watchlog report concerned me

Discussion in 'Server Operation' started by stimpack, Feb 18, 2014.

  1. stimpack

    stimpack New Member

Hi folks, watchlog sent me this report and it concerned me a lot. How can I secure my CentOS 6.5 more and decrease these attacks? Any help is appreciated.

    Code:
    ################### Logwatch 7.3.6 (05/19/07) ####################
            Processing Initiated: Tue Feb 18 03:26:03 2014
            Date Range Processed: yesterday
                                  ( 2014-Feb-17 )
                                  Period is day.
          Detail Level of Output: 0
                  Type of Output: unformatted
               Logfiles for Host: mail.domain.com
      ##################################################################
    
     --------------------- Dovecot Begin ------------------------
    
     Dovecot disconnects:
        Logged out: 510 Time(s)
        no auth attempts: 17 Time(s)
        no reason: 8 Time(s)
     ---------------------- Dovecot End -------------------------
    
    
     --------------------- httpd Begin ------------------------
    
    
     A total of 4 sites probed the server
        112.209.216.194
        213.100.98.237
        24.207.137.245
        24.4.12.213
    
     A total of 1 possible successful probes were detected (the following URLs
     contain strings that match one or more of a listing of strings that
     indicate a possible exploit):
    
        null HTTP Response 200
    
     Requests with error response codes
        403 Forbidden
           /a2/: 1 Time(s)
        404 Not Found
           /HNAP1/: 5 Time(s)
           /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F ... 76%3D%30+%2D%6E: 1 Time(s)
           /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F ... 76%3D%30+%2D%6E: 1 Time(s)
           /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75 ... 76%3D%30+%2D%6E: 1 Time(s)
           /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75 ... 76%3D%30+%2D%6E: 1 Time(s)
           /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75% ... 76%3D%30+%2D%6E: 1 Time(s)
           /cgi-bin/rtpd.cgi?/bin/busybox: 1 Time(s)
           /images/gallery/6.jpg: 1 Time(s)
           /images/slide4.jpg: 1 Time(s)
           /login.php: 2 Time(s)
           /myadmin/scripts/setup.php: 6 Time(s)
           /phpMyAdmin/scripts/setup.php: 6 Time(s)
           /phpTest/zologize/axa.php: 6 Time(s)
           /pma/scripts/setup.php: 6 Time(s)
    
     ---------------------- httpd End -------------------------
    
    
     --------------------- pam_unix Begin ------------------------
    
     remote:
        Authentication Failures:
           unknown (190.147.33.102): 27 Time(s)
           unknown (catv-176-63-171-125.catv.broadband.hu): 27 Time(s)
           root (190.147.33.102): 24 Time(s)
           root (catv-176-63-171-125.catv.broadband.hu): 24 Time(s)
        Invalid Users:
           Unknown Account: 54 Time(s)
    
     sshd:
        Authentication Failures:
           unknown (212.118.226.133): 3195 Time(s)
           root (212.118.226.133): 503 Time(s)
           root (119.10.116.156): 27 Time(s)
           unknown (119.10.116.156): 27 Time(s)
           root (193.219.98.9): 18 Time(s)
           unknown (58.221.114.3): 14 Time(s)
           apache (212.118.226.133): 3 Time(s)
           bin (119.10.116.156): 3 Time(s)
           ftp (212.118.226.133): 3 Time(s)
           games (212.118.226.133): 3 Time(s)
           mail (212.118.226.133): 3 Time(s)
           mysql (212.118.226.133): 3 Time(s)
           operator (212.118.226.133): 3 Time(s)
           postmaster (212.118.226.133): 3 Time(s)
           sarah (212.118.226.133): 3 Time(s)
           service (212.118.226.133): 3 Time(s)
           squid (212.118.226.133): 3 Time(s)
           sshd (119.10.116.156): 3 Time(s)
           unknown (103.5.126.201): 3 Time(s)
           john (212.118.226.133): 2 Time(s)
           sync (212.118.226.133): 2 Time(s)
           unknown (193.219.98.9): 2 Time(s)
           sshd (212.118.226.133): 1 Time(s)
        Invalid Users:
           Unknown Account: 3276 Time(s)
    
    
     ---------------------- pam_unix End -------------------------
    
    
     --------------------- Postfix Begin ------------------------
    
            4   *Warning: Pre-queue content-filter connection overload
           14   Miscellaneous warnings
    
       16.195K  Bytes accepted                            16,584
       16.195K  Bytes delivered                           16,584
     ========   ================================================
    
            3   Accepted                                  30.00%
            7   Rejected                                  70.00%
     --------   ------------------------------------------------
           10   Total                                    100.00%
     ========   ================================================
    
            7   Reject relay denied                      100.00%
     --------   ------------------------------------------------
            7   Total Rejects                            100.00%
     ========   ================================================
    
           13   Connections made
           13   Disconnections
            3   Removed from queue
            2   Delivered
            1   Sent via SMTP
            1   Deferred
            6   Deferrals
    
            1   Connection failure (outbound)
    
    
    
     ---------------------- Postfix End -------------------------
    
    
     --------------------- Connections (secure-log) Begin ------------------------
    
     New Users:
        ericwebster (516)
    
     New Groups:
        ericwebster (516)
    
    
     Failed logins:
        User admin:
           190.147.33.102: 21 Time(s)
           catv-176-63-171-125.catv.broadband.hu: 21 Time(s)
        User cusadmin:
           190.147.33.102: 6 Time(s)
           catv-176-63-171-125.catv.broadband.hu: 6 Time(s)
        User root:
           190.147.33.102: 24 Time(s)
           catv-176-63-171-125.catv.broadband.hu: 24 Time(s)
    
     **Unmatched Entries**
        login: FAILED LOGIN SESSION FROM 190.147.33.102 FOR (null), Error in service module: 1 Time(s)
        login: pam_securetty(remote:auth): access denied: tty 'pts/0' is not secure !: 34 Time(s)
        login: pam_securetty(remote:auth): access denied: tty 'pts/1' is not secure !: 34 Time(s)
        login: pam_securetty(remote:auth): access denied: tty 'pts/2' is not secure !: 34 Time(s)
        login: pam_securetty(remote:auth): cannot determine username: 3 Time(s)
        login: pam_succeed_if(remote:auth): error retrieving user name: Conversation error: 3 Time(s)
    
     ---------------------- Connections (secure-log) End -------------------------
    
    
     --------------------- SSHD Begin ------------------------
    
    
     Disconnecting after too many authentication failures for user:
        admin : 7 Time(s)
    
     Failed logins from:
        119.10.116.156: 33 times
        193.219.98.9: 18 times
        212.118.226.133: 538 times
    
     Illegal users from:
        58.221.114.3: 56 times
        103.5.126.201: 3 times
        119.10.116.156: 27 times
        193.219.98.9: 2 times
        212.118.226.133: 3195 times
    
     Users logging in through sshd:
        x:
           41.137.74.142: 3 times
           41.137.68.200: 2 times
           41.137.74.34: 1 time
    
    
     Received disconnect:
        11: Bye Bye : 3807 Time(s)
    
     SFTP subsystem requests: 2 Time(s)
    
     **Unmatched Entries**
     PAM service(sshd) ignoring max retries; 5 > 3 : 7 time(s)
     PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.221.114.3  : 7 time(s)
     PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.221.114.3  : 7 time(s)
    
     ---------------------- SSHD End -------------------------
    
    
     --------------------- Sudo (secure-log) Begin ------------------------
    
    
     ==============================================================================
    
     user => root
     --------------
     /bin/bash - 4 Times.
     /etc/init.d/squid - 6 Times.
    
     ---------------------- Sudo (secure-log) End -------------------------
    
    
     --------------------- Disk Space Begin ------------------------
    
     Filesystem      Size  Used Avail Use% Mounted on
     /dev/vda1       5.0G  1.8G  3.0G  37% /
    
    
     ---------------------- Disk Space End -------------------------
    
    
     ###################### Logwatch End #########################
     

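The report above comes from logwatch summarising /var/log/secure, and the two sections that matter most for the question are "Failed logins from" and "Illegal users from" in the SSHD block. The following script is an added example, not part of the original post or of logwatch itself: it parses a few constructed sshd lines in the format CentOS 6 writes to /var/log/secure (the hosts are RFC 5737 documentation addresses, the usernames are made up), aggregates failures per source host the way the report does, and applies the same kind of retry threshold a tool such as fail2ban uses to decide which hosts to firewall. The function names, the `maxretry` parameter and the sample log are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format CentOS 6 sshd writes to /var/log/secure.
# They are not taken from the original post; hosts are RFC 5737 documentation addresses.
SAMPLE_SECURE_LOG = """\
Feb 17 03:12:01 mail sshd[12345]: Invalid user admin from 203.0.113.5
Feb 17 03:12:01 mail sshd[12345]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb 17 03:12:03 mail sshd[12345]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb 17 03:12:05 mail sshd[12345]: Failed password for root from 203.0.113.5 port 51234 ssh2
Feb 17 03:12:07 mail sshd[12350]: Invalid user sarah from 203.0.113.5
Feb 17 03:12:07 mail sshd[12350]: Failed password for invalid user sarah from 203.0.113.5 port 51240 ssh2
Feb 17 03:12:09 mail sshd[12350]: Failed password for invalid user sarah from 203.0.113.5 port 51240 ssh2
Feb 17 03:12:11 mail sshd[12350]: Failed password for invalid user sarah from 203.0.113.5 port 51240 ssh2
Feb 17 03:15:00 mail sshd[12360]: Failed password for root from 198.51.100.9 port 40010 ssh2
Feb 17 03:15:02 mail sshd[12360]: Failed password for root from 198.51.100.9 port 40010 ssh2
Feb 17 03:20:00 mail sshd[12370]: Accepted publickey for x from 198.51.100.7 port 40000 ssh2
"""

# "Failed password for [invalid user ]USER from HOST port N ssh2"
# Only these lines are counted; the separate "Invalid user X from HOST" line that
# precedes them is skipped so that one attempt is not counted twice.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port \d+")
# "Accepted METHOD for USER from HOST port N ssh2"
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def summarize_sshd(log_text):
    """Aggregate sshd events per source host, in the spirit of logwatch's SSHD section.

    Returns a dict with:
      failed   - Counter: host -> failed passwords for accounts that exist
      illegal  - Counter: host -> failed passwords for accounts that do not exist
      users    - dict: host -> Counter of usernames tried from that host
      accepted - dict: user -> Counter of hosts that logged in successfully
    """
    summary = {
        "failed": Counter(),
        "illegal": Counter(),
        "users": defaultdict(Counter),
        "accepted": defaultdict(Counter),
    }
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            invalid, user, host = m.groups()
            summary["illegal" if invalid else "failed"][host] += 1
            summary["users"][host][user] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            _method, user, host = m.groups()
            summary["accepted"][user][host] += 1
    return summary


def hosts_over_threshold(summary, maxretry=5):
    """Hosts whose total failures (existing plus nonexistent users) reach maxretry.

    This is the decision a tool such as fail2ban makes before inserting a firewall
    rule; here it only returns the candidate list so an admin can review it.
    """
    totals = summary["failed"] + summary["illegal"]
    return sorted(host for host, n in totals.items() if n >= maxretry)


def format_report(summary, maxretry=5):
    """Render a short text report in the same style as the logwatch output."""
    lines = ["Failed logins from:"]
    for host, n in summary["failed"].most_common():
        lines.append("   %s: %d times" % (host, n))
    lines.append("Illegal users from:")
    for host, n in summary["illegal"].most_common():
        users = ", ".join(sorted(summary["users"][host]))
        lines.append("   %s: %d times (tried: %s)" % (host, n, users))
    lines.append("Users logging in through sshd:")
    for user, hosts in sorted(summary["accepted"].items()):
        for host, n in hosts.most_common():
            lines.append("   %s: %s: %d time(s)" % (user, host, n))
    lines.append("Hosts reaching %d failures (candidates to block):" % maxretry)
    lines.extend("   " + h for h in hosts_over_threshold(summary, maxretry))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize_sshd(SAMPLE_SECURE_LOG)))
```

Run against the real file with `summarize_sshd(open("/var/log/secure").read())`. The "illegal" counter is the one to watch: every entry there is a guess at an account that does not exist, which is exactly what the 3195 "Illegal users" hits in the report are. Keeping that list separate from "failed" also shows which of your real accounts (root, apache, mysql, and so on in the report) are being targeted, which is useful when deciding on `PermitRootLogin no` and key-only authentication in sshd_config.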