#1  
Old 17th May 2013, 15:23
dynamind
Member
 
Join Date: Mar 2011
Location: Mödling bei Wien
Posts: 62
Thanks: 21
Thanked 9 Times in 6 Posts
Default Server hacked?

Hello,

I found some curious logs in the fail2ban protocol:

2013-05-15 06:29:53,256 fail2ban.actions: WARNING [courierpop3] Ban 202.120.188.118
2013-05-15 06:29:53,263 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-courierpop3 returned 100
2013-05-15 06:29:53,263 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2013-05-15 06:29:53,270 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports pop3 -j fail2ban-courierpop3
iptables -F fail2ban-courierpop3
iptables -X fail2ban-courierpop3 returned 100
2013-05-15 06:39:53,975 fail2ban.actions: WARNING [courierpop3] Unban 202.120.188.118
2013-05-15 09:07:32,127 fail2ban.actions: WARNING [courierpop3] Ban 88.190.235.247
2013-05-15 09:17:32,798 fail2ban.actions: WARNING [courierpop3] Unban 88.190.235.247
2013-05-15 13:04:08,233 fail2ban.actions: WARNING [pureftpd] Ban 200.72.11.132
2013-05-15 13:04:08,240 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-pureftpd returned 100
2013-05-15 13:04:08,240 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2013-05-15 13:04:08,250 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ftp -j fail2ban-pureftpd
iptables -F fail2ban-pureftpd
iptables -X fail2ban-pureftpd returned 100
2013-05-15 13:14:08,965 fail2ban.actions: WARNING [pureftpd] Unban 200.72.11.132
2013-05-15 13:15:31,074 fail2ban.actions: WARNING [pureftpd] Ban 200.72.11.132
2013-05-15 13:25:31,863 fail2ban.actions: WARNING [pureftpd] Unban 200.72.11.132
2013-05-15 13:27:09,992 fail2ban.actions: WARNING [pureftpd] Ban 200.72.11.132
2013-05-15 13:37:10,681 fail2ban.actions: WARNING [pureftpd] Unban 200.72.11.132
2013-05-15 13:38:50,818 fail2ban.actions: WARNING [pureftpd] Ban 200.72.11.132
2013-05-15 13:48:51,542 fail2ban.actions: WARNING [pureftpd] Unban 200.72.11.132
2013-05-16 06:25:09,646 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2013-05-16 16:29:48,835 fail2ban.actions: WARNING [pureftpd] Ban 27.153.248.57
2013-05-16 16:39:49,620 fail2ban.actions: WARNING [pureftpd] Unban 27.153.248.57
2013-05-17 06:25:47,532 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2013-05-17 08:24:00,508 fail2ban.actions: WARNING [courierpop3] Ban 109.224.8.18
2013-05-17 08:24:00,533 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-courierpop3 returned 100
2013-05-17 08:24:00,536 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2013-05-17 08:24:00,555 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports pop3 -j fail2ban-courierpop3
iptables -F fail2ban-courierpop3
iptables -X fail2ban-courierpop3 returned 100
2013-05-17 08:34:01,221 fail2ban.actions: WARNING [courierpop3] Unban 109.224.8.18


I don't know WHO is executing

iptables -F fail2ban-courierpop3
iptables -X fail2ban-courierpop3 returned 100

but it's not me. Looks like someone is trying to flush the iptables rules.
Also, I found my server/IP on some mail server blacklists, but as I don't send spam
or mailings from this server I can't imagine why I got on a blacklist.

Any ideas?

Best regards

PS: I've upgraded to Debian Wheezy this weekend using your new howto. Should I stop and remove telnet?

Last edited by dynamind; 17th May 2013 at 15:40.
  #2  
Old 18th May 2013, 08:31
falko
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,747 Times in 2,578 Posts
 
Default

Quote:
Originally Posted by dynamind View Post
I don't know WHO is executing

iptables -F fail2ban-courierpop3
iptables -X fail2ban-courierpop3 returned 100

but it's not me.
It's fail2ban.

Quote:
Originally Posted by dynamind View Post
Also, I found my server/IP on some mail server blacklists, but as I don't send spam
or mailings from this server I can't imagine why I got on a blacklist.

Any ideas?
The blacklists should give you a reason why your server is blacklisted. Sometimes it happens just because you are in the same subnet as another server that is sending spam.
__________________
Falko