Disk space

[incka]

Here is the first half of the report they sent me:






The remote system 98.67-19-162.reverse.theplanet.com was found to have exceeded acceptable login failures on host178.holyou.net. As such the attacking host has been banned from further accessing this system; for the integrity of your host you should investigate this event as soon as possible.



The following are event logs for exceeded login failures from 98.67-19-162.reverse.theplanet.com on service sshd (all time stamps are GMT +0800):

----

- Executed actions:

/etc/apf/apf -d 98.67-19-162.reverse.theplanet.com



- Log events from /var/log/messages:

Dec 22 20:53:59 host178 sshd(pam_unix)[11006]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:53:59 host178 sshd(pam_unix)[11008]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:00 host178 sshd(pam_unix)[11010]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:01 host178 sshd(pam_unix)[11012]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:01 host178 sshd(pam_unix)[11014]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:02 host178 sshd(pam_unix)[11016]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:02 host178 sshd(pam_unix)[11018]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:03 host178 sshd(pam_unix)[11020]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:04 host178 sshd(pam_unix)[11022]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:04 host178 sshd(pam_unix)[11024]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:04 host178 sshd(pam_unix)[11026]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:04 host178 sshd(pam_unix)[11028]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:05 host178 sshd(pam_unix)[11030]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:06 host178 sshd(pam_unix)[11032]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:06 host178 sshd(pam_unix)[11034]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:07 host178 sshd(pam_unix)[11036]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:07 host178 sshd(pam_unix)[11038]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:08 host178 sshd(pam_unix)[11040]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:08 host178 sshd(pam_unix)[11042]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:09 host178 sshd(pam_unix)[11044]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:09 host178 sshd(pam_unix)[11046]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:09 host178 sshd(pam_unix)[11048]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:10 host178 sshd(pam_unix)[11051]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:11 host178 sshd(pam_unix)[11054]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:11 host178 sshd(pam_unix)[11056]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:12 host178 sshd(pam_unix)[11059]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:12 host178 sshd(pam_unix)[11061]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:12 host178 sshd(pam_unix)[11067]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:13 host178 sshd(pam_unix)[11070]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:13 host178 sshd(pam_unix)[11076]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:14 host178 sshd(pam_unix)[11078]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:14 host178 sshd(pam_unix)[11080]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:15 host178 sshd(pam_unix)[11090]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:16 host178 sshd(pam_unix)[11092]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:16 host178 sshd(pam_unix)[11094]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:17 host178 sshd(pam_unix)[11096]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:17 host178 sshd(pam_unix)[11098]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:17 host178 sshd(pam_unix)[11103]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:18 host178 sshd(pam_unix)[11105]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:18 host178 sshd(pam_unix)[11107]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:19 host178 sshd(pam_unix)[11109]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:19 host178 sshd(pam_unix)[11111]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:20 host178 sshd(pam_unix)[11114]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:21 host178 sshd(pam_unix)[11116]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:21 host178 sshd(pam_unix)[11118]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:21 host178 sshd(pam_unix)[11120]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:22 host178 sshd(pam_unix)[11122]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:22 host178 sshd(pam_unix)[11125]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:23 host178 sshd(pam_unix)[11128]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:23 host178 sshd(pam_unix)[11130]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:24 host178 sshd(pam_unix)[11132]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:24 host178 sshd(pam_unix)[11134]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:25 host178 sshd(pam_unix)[11136]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:26 host178 sshd(pam_unix)[11138]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:26 host178 sshd(pam_unix)[11140]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:26 host178 sshd(pam_unix)[11143]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

[MarkB]

What did report.txt say?

[incka]

thats what i posted above.

[incka]

That's a hacker script trying to guess the password isn't it...

[r2d2]

With several attempts per second, that would seem to be a likely candidate...

[MarkB]

Sorry, didn't see the thread had gone to another page.

Definitely summat fishy there. My guess is someone's using another server to try and use brutal force methods to get into other servers. (I get at least 1 brutal force attack on my server a day; my firewall just boots the connection and blocks the IP)

[incka]

Stupid hackers, why can't they learn to make websites for profit instead of ruining them for fun, or if they hack websites, make hacking gangs that only hack other hacking gangs websites..

[MarkB]

Put some security systems in place on your server and you needn't worry (as much).

[moonshield]

thats unfortunate, same with your htmlforums.

[moonshield]

my ssh boots people off after 2 missed passwords... Interesting that your didnt

[incka]

'_Seri4l_Kill3r_ ownz ur server, aedin um abraco' is what it says.

[moonshield]

typical hacker, more properly cracker name. I really do hate crackers.

[Blue Cat Buxton]

Was this the phpbb vunerability?

[moonshield]

it was the vunerability within PHP itself, something to do with the Searlize() function... Upgrading to PHP 4.3.10+ should do the trick, or at least I hope!

[incka]

My php is version 5.0.3 I think.