My web server got hacked today. I know because my datacenter contacted me telling me that there is a brute force attack originating from my server against another server on a different network. So what is happening is that my server got hacked, and the hacker is now using the server she hacked to attack other servers by sending FTP login requests.
So, how come I got hacked when I am so obsessed with security? Well, in reality, this is just an intermediate machine that I used to run a certain script that would move my mail server, and I did not (and did not see the need to) secure it.
What I usually do to secure my server is simply install fail2ban; in this case I did not, out of laziness. Here is how I got hacked and how fail2ban would have protected me.
Before I show you the log files: this whole problem would not have happened if I had a strong password combined with fail2ban.
In the complaining party's log files:
Tue Jul 24 22:28:27 2012: user: hauvouuc service: ftp target: yyy.yyy.yyy.yyy source: xxx.xxx.xxx.xxx
Tue Jul 24 22:28:27 2012: user: pkmcndgq service: ftp target: yyy.yyy.yyy.yyy source: xxx.xxx.xxx.xxx
Tue Jul 24 22:28:27 2012: user: malumdvc1 service: ftp target: yyy.yyy.yyy.yyy source: xxx.xxx.xxx.xxx
In my log files (auth.log):
Many lines like the following, right below each other:
Jul 24 18:03:08 run sshd[14229]: pam_unix(sshd:auth): check pass; user unknown
Jul 24 18:03:08 run sshd[14229]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=9.12-14-84.ripe.coltfrance.com
Jul 24 18:03:10 run sshd[14229]: Failed password for invalid user ts3 from 84.14.12.9 port 41014 ssh2
Jul 24 18:03:11 run sshd[14231]: Invalid user ts3 from 84.14.12.9
And some lines like this:
Jul 25 15:30:46 run sshd[10728]: pam_unix(sshd:auth): check pass; user unknown
Jul 25 15:30:46 run sshd[10728]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.119.29.135
Jul 25 15:30:48 run sshd[10728]: Failed password for invalid user public from 217.119.29.135 port 34292 ssh2
Jul 25 15:30:48 run sshd[10730]: Address 217.119.29.135 maps to gamma2-7.cust.smartspb.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul 25 15:30:48 run sshd[10730]: Invalid user public from 217.119.29.135
Thousands of lines like this one:
Jul 24 14:12:38 run sshd[2025]: error: connect_to 213.186.33.207 port 80: failed.
Jul 24 14:12:39 run sshd[2025]: error: connect_to 192.168.10.24 port 2110: failed.
Jul 24 14:12:39 run sshd[2025]: error: connect_to 195.130.65.50 port 80: failed.
OR
Jul 24 06:41:19 run sshd[9824]: error: connect_to 213.186.33.207 port 80: failed.
Jul 24 06:41:19 run sshd[13434]: Failed password for invalid user test from 202.28.123.191 port 37830 ssh2
Jul 24 06:41:20 run sshd[9824]: error: connect_to 213.186.33.207 port 80: failed.
And more like this:
Jul 24 08:19:18 run sshd[20882]: pam_unix(sshd:auth): check pass; user unknown
Jul 24 08:19:18 run sshd[20882]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=puck748.server4you.de
Jul 24 08:19:21 run sshd[20882]: Failed password for invalid user kk from 85.25.235.73 port 49213 ssh2
Jul 24 08:19:21 run sshd[20884]: Invalid user css from 85.25.235.73
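As an added illustration (not from the original post), here is a small Python script that applies a fail2ban-style rule to auth.log lines like the ones above: it counts failed SSH logins per source IP inside a time window and reports the sources that cross the threshold, and it separately lists the connect_to errors, which sshd logs when an already logged-in client asks it to forward a TCP connection to another host, consistent with the cracked account being used as a relay. The sample log is constructed from the lines quoted above; the 2012 year, the 5-attempts-in-600-seconds thresholds and the extra failures from 84.14.12.9 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt modelled on the lines quoted in the post,
# with extra failures from 84.14.12.9 so the threshold is actually reached.
SAMPLE_LOG = """\
Jul 24 18:03:10 run sshd[14229]: Failed password for invalid user ts3 from 84.14.12.9 port 41014 ssh2
Jul 24 18:03:14 run sshd[14233]: Failed password for invalid user admin from 84.14.12.9 port 41020 ssh2
Jul 24 18:03:17 run sshd[14235]: Failed password for invalid user test from 84.14.12.9 port 41031 ssh2
Jul 24 18:03:20 run sshd[14237]: Failed password for root from 84.14.12.9 port 41040 ssh2
Jul 24 18:03:23 run sshd[14239]: Failed password for invalid user oracle from 84.14.12.9 port 41052 ssh2
Jul 25 15:30:48 run sshd[10728]: Failed password for invalid user public from 217.119.29.135 port 34292 ssh2
Jul 24 14:12:38 run sshd[2025]: error: connect_to 213.186.33.207 port 80: failed.
Jul 24 14:12:39 run sshd[2025]: error: connect_to 192.168.10.24 port 2110: failed.
"""

# "Failed password ... from <ip>" lines and "connect_to <host> port <n>: failed." lines.
FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+ ssh2")
FORWARD_RE = re.compile(r"sshd\[(\d+)\]: error: connect_to (\S+) port (\d+): failed\.")

def parse_stamp(stamp, year=2012):
    """Syslog stamps carry no year; assume the post's year (2012)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def brute_force_sources(log_text, maxretry=5, findtime=600):
    """{ip: total failures} for sources with >= maxretry failures inside findtime seconds."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            attempts[m.group(2)].append(parse_stamp(m.group(1)))
    tripped = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                tripped[ip] = len(times)
                break
    return tripped

def forwarding_attempts(log_text):
    """(sshd pid, host, port) for each connection a logged-in client asked sshd to forward."""
    return [(int(m.group(1)), m.group(2), int(m.group(3)))
            for m in map(FORWARD_RE.search, log_text.splitlines()) if m]
```

Run against a real auth.log, the first function gives the addresses fail2ban's sshd jail would have banned, and a non-empty result from the second for a user who has no business forwarding ports is worth investigating on its own.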