I think my server was hacked!???

This thread in the forum "Allgemein" was started by Sigix, 15 Oct 2010.

  1. Sigix

    Sigix Member

    Hi everyone,

    I don't know whether these are just log entries or attack attempts, or whether someone is already rampaging on my server!???

    I have a few log entries that I don't like!
    Here are the log entries:

    fail2ban log:

    2010-10-14 19:04:48,493 fail2ban.actions: WARNING [ssh] Ban 61.240.36.1
    2010-10-14 19:14:48,541 fail2ban.actions: WARNING [ssh] Unban 61.240.36.1
    2010-10-14 19:28:59,556 fail2ban.actions: WARNING [ssh] Ban 180.210.26.53
    2010-10-14 19:38:59,572 fail2ban.actions: WARNING [ssh] Unban 180.210.26.53
    2010-10-14 22:23:32,596 fail2ban.actions: WARNING [ssh] Ban 218.93.116.166
    2010-10-14 22:33:32,612 fail2ban.actions: WARNING [ssh] Unban 218.93.116.166
    2010-10-15 00:09:20,791 fail2ban.actions: WARNING [ssh] Ban 190.152.99.19
    2010-10-15 00:19:20,803 fail2ban.actions: WARNING [ssh] Unban 190.152.99.19
    2010-10-15 00:50:08,819 fail2ban.actions: WARNING [ssh] Ban 180.210.26.53
    2010-10-15 01:00:08,831 fail2ban.actions: WARNING [ssh] Unban 180.210.26.53

    ClamAV log
    Fri Oct 15 00:36:30 2010 -> SelfCheck: Database status OK.
    Fri Oct 15 01:16:37 2010 -> /var/lib/amavis/tmp/amavis-20101015T004858-31641/parts/p005: Suspect.Trojan.Generic.FD-4(ed691cabda1bc5f8447d747558f8b64e:60928) FOUND
    Fri Oct 15 01:36:50 2010 -> SelfCheck: Database status OK.
    Fri Oct 15 02:38:41 2010 -> SelfCheck: Database status OK.
    Fri Oct 15 03:41:21 2010 -> SelfCheck: Database status OK.
    Fri Oct 15 04:44:58 2010 -> SelfCheck: Database status OK.
    Fri Oct 15 05:05:29 2010 -> /var/lib/amavis/tmp/amavis-20101015T044612-04083/parts/p005: Suspect.Trojan.Generic.FD-4(ed691cabda1bc5f8447d747558f8b64e:60928) FOUND
    Fri Oct 15 05:07:29 2010 -> /var/lib/amavis/tmp/amavis-20101015T042049-03506/parts/p005: Suspect.Trojan.Generic.FD-4(ed691cabda1bc5f8447d747558f8b64e:60928) FOUND
    Fri Oct 15 05:52:19 2010 -> SelfCheck: Database modification detected. Forcing reload.
    Fri Oct 15 05:52:20 2010 -> Reading databases from /var/lib/clamav
    Fri Oct 15 05:52:31 2010 -> Database correctly reloaded (843369 signatures)
    Fri Oct 15 06:28:58 2010 -> /var/lib/amavis/tmp/amavis-20101015T051504-04604/parts/p006: Suspect.Trojan.Generic.FD-4(ed691cabda1bc5f8447d747558f8b64e:60928) FOUND
    Fri Oct 15 06:28:58 2010 -> /var/lib/amavis/tmp/amavis-20101015T051504-04604/parts/p005: Suspect.Trojan.Generic.FD-4(ed691cabda1bc5f8447d747558f8b64e:60928) FOUND
    Fri Oct 15 06:54:10 2010 -> SelfCheck: Database status OK.
    Fri Oct 15 07:54:14 2010 -> SelfCheck: Database status OK.
    Fri Oct 15 08:54:34 2010 -> SelfCheck: Database status OK.
    Fri Oct 15 09:54:48 2010 -> SelfCheck: Database status OK.
    Fri Oct 15 10:19:07 2010 -> /var/lib/amavis/tmp/amavis-20101015T101215-28125/parts/p005: Suspect.Trojan.Generic.FD-4(ed691cabda1bc5f8447d747558f8b64e:60928) FOUND

    ISPC cron log
    tail: write error: Broken pipe
    tail: write error: Broken pipe
    tail: write error: Broken pipe

    System log
    Oct 15 10:15:01 mail1 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Oct 15 10:15:01 mail1 pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Oct 15 10:19:12 mail1 pure-ftpd: (?@189.44.80.3) [INFO] New connection from 189.44.80.3
    Oct 15 10:19:13 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
    Oct 15 10:19:15 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
    Oct 15 10:19:21 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
    Oct 15 10:19:23 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
    Oct 15 10:19:30 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
    Oct 15 10:19:32 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
    Oct 15 10:19:44 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
    Oct 15 10:19:47 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
    Oct 15 10:20:01 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
    Oct 15 10:20:01 mail1 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Oct 15 10:20:01 mail1 pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Oct 15 10:20:02 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
    Oct 15 10:20:18 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
    Oct 15 10:20:21 mail1 pure-ftpd: (?@189.44.80.3) [INFO] New connection from 189.44.80.3
    Oct 15 10:20:21 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
    Oct 15 10:20:23 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
    Oct 15 10:20:28 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
    Oct 15 10:20:30 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
    Oct 15 10:20:39 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
    Oct 15 10:20:41 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
    Oct 15 10:20:52 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
    Oct 15 10:20:54 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
    Oct 15 10:21:08 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
    Oct 15 10:21:10 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
    Oct 15 10:21:26 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
    Oct 15 10:21:28 mail1 pure-ftpd: (?@189.44.80.3) [INFO] New connection from 189.44.80.3
    Oct 15 10:21:29 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
    Oct 15 10:21:31 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
    Oct 15 10:21:36 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
    Oct 15 10:21:37 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
    Oct 15 10:21:46 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
    Oct 15 10:21:48 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
    Oct 15 10:21:59 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
    Oct 15 10:22:00 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
    Oct 15 10:22:13 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
    Oct 15 10:22:15 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
    Oct 15 10:22:31 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
    Oct 15 10:22:34 mail1 pure-ftpd: (?@189.44.80.3) [INFO] New connection from 189.44.80.3
    Oct 15 10:22:35 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
    Oct 15 10:22:37 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]

    Mail warn log
    Oct 15 09:46:20 mail1 postfix/smtpd[27053]: warning: 115.111.47.226: hostname 115.111.47.226.static-delhi.vsnl.net.in verification failed: Name or service not known
    Oct 15 09:46:32 mail1 postfix/smtpd[27053]: warning: 113.167.168.45: address not listed for hostname localhost
    Oct 15 09:47:26 mail1 postfix/smtpd[27053]: warning: 113.167.231.194: address not listed for hostname localhost
    Oct 15 09:50:40 mail1 postfix/smtpd[27259]: warning: 89.122.125.251: hostname adsl89-122-125-251.romtelecom.net verification failed: Name or service not known
    Oct 15 09:58:16 mail1 postfix/smtpd[27259]: warning: 59.180.186.50: hostname triband-del-59.180.186.50.bol.net.in verification failed: Name or service not known
    Oct 15 10:01:10 mail1 postfix/smtpd[27670]: warning: 41.248.245.37: hostname static41-37-244-248-244.adsl41-16.iam.net.ma verification failed: Name or service not known
    Oct 15 10:05:59 mail1 postfix/smtpd[27830]: warning: 60.223.247.120: address not listed for hostname 120.247.223.60.adsl-pool.sx.cn
    Oct 15 10:07:39 mail1 postfix/smtpd[27670]: warning: 95.215.49.13: hostname pool-95-215-49-13.optima-east.net verification failed: Name or service not known
    Oct 15 10:16:15 mail1 postfix/smtpd[28286]: warning: 122.201.22.62: hostname com22-62.mcscom.mn verification failed: Name or service not known
    Oct 15 10:18:57 mail1 postfix/smtpd[28286]: warning: 122.164.32.208: hostname ABTS-TN-dynamic-208.32.164.122.airtelbroadband.in verification failed: Name or service not known
    Oct 15 10:26:48 mail1 postfix/smtpd[28644]: warning: 118.96.66.246: hostname 246.subnet118-96-66.astinet.telkom.net.id verification failed: Name or service not known
    Oct 15 10:26:52 mail1 postfix/smtpd[28286]: warning: 217.12.245.74: hostname host-74.217-12-245.rr.net21.ru verification failed: Name or service not known
    Oct 15 10:27:56 mail1 postfix/smtpd[28286]: warning: 221.135.126.74: hostname 221-135-126-74.sify.net verification failed: Name or service not known
    Oct 15 10:29:40 mail1 postfix/smtpd[28830]: warning: 113.190.218.192: address not listed for hostname localhost
    Oct 15 10:30:38 mail1 postfix/smtpd[28893]: warning: 112.135.104.253: hostname SLT-BB-CUST.slt.lk verification failed: Name or service not known
    Oct 15 10:33:17 mail1 postfix/smtpd[28830]: warning: 210.89.32.145: hostname Static-32-145.pacenet-india.com verification failed: Name or service not known
    Oct 15 10:37:42 mail1 postfix/smtpd[29058]: warning: 93.182.238.152: hostname 152.238.182-93.rev.gaoland.net verification failed: Name or service not known
    Oct 15 10:38:06 mail1 postfix/smtpd[28830]: warning: 113.168.25.78: address not listed for hostname localhost


    Mail queue is empty


    Can anyone help me with this????
    The entry that worries me is the following one in the system log:
    "Oct 15 10:19:12 mail1 pure-ftpd: (?@189.44.80.3) [INFO] New connection from 189.44.80.3"

    I don't know this IP!

    Please help, ... thanks!
     
  2. Till

    Till Administrator

    That's all fine, your server was not hacked, or at least nothing in the logs points to that. These are the usual attempts by script kiddies and bots. That's exactly why antivirus software and fail2ban are installed.

    "New connection" only means that someone connected to the server or scanned the port, not that they were also able to log in.
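    To make Till's point checkable rather than a matter of eyeballing the log, the following added example (not code from the thread or from pure-ftpd/ISPConfig) parses pure-ftpd syslog lines and, per remote IP, counts connections, authentication failures and successful logins, so that a "New connection" without a matching login stands out as noise. The sample lines for 127.0.0.1 and 189.44.80.3 are copied from the system log above; the 192.0.2.10 lines and its "alice is now logged in" message are constructed, and the pattern used to recognise a successful login is an assumption about pure-ftpd's log format.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# One pure-ftpd syslog line: "<ts> <host> pure-ftpd: (<user>@<ip>) [<LEVEL>] <message>"
PUREFTPD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pure-ftpd: "
    r"\((?P<user>[^@]*)@(?P<ip>[^)]+)\) \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Authentication failed for user \[(?P<user>[^\]]*)\]")
# Assumption: pure-ftpd logs a successful login as "<user> is now logged in".
LOGGED_IN_RE = re.compile(r"(?P<user>\S+) is now logged in")

# Constructed sample: first seven lines copied from the thread's system log,
# the 192.0.2.10 lines are made up to show what a real login would look like.
SAMPLE_LINES = """\
Oct 15 10:15:01 mail1 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Oct 15 10:15:01 mail1 pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Oct 15 10:19:12 mail1 pure-ftpd: (?@189.44.80.3) [INFO] New connection from 189.44.80.3
Oct 15 10:19:13 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:19:15 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:19:23 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:19:32 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:25:00 mail1 pure-ftpd: (?@192.0.2.10) [INFO] New connection from 192.0.2.10
Oct 15 10:25:02 mail1 pure-ftpd: (alice@192.0.2.10) [INFO] alice is now logged in
""".splitlines()


@dataclass
class IpStats:
    connections: int = 0
    auth_failures: int = 0
    logins: int = 0
    users_tried: set = field(default_factory=set)


def parse_line(line):
    """Return the named groups of a pure-ftpd line, or None for any other line."""
    m = PUREFTPD_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Per remote IP: how often it connected, failed to authenticate and logged in."""
    stats = defaultdict(IpStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a pure-ftpd line (postfix, cron, ...)
        entry = stats[rec["ip"]]
        msg = rec["msg"]
        if msg.startswith("New connection from"):
            entry.connections += 1
        elif (m := FAILED_RE.match(msg)):
            entry.auth_failures += 1
            entry.users_tried.add(m.group("user"))
        elif (m := LOGGED_IN_RE.match(msg)):
            entry.logins += 1
        # "Logout.", "PAM_RHOST enabled..." and similar are deliberately ignored
    return dict(stats)


def assess(stats):
    """Map each IP to 'logged_in', 'failed_only' or 'connect_only'."""
    verdicts = {}
    for ip, s in stats.items():
        if s.logins:
            verdicts[ip] = "logged_in"      # only these deserve a closer look
        elif s.auth_failures:
            verdicts[ip] = "failed_only"    # guessing, but never got in
        else:
            verdicts[ip] = "connect_only"   # port scan or aborted connection
    return verdicts


if __name__ == "__main__":
    stats = summarize(SAMPLE_LINES)
    for ip, verdict in assess(stats).items():
        s = stats[ip]
        print(f"{ip:15} {verdict:13} conn={s.connections} fail={s.auth_failures} "
              f"login={s.logins} users={sorted(s.users_tried)}")
```

    Run against a real file (for example `summarize(open("/var/log/syslog"))`), the output for the thread's log would show 189.44.80.3 as "failed_only": one connection, repeated failures for the user "oracle", no login. The 127.0.0.1 entries are "connect_only", matching the ISPConfig cron job that connects locally every five minutes. Only an IP that ends up as "logged_in" and is not one you recognise would justify the worry in the original question.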
     
  3. Sigix

    Sigix Member


    All right, thanks for that, ... I had already feared the worst! ;-)
    Thanks for your help ;-)
     
