Web Hosting Talk

Help! Server seems to be hacked.


NightMan
04-20-2002, 05:53 PM
Hi, we received a mail regarding a hacking attempt from our server. We do not provide SSH or telnet on our server, but it seems someone was able to hack our servers and attempt to hack other computers on the net.

Can anyone tell me anything I can do to stop this? I checked all "places" on the server but found nothing. Since I am not a security expert, I need some assistance. Anyone have any suggestions?

Here is the mail I received from a person.
----------------------
As indicated below, a seemingly invalid access attempt to my computer (xxx.xxx.xxx.xxx) was initiated from an IP address (xxx.xxx.xxx.xxx) on your network recently (or at least from the network on which you are identified as the network administrator).

The attempt was detected by the personal firewall running on my machine,
and I am quite concerned about it.

If you are in fact responsible for this network, please do the following:

1) Research the access attempt(s),
2) Inform the responsible parties to discontinue access attempts,
3) Reply to me with your findings.

If you are not responsible for this network, please forward this message
to the person who is, or, if you do not know who this person is, please
get back to me with that information as well. Thank you.

The access attempt(s) are shown below, including the date and time, port
number, TCP or UDP indicator, and, if known, a service name associated
with the port.

Sam, 20 avr 2002 20:07:18, Port 22, TCP, Secure Shell/pcAnywhere

The times shown above are expressed in my local time zone, which is
Greenwich Mean Time +2 hours.

DanielP
04-20-2002, 06:28 PM
Um... well, you don't need telnet/shell to hack remotely; a PHP/Perl script can do that from a web interface. Secondly, the guy tried to connect to port 22.... it could be something as simple as him mistyping the IP he was trying to connect to, so I wouldn't over-react, but I would keep an eye out for other complaints and do a quick sweep of your system for any odd background running processes.

palmtree
04-20-2002, 09:29 PM
I would also see if this "attack" just happened once, or if it is still happening. If there are not numerous attempts, I would also have to agree it could have been a mistake. Better to be safe than sorry though ;)

Laterz,
palmtree

rfxn
04-20-2002, 10:34 PM
There are many scenarios to this situation that could be playing out right under your nose.

For instance, you could be cracked (hacked?) and someone has backdoored (trojaned?) your server in such a way as to hide their presence (typically via replacement of system binaries with modified ones).

Or from another perspective, it's very possible that someone could craft a PHP or Perl script to launch attacks on remote hosts (you do have PHP safe mode enabled, right?).

Whatever the case may be, you have to take an objective look at every aspect of your server and verify the integrity of all data on the server (all users as well?). If you'd like, you're welcome to contact me and I can help you track down the source of this issue, or visit my site http://www.r-fx.net (excuse the lack of news updates :).

bitserve
04-21-2002, 02:25 AM
It's odd that this anonymous person is concerned about someone attempting to ssh to his machine from your network.

If he sends a notice every time someone attempts to access a service on his machine, he must be pretty busy.

Anyway, there are "worms" that spread themselves through various root exploits. Your infected machine could be scanning other networks, looking to spread. Or some individual could have rooted you and be scanning for vulnerabilities.

Or one of your trusted users could have accidentally typed in the wrong IP address when sshing out, as others have said.

You haven't even said what OS you're running. Windows? UNIX?

NightMan
04-21-2002, 03:05 AM
No, it seems to be someone on our server; we already got 3 complaints from different people. I am not an expert in Linux security things. Can anyone give step-by-step help? Please...

NightMan
04-21-2002, 03:14 AM
I am using Red Hat 7.0 with Plesk 1.3.1. I was about to upgrade, but this happened before...

Magic
04-21-2002, 04:50 AM
If you're not an expert in security, then you need to hire an admin who is. You can't rely on a 'step-by-step' guide when it comes to security issues.

NightMan
04-21-2002, 04:52 AM
Yes, I got someone else to look into that. Thanks.
But I still want to know which files I have to look into...

priyadi
04-21-2002, 08:11 AM
If you are absolutely sure your server has been cracked, then I think you should reinstall the server from scratch. The bad guy could have had the opportunity to insert a backdoor into some system files. It is rather hard to determine which files have been altered if you don't use something like Tripwire.

On the other hand, RPM has a database of the MD5 of every file it installed. You should do some verification to get a list of altered files. But then again, if the attacker had the ability to alter system files, then he also had the ability to update your RPM database.
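As an added example (not code posted in the thread), a small Python script that reads "rpm -Va" verification output and ranks the changed files, treating a binary whose MD5 changed while its mtime did not as the most suspicious case, since that is what a replaced system binary with a restored timestamp looks like. The sample output is constructed; to sidestep the caveat about a tampered RPM database, the same script can be fed the output of "rpm -Vp package.rpm", which verifies against a known-good package file instead.

```python
import sys

# Constructed sample of `rpm -Va` output (not from the thread). Each line is
# eight result flags (S size, M mode, 5 MD5 digest, D device, L symlink,
# U user, G group, T mtime; '.' = unchanged), an optional file class
# ('c' = config file), then the path. Owned files that are gone show "missing".
SAMPLE_RPM_VA = """\
S.5....T   /bin/ls
..5.....   /bin/ps
..5....T c /etc/passwd
.M......   /usr/bin/passwd
missing    /usr/bin/netstat
"""

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

def parse_rpm_verify(text):
    """Parse `rpm -V` output into (path, flags, file_class) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # blank line or rpm chatter, not a file result
        file_class = parts[1] if len(parts) >= 3 and len(parts[1]) == 1 else None
        entries.append((parts[-1], parts[0], file_class))
    return entries

def triage(entries):
    """Rank each changed file by how much it looks like a replaced system binary."""
    findings = []
    for path, flags, file_class in entries:
        if flags == "missing":
            findings.append((path, "file removed", "HIGH"))
            continue
        md5_changed, mtime_changed, mode_changed = flags[2] == "5", flags[7] == "T", flags[1] == "M"
        if file_class == "c":
            finding = ("config edited", "LOW")  # expected on a live server
        elif md5_changed and not mtime_changed:
            finding = ("content replaced, mtime restored", "HIGH")  # classic trojaned binary
        elif md5_changed:
            finding = ("content changed", "MEDIUM")
        elif mode_changed:
            finding = ("permissions changed", "MEDIUM")
        else:
            finding = ("metadata only", "LOW")
        findings.append((path,) + finding)
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[2]])

if __name__ == "__main__":
    # Usage: rpm -Va | python this_script.py   (or rpm -Vp pkg.rpm | ...)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_VA
    for path, reason, severity in triage(parse_rpm_verify(text)):
        print("%-6s %-34s %s" % (severity, reason, path))
```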