#1
13th February 2009, 21:13
stefanos (Junior Member, joined Nov 2008, 29 posts)

logwatch

Hi fellow friends,

I think I have a problem, or a potential problem, with my server. My logwatch looks like this:

I am concerned about the durak.ru.mydomain.com "Connection failure (outbound)". I do not have such a domain name. My server should not have tried to make this outbound connection. Has my server been hacked? How can I trace where this came from on my server?

And the "Connections lost / After AUTH" entry near the end of the log (220-132-164-157.HINET-IP.hinet.net): is this something to worry about?

I have also just installed fail2ban to combat the dovecot and ssh hack attacks; I am assuming this is a dictionary attack and they have not gained access yet.

I am running Fedora Core 9, Perfect Server. One other question I have is: how often should I run yum update?

Kind Regards
Stephen


 --------------------- pam_unix Begin ------------------------

 dovecot:
    Authentication Failures:
       rhost=::ffff:200.36.53.7 : 129 Time(s)
       root: 15 Time(s)
       adm: 1 Time(s)
       apache: 1 Time(s)
       bin: 1 Time(s)
       daemon: 1 Time(s)
       ftp: 1 Time(s)
       games: 1 Time(s)
       gopher: 1 Time(s)
       halt: 1 Time(s)
       lp: 1 Time(s)
       mail: 1 Time(s)
       mailnull: 1 Time(s)
       mysql: 1 Time(s)
       named: 1 Time(s)
       news: 1 Time(s)
       nfsnobody: 1 Time(s)
       nobody: 1 Time(s)
       operator: 1 Time(s)
       postfix: 1 Time(s)
       postgres: 1 Time(s)
       rpc: 1 Time(s)
       rpcuser: 1 Time(s)
       shutdown: 1 Time(s)
       smmsp: 1 Time(s)
       sshd: 1 Time(s)
       sync: 1 Time(s)
       uucp: 1 Time(s)
    Unknown Entries:
       check pass; user unknown: 129 Time(s)

 smtp:
    Unknown Entries:
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= : 1 Time(s)
       check pass; user unknown: 1 Time(s)

 sshd:
    Authentication Failures:
       mysql (210.87.191.133): 42 Time(s)
       root (123.233.245.226): 13 Time(s)
       unknown (123.233.245.226): 2 Time(s)
       root (202.108.29.8): 1 Time(s)
    Invalid Users:
       Unknown Account: 2 Time(s)
    Sessions Opened:
       smac: 6 Time(s)

 su-l:
    Sessions Opened:
       smac(uid=500) -> root: 5 Time(s)

 ---------------------- pam_unix End -------------------------


 --------------------- SSHD Begin ------------------------

    Didn't receive an ident from these IPs:
       210.87.191.133: 3 Time(s)

    Failed logins from:
       123.233.245.226: 13 times
          root/password: 13 times
       202.108.29.8: 1 time
          root/password: 1 time
       210.87.191.133: 42 times
          mysql/password: 42 times

    Illegal users from:
       123.233.245.226: 2 times
          oracle/password: 1 time
          test/password: 1 time

    Users logging in through sshd:
       smac:
          77.49.x.x (isp.net.gr): 2 times
          77.49.x.x (isp.net.gr): 2 times
          192.168.1.24: 2 times

    Received disconnect:
       11: Bye Bye
          123.233.245.226 : 15 Time(s)
          202.108.29.8 : 1 Time(s)
          210.87.191.133 : 36 Time(s)

    **Unmatched Entries**
       Timeout, client not responding. : 4 time(s)

 ---------------------- SSHD End -------------------------


 --------------------- Postfix Begin ------------------------

 ****** Summary *************************************************************************************

        1   SASL authentication failed

  55.742K  Bytes accepted                            57,080
  43.464K  Bytes delivered                           44,507
 ========   ================================================

       17   Accepted                                   94.44%
        1   Rejected                                    5.56%
 --------   ------------------------------------------------
       18   Total                                     100.00%
 ========   ================================================

        1   Reject relay denied                       100.00%
 --------   ------------------------------------------------
        1   Total Rejects                             100.00%
 ========   ================================================

        6   Connections made
        4   Connections lost
        6   Disconnections
        3   Removed from queue
        2   Sent via SMTP
        1   Forwarded
       14   Deferred
      297   Deferrals

      135   Connection failure (outbound)
        2   TLS connections (server)
        2   SASL authenticated messages

        1   Postfix start
        1   Postfix stop

 ****** Detailed ************************************************************************************

        1   SASL authentication failed --------------------------------------------------------------
        1      220.132.164.157    220-132-164-157.hinet-ip.hinet.net

        1   Reject relay denied ---------------------------------------------------------------------
        1      118.169.195.167    118-169-195-167.dynamic.hinet.net
        1         candy59839@yahoo.com.tw

        4   Connections lost ------------------------------------------------------------------------
        1      After AUTH
        1         220-132-164-157.HINET-IP.hinet.net
        1      After CONNECT
        1         correo.ccs.net.mx
        1      After EHLO
        1         220-132-164-157.HINET-IP.hinet.net
        1      After RCPT
        1         118-169-195-167.dynamic.hinet.net

        2   Sent via SMTP ---------------------------------------------------------------------------
        2      myemailprovider.gr
        2         mac
        1            root@dragon.mydomain.com

        1   Forwarded -------------------------------------------------------------------------------
        1      dragon.mydomain.com
        1         root

      297   Deferrals -------------------------------------------------------------------------------
      297      4.4.1: Persistent Transient Failure: Network & Routing Status: No answer from host
      162         Delivery temporarily suspended: Connection timed out
      162            localhost.localdomain.mydomain.com
      162               admispconfig
      162                  62.49.x.x    localhost.localdomain.mydomain.com
      135         Connection timed out
      113            localhost.localdomain.mydomain.com
      113               admispconfig
      113                  62.49.x.x    localhost.localdomain.mydomain.com
       22            durak.ru.mydomain.com
       22               lebedev
       22                  62.49.x.x    durak.ru.mydomain.com

      135   Connection failure (outbound) -----------------------------------------------------------
      135      Connection timed out
      113         62.49.x.x    localhost.localdomain.mydomain.com
       22         62.49.x.x    durak.ru.mydomain.com

        2   TLS connections (server) ----------------------------------------------------------------
        2      127.0.0.1    localhost.localdomain
        2         Anonymous: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

        2   SASL authenticated messages -------------------------------------------------------------
        2      Unknown
        2         Unknown
        2            127.0.0.1    localhost.localdomain

 ---------------------- Postfix End -------------------------
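An added example from the editor, not part of either post, for the first question (how to trace where the mail to durak.ru.mydomain.com came from). In postfix-logwatch output, "Connection failure (outbound)" counts attempts by Postfix's own smtp client to deliver queued mail that could not reach the destination on port 25; it is not a record of some other process opening connections. Here both failing destinations resolve to the same 62.49.x.x, and both are a foreign name with the poster's own domain appended, which is the pattern to expect when an unresolvable name gets completed with the local domain (a wildcard *.mydomain.com record, or a `search mydomain.com` line in /etc/resolv.conf on the host that generated the address). The checks worth running on the box are therefore whether 62.49.x.x is the server's own public address, whether *.mydomain.com resolves, and, in /var/log/maillog, who submitted those messages. Postfix writes one `pickup ... uid=N from=<user>` line for every message handed in locally (cron, a shell user, the web server's PHP mail()) and one `smtpd ... client=host[ip]` line for every message received over SMTP, both keyed by the queue ID that later appears on the `to=<...> status=deferred` line. The script below joins those lines; the per-uid count at the end is the same check applied to the "abused web form" case. The log lines, the hostname `dragon`, the queue IDs, the client 198.51.100.7 and the address 62.49.0.1 are constructed for the example. Separately, the dovecot and sshd failure counts in the pam_unix and SSHD sections are exactly what fail2ban keys on; the line to keep an eye on is "Sessions Opened", which should only ever list accounts you recognise.

```shell
#!/bin/bash
# trace_mail_origin.sh -- find how mail to a given recipient entered Postfix.
# Added example (editor's, not from the thread). The log lines are constructed
# in Postfix 2.x syslog format; hostname "dragon", the queue IDs, the client
# 198.51.100.7 and the address 62.49.0.1 are invented.

# Constructed sample of /var/log/maillog: one message submitted locally by the
# web server (uid 48 = apache on Fedora), one received over SMTP from a remote
# client, one submitted locally by root (a cron job). The first and the last
# are deferred because the destination does not answer on port 25.
SAMPLE_LOG='Feb 13 04:02:01 dragon postfix/pickup[1201]: 5A1B2C3D4E: uid=48 from=<apache>
Feb 13 04:02:01 dragon postfix/cleanup[1202]: 5A1B2C3D4E: message-id=<20090213040201.5A1B2C3D4E@dragon.mydomain.com>
Feb 13 04:02:01 dragon postfix/qmgr[1100]: 5A1B2C3D4E: from=<apache@dragon.mydomain.com>, size=512, nrcpt=1 (queue active)
Feb 13 04:02:31 dragon postfix/smtp[1203]: 5A1B2C3D4E: to=<lebedev@durak.ru.mydomain.com>, relay=none, delay=30, delays=0.01/0/30/0, dsn=4.4.1, status=deferred (connect to durak.ru.mydomain.com[62.49.0.1]:25: Connection timed out)
Feb 13 04:05:10 dragon postfix/smtpd[1301]: connect from unknown[198.51.100.7]
Feb 13 04:05:11 dragon postfix/smtpd[1301]: 7F8E9D0C1B: client=unknown[198.51.100.7]
Feb 13 04:05:11 dragon postfix/cleanup[1202]: 7F8E9D0C1B: message-id=<abc@example.invalid>
Feb 13 04:05:11 dragon postfix/qmgr[1100]: 7F8E9D0C1B: from=<spam@example.invalid>, size=900, nrcpt=1 (queue active)
Feb 13 04:05:12 dragon postfix/local[1204]: 7F8E9D0C1B: to=<smac@dragon.mydomain.com>, relay=local, delay=1, status=sent (delivered to mailbox)
Feb 13 04:05:12 dragon postfix/qmgr[1100]: 7F8E9D0C1B: removed
Feb 13 05:00:01 dragon postfix/pickup[1201]: 1122334455: uid=0 from=<root>
Feb 13 05:00:01 dragon postfix/qmgr[1100]: 1122334455: from=<root@dragon.mydomain.com>, size=300, nrcpt=1 (queue active)
Feb 13 05:00:31 dragon postfix/smtp[1203]: 1122334455: to=<admispconfig@localhost.localdomain.mydomain.com>, relay=none, delay=30, delays=0.01/0/30/0, dsn=4.4.1, status=deferred (connect to localhost.localdomain.mydomain.com[62.49.0.1]:25: Connection timed out)'

# trace_origin LOGFILE PATTERN
# For each queue ID that has a to=<...> line matching PATTERN (an awk regex),
# print "QUEUEID ORIGIN SENDER". ORIGIN is "local uid=N" when the message came
# in through pickup (the sendmail command: cron, a shell user, PHP mail()) or
# "smtpd client=host[ip]" when it arrived over SMTP. That uid or client is the
# answer to "where did this come from on my server".
trace_origin() {
    awk -v pat="$2" '
        function qid(q) { split($6, q, ":"); return q[1] }
        /postfix\/pickup\[/                   { sub(/^uid=/, "", $7); origin[qid()] = "local uid=" $7 }
        /postfix\/smtpd\[/ && $7 ~ /^client=/ { origin[qid()] = "smtpd " $7 }
        /postfix\/qmgr\[/  && $7 ~ /^from=/   { sub(/,$/, "", $7); sender[qid()] = $7 }
        $7 ~ /^to=</ && $7 ~ pat {
            id = qid()
            if (!(id in seen)) { seen[id] = 1; print id, origin[id], sender[id] }
        }
    ' "$1"
}

# local_submitters LOGFILE
# Messages submitted per local uid. A burst from the web server uid is the
# "abused contact form" case; a burst from a uid you cannot account for is worse.
local_submitters() {
    awk '/postfix\/pickup\[/ { sub(/^uid=/, "", $7); n[$7]++ }
         END { for (u in n) print "uid=" u, n[u] }' "$1" | sort
}

# Demonstration on the constructed sample; on a real box pass /var/log/maillog.
LOG=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOG"
echo "queued mail for durak.ru and who submitted it:"
trace_origin "$LOG" 'durak[.]ru'
echo "local submissions per uid:"
local_submitters "$LOG"
rm -f "$LOG"
```

On the live server the call is `trace_origin /var/log/maillog 'durak[.]ru'`; messages still sitting in the deferred queue can be listed with `postqueue -p` and read with `postcat -q QUEUEID`, whose headers (Received:, X-Mailer, X-PHP-Script if the distribution's PHP adds it) narrow the origin down further.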
#2
14th February 2009, 14:07
falko (Super Moderator, joined Apr 2005, Lüneburg, Germany, 41,701 posts)

First, I'd check if your server is blacklisted: http://mxtoolbox.com/blacklists.aspx
If it is, please check the mynetworks parameter in main.cf. The only network listed should be 127.0.0.0/8. Also check your web applications. Spammers might abuse vulnerable contact forms, guestbooks, etc.
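An added example from the editor, not from the post and not Postfix's own tooling, for the two checks above. `mynetworks` is the list of client networks that `permit_mynetworks` lets relay through Postfix without authenticating; anything broader than loopback means every host in that range can send mail through the box, which is one of the common routes to a blacklisting. The script reads a main.cf, prints every `mynetworks` entry other than 127.0.0.0/8, and fails when one is present, so it can run from cron or before a config push; it also builds the reversed-octet name used to query a DNSBL by hand, which is what the blacklist check does behind the form. The two main.cf fragments, the ranges 192.168.1.0/24 and 62.49.0.0/16 in the weak one, and the address 62.49.1.2 are constructed.

```shell
#!/bin/bash
# check_mynetworks.sh -- flag a Postfix main.cf that trusts more than loopback,
# and build the query name for a manual DNSBL lookup.
# Added example (editor's, not Postfix's own tooling). Both main.cf fragments
# and the address ranges in them are constructed.

# Constructed: a weak setting. Every host in 192.168.1.0/24 and 62.49.0.0/16
# passes permit_mynetworks and can relay without authenticating.
WEAK_MAIN_CF='myhostname = dragon.mydomain.com
mydomain = mydomain.com
#mynetworks = 127.0.0.0/8
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 62.49.0.0/16
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'

# Constructed: the corrected setting. Only loopback is trusted; other clients
# must authenticate (permit_sasl_authenticated) or are refused relaying.
FIXED_MAIN_CF='myhostname = dragon.mydomain.com
mydomain = mydomain.com
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'

# mynetworks_value FILE
# Print the effective mynetworks assignment in FILE. As in Postfix, the last
# uncommented assignment wins. Prints nothing when the parameter is unset
# (Postfix then derives it from mynetworks_style; see `postconf mynetworks`).
mynetworks_value() {
    awk -F= '/^[[:space:]]*mynetworks[[:space:]]*=/ {
                 v = $2; for (i = 3; i <= NF; i++) v = v "=" $i
             }
             END { gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v }' "$1"
}

# offending_networks FILE
# One line per mynetworks entry that is not the loopback network. Table
# lookups (hash:/..., cidr:/...) are reported too; they need a manual review.
offending_networks() {
    mynetworks_value "$1" | tr ',' ' ' | tr -s ' ' '\n' \
        | grep -v '^$' | grep -v -x -e '127.0.0.0/8' -e '\[::1\]/128' || true
}

# check_mynetworks FILE
# Return 0 when only loopback is trusted, 1 otherwise, so it can gate a
# config push or raise a cron alert.
check_mynetworks() {
    [ -z "$(offending_networks "$1")" ]
}

# dnsbl_query_name IPV4 ZONE
# Build the reversed-octet name a DNSBL is queried with, e.g.
#   62.49.1.2 zen.spamhaus.org -> 2.1.49.62.zen.spamhaus.org
# A listed address answers with a 127.0.0.x record:
#   host "$(dnsbl_query_name IP ZONE)"
# The lookup needs network access, so it is not run here.
dnsbl_query_name() {
    echo "$1" | awk -F. -v zone="$2" '{ print $4 "." $3 "." $2 "." $1 "." zone }'
}

# Demonstration on the constructed fragments; on a real box pass /etc/postfix/main.cf.
W=$(mktemp); F=$(mktemp)
printf '%s\n' "$WEAK_MAIN_CF" > "$W"
printf '%s\n' "$FIXED_MAIN_CF" > "$F"
echo "weak main.cf relays for:"; offending_networks "$W"
check_mynetworks "$F" && echo "fixed main.cf: only loopback is trusted"
echo "DNSBL query name: $(dnsbl_query_name 62.49.1.2 zen.spamhaus.org)"
rm -f "$W" "$F"
```

`postconf -h mynetworks` on the server prints the value Postfix is actually using, including the default computed from `mynetworks_style` when main.cf does not set the parameter at all; feed its output through `offending_networks` on a temporary file if the config is spread over include tables.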