SwOsHiE, 3rd August 2011, 11:40
Someone trying to hack my servers?

Hello,

I'm getting a lot of info from logwatch that different services like mail, dns, apache and others are answering wrong password or access denied for different IP addresses all over the world, is someone trying to hack my servers?

Is there a way to autoblock these IP addresses if they try to access something more than 20 times or something like that?

A copy/paste of some information from logwatch:

Dovecot:
dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<web10p4>, method=PLAIN, rip=94.76.204.66, lip=192.168.10.10: 3 Time(s)
(repeats about MANY times in the mail)

Apache:
Requests with error response codes
404 Not Found
//./scripts/setup.php: 1 Time(s)
//Myphp/scripts/setup.php: 1 Time(s)
//_db/scripts/setup.php: 1 Time(s)
//_dbadmin/scripts/setup.php: 1 Time(s)
//_myadmin/scripts/setup.php: 1 Time(s)
//_myphp/scripts/setup.php: 1 Time(s)
//_php/scripts/setup.php: 1 Time(s)
//_phpadmin/scripts/setup.php: 1 Time(s)
//_phpmyadmin/scripts/setup.php: 1 Time(s)
//_sql/scripts/setup.php: 1 Time(s)
//admin/my/scripts/setup.php: 1 Time(s)
//admm/scripts/setup.php: 1 Time(s)
//admn/scripts/setup.php: 1 Time(s)
//databaseadmin/scripts/setup.php: 1 Time(s)
//db/scripts/setup.php: 1 Time(s)
//dbadmin/scripts/setup.php: 1 Time(s)
//my-php/scripts/setup.php: 1 Time(s)
and so on..

Pam_unix begin:
dovecot:
Authentication Failures:
test rhost=78.186.248.28 : 16 Time(s)
web10p1 rhost=94.76.204.66 : 16 Time(s)
web10p10 rhost=94.76.204.66 : 16 Time(s)
web10p2 rhost=94.76.204.66 : 16 Time(s)
web10p3 rhost=94.76.204.66 : 16 Time(s)
web10p4 rhost=94.76.204.66 : 16 Time(s)
web10p5 rhost=94.76.204.66 : 16 Time(s)
web10p7 rhost=94.76.204.66 : 16 Time(s)
web10p8 rhost=94.76.204.66 : 16 Time(s)
web10p9 rhost=94.76.204.66 : 16 Time(s)
web10p6 rhost=94.76.204.66 : 8 Time(s)
web11p1 rhost=94.76.204.66 : 8 Time(s)
web11p10 rhost=94.76.204.66 : 8 Time(s)
web11p2 rhost=94.76.204.66 : 8 Time(s)
web11p3 rhost=94.76.204.66 : 8 Time(s)
web11p4 rhost=94.76.204.66 : 8 Time(s)
web11p5 rhost=94.76.204.66 : 8 Time(s)
and so on..

Postfix:
SASL Authenticated messages from: 1 Host(s), 5 Time(s)

Relaying denied: 2 Time(s)

Connections lost:
Connection lost while CONNECT : 289 Time(s)
Connection lost while RCPT : 1 Time(s)


Unrecognized warning:
non-SMTP command from unknown[173.226.228.88]: GET / HTTP/1.1 : 1 Time(s)


Connections (secure-log) Begin:


**Unmatched Entries**
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
Rootkit Hunter: Rootkit hunter check started (version 1.3.8)
Rootkit Hunter: Scanning took 1 minute and 7 seconds
Rootkit Hunter: Please inspect this machine, because it may be infected.

(How do you look for infected files in rootkit?)

Sendmail begin:

**Unmatched Entries**
STARTTLS=client, relay=[127.0.0.1], field=cn_issuer, status=failed to extract CN: 5 Time(s)
STARTTLS=client, relay=[127.0.0.1], field=cn_subject, status=failed to extract CN: 5 Time(s)


Is this a common thing for a webhosting server? Is it unsafe to NOT do anything?

Best regards,
Mattias
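
The per-IP counting the post asks about, as an added example that is not part of the original post: it parses the two logwatch summary formats quoted above (the Dovecot "auth failed" lines and the pam_unix "Authentication Failures" lines) and lists source addresses with more than 20 failed logins. The function names, the allowlist parameter and the sample report, which uses documentation-range addresses, are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the two logwatch summary formats quoted in the post.
SAMPLE_REPORT = """\
dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<web10p4>, method=PLAIN, rip=203.0.113.5, lip=192.168.10.10: 3 Time(s)
test rhost=198.51.100.7 : 16 Time(s)
web10p1 rhost=203.0.113.5 : 16 Time(s)
web10p2 rhost=203.0.113.5 : 16 Time(s)
web10p6 rhost=203.0.113.5 : 8 Time(s)
Connection lost while CONNECT : 289 Time(s)
"""

# Dovecot section: "auth failed ... user=<name> ... rip=<ip>, ...: N Time(s)"
DOVECOT_RE = re.compile(
    r"auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[0-9a-fA-F.:]+),"
    r".*?:\s*(?P<n>\d+) Time\(s\)")
# pam_unix section: "<user> rhost=<ip> : N Time(s)"
PAM_RE = re.compile(r"^\s*(?P<user>\S+) rhost=(?P<ip>\S+)\s*:\s*(?P<n>\d+) Time\(s\)")


def summarize(report):
    """Return {ip: {"failures": int, "users": set}} from logwatch summary text."""
    per_source = defaultdict(lambda: defaultdict(int))  # ip -> section -> count
    users = defaultdict(set)
    for line in report.splitlines():
        for source, rx in (("dovecot", DOVECOT_RE), ("pam", PAM_RE)):
            m = rx.search(line)
            if m:
                per_source[m["ip"]][source] += int(m["n"])
                users[m["ip"]].add(m["user"])
                break
    # Both sections can describe the same login attempts, so use the larger
    # per-section total rather than adding the two together.
    return {ip: {"failures": max(src.values()), "users": users[ip]}
            for ip, src in per_source.items()}


def block_candidates(report, max_failures=20, allowlist=()):
    """IPs with more than max_failures failed logins, minus allowlisted ones."""
    stats = summarize(report)
    return sorted(ip for ip, s in stats.items()
                  if s["failures"] > max_failures and ip not in allowlist)
```

The number of distinct usernames per address in `summarize()` separates a single mistyped password from a run through many account names, as in the `web10p1`, `web10p2`, ... sequence above. Keep your own management addresses on the allowlist before acting on the returned list.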