Hello, I found some curious logs in the fail2ban protocol:

2013-05-15 06:29:53,256 fail2ban.actions: WARNING [courierpop3] Ban 202.120.188.118
2013-05-15 06:29:53,263 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-courierpop3 returned 100
2013-05-15 06:29:53,263 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2013-05-15 06:29:53,270 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports pop3 -j fail2ban-courierpop3
iptables -F fail2ban-courierpop3
iptables -X fail2ban-courierpop3 returned 100
2013-05-15 06:39:53,975 fail2ban.actions: WARNING [courierpop3] Unban 202.120.188.118
2013-05-15 09:07:32,127 fail2ban.actions: WARNING [courierpop3] Ban 88.190.235.247
2013-05-15 09:17:32,798 fail2ban.actions: WARNING [courierpop3] Unban 88.190.235.247
2013-05-15 13:04:08,233 fail2ban.actions: WARNING [pureftpd] Ban 200.72.11.132
2013-05-15 13:04:08,240 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-pureftpd returned 100
2013-05-15 13:04:08,240 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2013-05-15 13:04:08,250 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ftp -j fail2ban-pureftpd
iptables -F fail2ban-pureftpd
iptables -X fail2ban-pureftpd returned 100
2013-05-15 13:14:08,965 fail2ban.actions: WARNING [pureftpd] Unban 200.72.11.132
2013-05-15 13:15:31,074 fail2ban.actions: WARNING [pureftpd] Ban 200.72.11.132
2013-05-15 13:25:31,863 fail2ban.actions: WARNING [pureftpd] Unban 200.72.11.132
2013-05-15 13:27:09,992 fail2ban.actions: WARNING [pureftpd] Ban 200.72.11.132
2013-05-15 13:37:10,681 fail2ban.actions: WARNING [pureftpd] Unban 200.72.11.132
2013-05-15 13:38:50,818 fail2ban.actions: WARNING [pureftpd] Ban 200.72.11.132
2013-05-15 13:48:51,542 fail2ban.actions: WARNING [pureftpd] Unban 200.72.11.132
2013-05-16 06:25:09,646 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2013-05-16 16:29:48,835 fail2ban.actions: WARNING [pureftpd] Ban 27.153.248.57
2013-05-16 16:39:49,620 fail2ban.actions: WARNING [pureftpd] Unban 27.153.248.57
2013-05-17 06:25:47,532 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2013-05-17 08:24:00,508 fail2ban.actions: WARNING [courierpop3] Ban 109.224.8.18
2013-05-17 08:24:00,533 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-courierpop3 returned 100
2013-05-17 08:24:00,536 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2013-05-17 08:24:00,555 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports pop3 -j fail2ban-courierpop3
iptables -F fail2ban-courierpop3
iptables -X fail2ban-courierpop3 returned 100
2013-05-17 08:34:01,221 fail2ban.actions: WARNING [courierpop3] Unban 109.224.8.18

I don't know WHO is executing

iptables -F fail2ban-courierpop3
iptables -X fail2ban-courierpop3 returned 100

but it's not me. Looks like someone is trying to flush the iptables rules.

Also, I found my server/IP on some mail server blacklists, but as I don't send spam or mailings from this server, I can't imagine why I got on a blacklist.

Any ideas?

Best regards

PS: I've upgraded to Debian wheezy this weekend using your new howto. Should I stop and remove telnet?

It's fail2ban. The blacklists should give you a reason why your server is blacklisted. Sometimes it happens just because you are in the same subnet as another server that is sending spam.
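
The log itself shows that the flush comes from fail2ban: the `iptables -F` / `iptables -X` lines are written by fail2ban's own action logger, right after its check for the jail's chain fails before a ban. The following is an added example, not part of the original thread; it parses lines from the post and reports each ban that found its chain missing and whether the flush was fail2ban's own cleanup (the function names are assumptions of this example).

```python
import re

# Lines from the log quoted in the post (actionstop entries on three lines, as logged).
SAMPLE = """\
2013-05-15 06:29:53,256 fail2ban.actions: WARNING [courierpop3] Ban 202.120.188.118
2013-05-15 06:29:53,263 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-courierpop3 returned 100
2013-05-15 06:29:53,263 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2013-05-15 06:29:53,270 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports pop3 -j fail2ban-courierpop3
iptables -F fail2ban-courierpop3
iptables -X fail2ban-courierpop3 returned 100
2013-05-15 09:07:32,127 fail2ban.actions: WARNING [courierpop3] Ban 88.190.235.247
2013-05-15 13:04:08,233 fail2ban.actions: WARNING [pureftpd] Ban 200.72.11.132
2013-05-15 13:04:08,240 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-pureftpd returned 100
2013-05-15 13:04:08,240 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2013-05-15 13:04:08,250 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ftp -j fail2ban-pureftpd
iptables -F fail2ban-pureftpd
iptables -X fail2ban-pureftpd returned 100
"""

ACTION = "fail2ban.actions.action"
REC = re.compile(r"^(\S+ \S+),\d+ (fail2ban\.[\w.]+)\s*: (\w+)\s+(.*)$")
BAN = re.compile(r"^\[([\w-]+)\] Ban (\S+)$")
CHECK = re.compile(r"grep -q fail2ban-([\w-]+) returned \d+$")

def records(text):
    """Parse into [time, logger, level, message]; fold continuation lines into the previous record."""
    recs = []
    for line in text.splitlines():
        m = REC.match(line)
        if m:
            recs.append(list(m.groups()))
        elif recs and line.strip():
            recs[-1][3] += "\n" + line.strip()
    return recs

def chain_losses(text):
    """Return (time, jail, banned_ip, flushed_by_fail2ban) per ban that found its chain gone."""
    recs, last_ban, out = records(text), {}, []
    for i, (ts, logger, _level, msg) in enumerate(recs):
        ban, check = BAN.match(msg), CHECK.search(msg)
        if ban:
            last_ban[ban.group(1)] = ban.group(2)
        elif check and logger == ACTION:
            jail = check.group(1)
            # fail2ban's own cleanup: its action logger emits -F/-X right after the failed check.
            own = any(lg == ACTION and f"iptables -F fail2ban-{jail}\n" in txt
                      for _, lg, _, txt in recs[i + 1:i + 3])
            out.append((ts, jail, last_ban.get(jail), own))
    return out
```

A `True` in the last field means the flush was fail2ban's own recovery step; what removed the chain beforehand is not visible in this log.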