Web Hosting Talk

Active System Attack - Should I be worried about this...


WildWayz
10-12-2001, 01:21 AM
I noticed before I got this server at ServerHost, I had loads of these emails, then the server went ape and I got a totally new one.

Looking at this log I just got, it looks like someone is hammering the server - anything I can do to stop it?



Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Oct 11 04:55:19 insomnia portsentry[1304]: attackalert: Connect from host: s105-102.pixelweb.net/209.5.105.102 to TCP port: 111
... <loads more of these>


Security Violations
=-=-=-=-=-=-=-=-=-=
Oct 11 04:25:08 insomnia named: named shutdown failed
Oct 11 04:25:08 insomnia named: named shutdown failed
Oct 11 04:55:19 insomnia portsentry[1304]: attackalert: Connect from host: s105-102.pixelweb.net/209.5.105.102 to TCP port: 111
.... <loads more of these>

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Oct 11 04:08:04 insomnia proftpd[11113]: insomnia.pcnoc.net (insomnia.pcnoc.net[127.0.0.1]) - FTP session opened.
Oct 11 04:16:36 insomnia proftpd[11197]: insomnia.pcnoc.net (insomnia.pcnoc.net[127.0.0.1]) - FTP session opened.
Oct 11 04:22:51 insomnia kernel: Out of Memory: Killed process 10337 (httpd).
Oct 11 04:22:55 insomnia kernel: Out of Memory: Killed process 10338 (httpd).
Oct 11 04:22:58 insomnia kernel: Out of Memory: Killed process 10339 (httpd).
Oct 11 04:23:10 insomnia kernel: Out of Memory: Killed process 10341 (httpd).
Oct 11 04:23:15 insomnia kernel: Out of Memory: Killed process 10390 (httpd).
Oct 11 04:23:21 insomnia kernel: Out of Memory: Killed process 10340 (httpd).
Oct 11 04:23:28 insomnia kernel: Out of Memory: Killed process 996 (mysqld).
Oct 11 04:23:35 insomnia kernel: Out of Memory: Killed process 1310 (mysqld).
Oct 11 04:23:37 insomnia kernel: Out of Memory: Killed process 1312 (mysqld).
Oct 11 04:23:38 insomnia kernel: Out of Memory: Killed process 1592 (named).
Oct 11 04:23:38 insomnia kernel: Out of Memory: Killed process 1595 (named).
Oct 11 04:23:38 insomnia kernel: Out of Memory: Killed process 1596 (named).
Oct 11 04:23:38 insomnia kernel: Out of Memory: Killed process 1597 (named).
Oct 11 04:23:38 insomnia kernel: Out of Memory: Killed process 1598 (named).
Oct 11 04:23:51 insomnia kernel: Out of Memory: Killed process 10243 (perl).
Oct 11 04:25:08 insomnia named[11714]: using 1 CPU
Oct 11 04:25:08 insomnia named[11718]: loading configuration from '/etc/named.conf'
Oct 11 04:25:08 insomnia named[11718]: the default for the 'auth-nxdomain' option is now 'no'
Oct 11 04:25:08 insomnia named[11718]: no IPv6 interfaces found
Oct 11 04:25:08 insomnia named[11718]: listening on IPv4 interface lo, 127.0.0.1#53
Oct 11 04:25:08 insomnia named[11718]: listening on IPv4 interface eth0, 209.51.136.157#53
Oct 11 04:25:08 insomnia named[11718]: listening on IPv4 interface eth0:1, 209.51.136.170#53
Oct 11 04:25:08 insomnia named[11718]: listening on IPv4 interface eth0:2, 209.51.136.171#53
Oct 11 04:25:08 insomnia named[11718]: listening on IPv4 interface eth0:3, 209.51.136.172#53
Oct 11 04:25:08 insomnia named[11718]: listening on IPv4 interface eth0:4, 209.51.136.173#53
Oct 11 04:25:08 insomnia named[11718]: listening on IPv4 interface eth0:5, 209.51.136.174#53
Oct 11 04:25:08 insomnia named[11718]: listening on IPv4 interface eth0:6, 209.51.136.175#53
Oct 11 04:25:08 insomnia named[11718]: listening on IPv4 interface eth0:7, 209.51.136.176#53
Oct 11 04:25:08 insomnia named[11718]: command channel listening on 127.0.0.1#953
Oct 11 04:25:08 insomnia named[11718]: running
Oct 11 04:25:18 insomnia proftpd[11899]: insomnia.pcnoc.net (insomnia.pcnoc.net[127.0.0.1]) - FTP session opened.
Oct 11 04:55:19 insomnia portsentry[1304]: attackalert: Connect from host: s105-102.pixelweb.net/209.5.105.102 to TCP port: 111
Oct 11 04:55:24 insomnia portsentry[1304]: attackalert: Connect from host: s105-102.pixelweb.net/209.5.105.102 to TCP port: 111
Oct 11 04:55:24 insomnia portsentry[1304]: attackalert: Host:
Oct 11 04:55:54 insomnia portsentry[1304]: attackalert: Host: 209.5.105.102 is already blocked. Ignoring
Oct 11 12:44:22 insomnia proftpd[17873]: 209.51.136.171 (host213-1-132-12.btinternet.com[213.1.132.12]) - FTP session opened.
Oct 11 12:44:23 insomnia proftpd[17873]: PAM-listfile: Couldn't open /etc/ftpusers
Oct 11 12:45:33 insomnia proftpd[17878]: 209.51.136.171 (host213-1-132-12.btinternet.com[213.1.132.12]) - FTP session opened.
Oct 11 12:45:34 insomnia proftpd[17878]: PAM-listfile: Couldn't open /etc/ftpusers
Oct 11 16:23:34 insomnia proftpd[20437]: insomnia.pcnoc.net (host213-1-178-169.btinternet.com[213.1.178.169]) - FTP session opened.
Oct 11 16:23:34 insomnia proftpd[20437]: PAM-listfile: Couldn't open /etc/ftpusers
Oct 11 20:53:02 insomnia proftpd[23685]: insomnia.pcnoc.net (host213-1-167-119.btinternet.com[213.1.167.119]) - FTP session opened.
Oct 11 20:53:03 insomnia proftpd[23685]: PAM-listfile: Couldn't open /etc/ftpusers
Oct 11 21:10:47 insomnia sshd[23812]: Accepted password for admin from 212.126.138.32 port 4472
Oct 11 21:10:47 insomnia sshd[23812]: packet_set_maxsize: setting to 4096
Oct 11 21:10:51 insomnia su(pam_unix)[23841]: session opened for user root by admin(uid=500)
Oct 11 21:50:50 insomnia su(pam_unix)[23841]: session closed for user root
Oct 11 23:47:55 insomnia sshd[25427]: Accepted password for admin from 212.126.138.32 port 1057
Oct 11 23:47:55 insomnia sshd[25427]: packet_set_maxsize: setting to 4096
Oct 12 01:27:15 insomnia portsentry[1304]: attackalert: Connect from host: mail2.compassnet.com/198.66.160.7 to TCP port: 111
Oct 12 01:27:15 insomnia portsentry[1304]: attackalert: Host: 198.66.160.7 is already blocked. Ignoring
Oct 12 01:27:20 insomnia portsentry[1304]: attackalert: Connect from host: mail2.compassnet.com/198.66.160.7 to TCP port: 111
Oct 12 01:27:20 insomnia portsentry[1304]: attackalert: Host: 198.66.160.7 is already blocked. Ignoring
Oct 12 01:27:25 insomnia portsentry[1304]: attackalert: Connect from host: mail2.compassnet.com/198.66.160.7 to TCP port: 111
Oct 12 01:27:25 insomnia portsentry[1304]: attackalert: Host: 198.66.160.7 is already blocked. Ignoring

There are _a lot_ of these entries:
insomnia portsentry[1304]: attackalert: Connect from host: s105-102.pixelweb.net/209.5.105.102 to TCP port: 111

Oct 12 01:27:00 insomnia portsentry[1304]: attackalert: Connect from host: mail2.compassnet.com/198.66.160.7 to TCP port: 111
Oct 12 01:27:00 insomnia portsentry[1304]: attackalert: Host: 198.66.160.7 is already blocked. Ignoring


Should I be worried?

--James
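A small shell triage of a log extract like the one above, added here as an example (not the poster's script or anything from the forum); the sample lines are copied from the post, and the function names are my own.

```shell
#!/bin/sh
# Shell triage of a syslog extract like the one in the post (added example,
# not the poster's script). The sample lines are copied from the post;
# function names are my own.
SAMPLE_LOG='Oct 11 04:22:51 insomnia kernel: Out of Memory: Killed process 10337 (httpd).
Oct 11 04:22:55 insomnia kernel: Out of Memory: Killed process 10338 (httpd).
Oct 11 04:23:28 insomnia kernel: Out of Memory: Killed process 996 (mysqld).
Oct 11 04:23:38 insomnia kernel: Out of Memory: Killed process 1592 (named).
Oct 11 04:55:19 insomnia portsentry[1304]: attackalert: Connect from host: s105-102.pixelweb.net/209.5.105.102 to TCP port: 111
Oct 11 04:55:24 insomnia portsentry[1304]: attackalert: Connect from host: s105-102.pixelweb.net/209.5.105.102 to TCP port: 111
Oct 11 04:55:54 insomnia portsentry[1304]: attackalert: Host: 209.5.105.102 is already blocked. Ignoring
Oct 11 21:10:47 insomnia sshd[23812]: Accepted password for admin from 212.126.138.32 port 4472
Oct 12 01:27:15 insomnia portsentry[1304]: attackalert: Connect from host: mail2.compassnet.com/198.66.160.7 to TCP port: 111
Oct 12 01:27:20 insomnia portsentry[1304]: attackalert: Connect from host: mail2.compassnet.com/198.66.160.7 to TCP port: 111
Oct 12 01:27:25 insomnia portsentry[1304]: attackalert: Connect from host: mail2.compassnet.com/198.66.160.7 to TCP port: 111'

# Connect attempts as "count ip port", busiest first. The "is already blocked"
# lines are PortSentry repeating itself about the same source, so they are skipped.
probe_counts() {
    awk '/portsentry.*attackalert: Connect from host:/ {
            split($0, a, "Connect from host: "); split(a[2], b, " to TCP port: ")
            n = split(b[1], h, "/"); count[h[n] " " b[2]]++
         }
         END { for (k in count) print count[k], k }' | sort -rn
}

# OOM-killer victims per process name: tells you whether the box fell over
# under load (httpd/mysqld) rather than because of the port-111 probes.
oom_counts() {
    awk '/kernel: Out of Memory: Killed process/ {
            name = $NF; gsub(/[().]/, "", name); count[name]++
         }
         END { for (k in count) print count[k], k }' | sort -rn
}

# Accepted sshd password logins as "user ip": confirm every one is yours.
accepted_logins() {
    awk '/sshd.*Accepted password for/ { print $9, $11 }'
}

echo "--- probes per source/port ---";   echo "$SAMPLE_LOG" | probe_counts
echo "--- OOM kills per process ---";    echo "$SAMPLE_LOG" | oom_counts
echo "--- accepted password logins ---"; echo "$SAMPLE_LOG" | accepted_logins
```

On a real box, replace the embedded sample with `cat /var/log/messages | probe_counts` and so on.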

loryans
10-22-2001, 12:17 PM
I would suggest that you put a firewall in front of your web server, and only limit the allowed incoming ports that you need.
For example, I doubt you need MySQL to be accessed from the Internet, but more so from localhost (your web server) - so this should be blocked off.

You should look into bandwidth throttling.
Perhaps set PortSentry to a higher level of sensitivity?

Also make sure that all your software is running the latest security patches - it appears that the crackers are going for buffer overflows.

Loryan

cperciva
10-22-2001, 12:20 PM
Someone was trying to run an RPC exploit on you. Firewall off port 111 -- for that matter, block all ports except 20-23,25,80,110 -- and laugh.

WildWayz
10-22-2001, 01:02 PM
Forgive my ignorance, but how do I block them?
(This is a Cpanel server)

James

cperciva
10-22-2001, 01:12 PM
To be honest, I have no clue. Ideally a 'preconfigured' system like that should come with a good firewall in place.

WildWayz
10-22-2001, 01:13 PM
It has Port Sentry which apparently puts those hackers on ignore.

--James

Dylan
10-22-2001, 10:52 PM
Damn, forgot what I was going to post. I think it had to do with the ports.

Umm... edit /etc/services, or was it /etc/inetd.conf, nay, it's /etc/inetd.conf, also stop all the chkconfig services.

Don't forget to kill.

Synergy
10-22-2001, 11:00 PM
Wildwayz,

your logs look the same as mine :bawling:

JTY
10-22-2001, 11:34 PM
It might be advisable to read up on ipchains/iptables firewalling... you could then lock down those ports.
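An iptables allow-list that puts cperciva's port list (20-23, 25, 80, 110) into practice the way JTY suggests. This is an added example, not code from either poster: it assumes iptables rather than ipchains, prints the rules by default so they can be reviewed, and applies them only when run as root with `apply`.

```shell
#!/bin/sh
# Allow-list input firewall for a single Linux host (added example, not from
# the thread). Assumes iptables rather than ipchains; the allowed TCP ports are
# the ones cperciva lists: 20-23, 25, 80, 110.
ALLOWED_TCP_PORTS="20 21 22 23 25 80 110"   # 23 (telnet) only because the post lists it
# The box in the thread also runs named on its public addresses; if it must
# answer queries for other hosts, add 53 here and a matching udp rule below.

# Emit the rules instead of running them so the policy can be reviewed
# (and tested) before it touches a live box. Order matters: the ACCEPT rules
# go in before the DROP policy so an open ssh session is not cut off.
firewall_rules() {
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $ALLOWED_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Keep a rate-limited trace of the portmapper probes seen in the post,
    # then let the default policy drop them along with everything else.
    for proto in tcp udp; do
        echo "iptables -A INPUT -p $proto --dport 111 -m limit --limit 5/min -j LOG --log-prefix \"rpc-probe: \""
    done
    echo "iptables -P INPUT DROP"
}

# Exit status 0 if new connections to TCP port $1 would be accepted.
port_allowed() {
    firewall_rules | grep -q -- "--dport $1 -m state --state NEW -j ACCEPT"
}

case "${1:-show}" in
    apply) firewall_rules | sh -e ;;   # run as root on the server itself
    *)     firewall_rules ;;           # default: print the rules for review
esac
```

Check with `./firewall.sh | less` first; a typo in an allow-list that ends in `-P INPUT DROP` locks you out of the box.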

WildWayz
10-23-2001, 01:09 AM
Thanks all

Will look into it more :D

--James

SnoTurtle
10-23-2001, 04:21 PM
At least you have your serverhost server up :(