 06:44:47 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.0.3
[Thu Sep 23 06:44:47 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.0.4
[Thu Sep 23 06:44:48 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.1-rc1
[Thu Sep 23 06:44:48 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.1
[Thu Sep 23 06:44:49 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpMyAdmin-2.8.2
[Thu Sep 23 06:44:49 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/sqlmanager
[Thu Sep 23 06:44:49 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/mysqlmanager
[Thu Sep 23 06:44:50 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/p
[Thu Sep 23 06:44:50 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/PMA2005
[Thu Sep 23 06:44:51 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/pma2005
[Thu Sep 23 06:44:51 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpmanager
[Thu Sep 23 06:44:51 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/php-myadmin
[Thu Sep 23 06:44:52 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/phpmy-admin
[Thu Sep 23 06:44:52 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/webadmin
[Thu Sep 23 06:44:53 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/sqlweb
[Thu Sep 23 06:44:53 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/websql
[Thu Sep 23 06:44:53 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/webdb
[Thu Sep 23 06:44:54 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/mysqladmin
[Thu Sep 23 06:44:54 2010] [error] [client 72.11.128.37] File does not exist: /var/www/3ezbids.com/web/mysql-admin
[Thu Sep 23 08:26:56 2010] [error] [client 99.198.52.181] File does not exist:
Please help explain this and what to do. It's happening all over my server, and my clients that run businesses on this are having the 500 errors. Forgive me for being ignorant, but you have to learn somehow, right?
  #2  
Old 26th October 2010, 21:59
kresser kresser is offline
Junior Member
 
Join Date: Jan 2010
Posts: 23
Thanks: 0
Thanked 4 Times in 4 Posts
Proxy Servers...

I can see some of these people are using non-logging/private proxy servers, and that's an indicator to me that they are up to no good. Advice?
  #3  
Old 26th October 2010, 22:17
mini14 mini14 is offline
Member
 
Join Date: Oct 2010
Posts: 66
Thanks: 2
Thanked 3 Times in 3 Posts

You can permanently block the offending IP numbers and even the class C that they are part of if you want to. Edit the file "pre-chain-split.sh" that's located in /etc/Bastille/firewall.d.

Add lines like this to it:

iptables -A INPUT -s xx.xxx.xx.0/24 -j DROP
(blocks the class C)
iptables -A INPUT -s xx.xxx.xx.x -j DROP
(blocks the individual IP)

Then restart Bastille with /etc/init.d/bastille-firewall restart
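Added example (not part of this thread, and not ISPConfig or Bastille code): a POSIX shell script that does by hand what the log in post #1 and the iptables lines in post #3 suggest. The posted error log is the signature of an automated scanner walking one vhost with a wordlist of phpMyAdmin and SQL-console directory names, about one request per second, and every hit is a 404 because none of those paths exist. The script counts "File does not exist" hits on such paths per client IP over a constructed Apache 2.2 error log (the IPs and vhost are documentation addresses, not the ones from the thread), then prints the matching `iptables ... -j DROP` lines after checking that each address is a well-formed IPv4 address or /NN prefix. The function names (`probe_ips`, `valid_addr`, `drop_rules`) and the path regex are this example's own choices and are not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: find clients that walk a vhost looking
# for database/admin consoles (the pattern in the posted error log) and turn
# them into the iptables DROP lines described in post #3.

# Constructed sample of Apache 2.2 error-log lines; IPs and vhost are
# documentation addresses, not the ones from the thread.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
[Thu Sep 23 06:44:43 2010] [error] [client 192.0.2.10] File does not exist: /var/www/example.com/web/phpMyAdmin-2.6.4
[Thu Sep 23 06:44:43 2010] [error] [client 192.0.2.10] File does not exist: /var/www/example.com/web/phpMyAdmin-2.7.0
[Thu Sep 23 06:44:44 2010] [error] [client 192.0.2.10] File does not exist: /var/www/example.com/web/sqlmanager
[Thu Sep 23 06:44:44 2010] [error] [client 192.0.2.10] File does not exist: /var/www/example.com/web/mysqladmin
[Thu Sep 23 06:44:45 2010] [error] [client 192.0.2.10] File does not exist: /var/www/example.com/web/webdb
[Thu Sep 23 06:50:01 2010] [error] [client 198.51.100.7] File does not exist: /var/www/example.com/web/favicon.ico
[Thu Sep 23 06:51:12 2010] [error] [client 203.0.113.9] File does not exist: /var/www/example.com/web/phpmyadmin
[Thu Sep 23 07:02:30 2010] [error] [client 203.0.113.9] PHP Warning: something in /var/www/example.com/web/index.php
EOF

# Directory names an automated scanner typically tries (this list is an
# assumption based on the posted log; extend it to taste).
ADMIN_PATH_RE='/(phpmyadmin[^/]*|pma[0-9]*|sqlmanager|mysqlmanager|mysql-?admin|phpmanager|php-?my-?admin|webadmin|sqlweb|websql|webdb)$'

# probe_ips LOG THRESHOLD
# Print every client IP with at least THRESHOLD "File does not exist" hits
# on admin-looking paths, busiest first, one per line.
probe_ips() {
    awk -v re="$ADMIN_PATH_RE" -v min="$2" '
        /\[client [0-9.]+\] File does not exist: / {
            path = $NF
            if (tolower(path) ~ re) {
                ip = $0
                sub(/.*\[client /, "", ip)
                sub(/\].*/, "", ip)
                hits[ip]++
            }
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$1" | sort -rn | awk '{ print $2 }'
}

# valid_addr ADDR: succeed only for a dotted-quad IPv4 address with an
# optional /0-32 prefix, so a garbled log line cannot smuggle text into
# a firewall rule.
valid_addr() {
    ip=${1%%/*}
    case "$1" in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    n=0
    old_ifs=$IFS
    IFS=.
    for oct in $ip; do
        case "$oct" in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
        [ "$oct" -le 255 ] || { IFS=$old_ifs; return 1; }
        n=$((n + 1))
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# drop_rules ADDR...: emit one iptables line per valid address, ready to
# paste into /etc/Bastille/firewall.d/pre-chain-split.sh (see post #3).
drop_rules() {
    for addr in "$@"; do
        if valid_addr "$addr"; then
            echo "iptables -A INPUT -s $addr -j DROP"
        else
            echo "drop_rules: skipping malformed address '$addr'" >&2
        fi
    done
}

# On a real box this would be something like:
#   drop_rules $(probe_ips /var/log/apache2/error.log 10)
drop_rules $(probe_ips "$SAMPLE_LOG" 5)
```

Review the list before pasting the rules into pre-chain-split.sh: a scanner coming through a proxy or a compromised host shares its address with other users, and a /24 block takes out everyone in that range, not just the scanner. Fail2ban can do the same thing automatically with a filter on the Apache error log, which is the lower-maintenance route.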
  #4  
Old 28th October 2010, 20:00
kresser kresser is offline
Junior Member
 
Join Date: Jan 2010
Posts: 23
Thanks: 0
Thanked 4 Times in 4 Posts
Thank you but I still need a bunch of help

I appreciate that tip, but is there anyone who can give me some insight as to what these logs are suggesting? I would appreciate a brief run-through of what a professional administrator sees here. I am only an intermediate IT guy; I'm not very familiar with defending complex platforms, which I know sounds dumb, but like I said, you have to learn somehow, right?

Also, this is very important: I myself and all of my clients are receiving an "internal server error 500" every few days, and I need to know if that's a separate problem and where to start on fixing it. I already removed all of the .htaccess files in the site dirs thinking that was it, but no luck.

And one other important thing: I can only enable one SSL site in the configs. I have each site that needs SSL set up on a separate IP address, but when I get the first one working and enable the second, Apache crashes and says "address already in use", cannot bind or something like that. If anyone could please help with these issues I would greatly appreciate it!
  #5  
Old 28th October 2010, 20:03
kresser kresser is offline
Junior Member
 
Join Date: Jan 2010
Posts: 23
Thanks: 0
Thanked 4 Times in 4 Posts
Actually ispconfig 3, not 2

My bad, I put this in the wrong thread. I'm using ISPConfig 3, not 2.
  #6  
Old 29th October 2010, 15:47
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,745 Times in 2,578 Posts

I wouldn't worry too much about being probed - that's happening to EVERY server on the Internet. As long as you use fail2ban and secure passwords, you should be fine.

Regarding the 500 server error: are there any errors in Apache's error log?
Tags
hacked, ispconfig 3, probed, probing, spam

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT +2. The time now is 11:41.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.