# I think my server has been hacked!???



## Sigix (15 Oct 2010)

Hi everyone,

I don't know whether these are just log entries / attack attempts, or whether someone is already running riot on my server!???

I have a few log entries that I don't like!
Here are the log entries:

fail2ban log:

```
2010-10-14 19:04:48,493 fail2ban.actions: WARNING [ssh] Ban 61.240.36.1
2010-10-14 19:14:48,541 fail2ban.actions: WARNING [ssh] Unban 61.240.36.1
2010-10-14 19:28:59,556 fail2ban.actions: WARNING [ssh] Ban 180.210.26.53
2010-10-14 19:38:59,572 fail2ban.actions: WARNING [ssh] Unban 180.210.26.53
2010-10-14 22:23:32,596 fail2ban.actions: WARNING [ssh] Ban 218.93.116.166
2010-10-14 22:33:32,612 fail2ban.actions: WARNING [ssh] Unban 218.93.116.166
2010-10-15 00:09:20,791 fail2ban.actions: WARNING [ssh] Ban 190.152.99.19
2010-10-15 00:19:20,803 fail2ban.actions: WARNING [ssh] Unban 190.152.99.19
2010-10-15 00:50:08,819 fail2ban.actions: WARNING [ssh] Ban 180.210.26.53
2010-10-15 01:00:08,831 fail2ban.actions: WARNING [ssh] Unban 180.210.26.53
```

ClamAV log:

```
Fri Oct 15 00:36:30 2010 -> SelfCheck: Database status OK.
Fri Oct 15 01:16:37 2010 -> /var/lib/amavis/tmp/amavis-20101015T004858-31641/parts/p005: Suspect.Trojan.Generic.FD-4(ed691cabda1bc5f8447d747558f8b64e:60928) FOUND
Fri Oct 15 01:36:50 2010 -> SelfCheck: Database status OK.
Fri Oct 15 02:38:41 2010 -> SelfCheck: Database status OK.
Fri Oct 15 03:41:21 2010 -> SelfCheck: Database status OK.
Fri Oct 15 04:44:58 2010 -> SelfCheck: Database status OK.
Fri Oct 15 05:05:29 2010 -> /var/lib/amavis/tmp/amavis-20101015T044612-04083/parts/p005: Suspect.Trojan.Generic.FD-4(ed691cabda1bc5f8447d747558f8b64e:60928) FOUND
Fri Oct 15 05:07:29 2010 -> /var/lib/amavis/tmp/amavis-20101015T042049-03506/parts/p005: Suspect.Trojan.Generic.FD-4(ed691cabda1bc5f8447d747558f8b64e:60928) FOUND
Fri Oct 15 05:52:19 2010 -> SelfCheck: Database modification detected. Forcing reload.
Fri Oct 15 05:52:20 2010 -> Reading databases from /var/lib/clamav
Fri Oct 15 05:52:31 2010 -> Database correctly reloaded (843369 signatures)
Fri Oct 15 06:28:58 2010 -> /var/lib/amavis/tmp/amavis-20101015T051504-04604/parts/p006: Suspect.Trojan.Generic.FD-4(ed691cabda1bc5f8447d747558f8b64e:60928) FOUND
Fri Oct 15 06:28:58 2010 -> /var/lib/amavis/tmp/amavis-20101015T051504-04604/parts/p005: Suspect.Trojan.Generic.FD-4(ed691cabda1bc5f8447d747558f8b64e:60928) FOUND
Fri Oct 15 06:54:10 2010 -> SelfCheck: Database status OK.
Fri Oct 15 07:54:14 2010 -> SelfCheck: Database status OK.
Fri Oct 15 08:54:34 2010 -> SelfCheck: Database status OK.
Fri Oct 15 09:54:48 2010 -> SelfCheck: Database status OK.
Fri Oct 15 10:19:07 2010 -> /var/lib/amavis/tmp/amavis-20101015T101215-28125/parts/p005: Suspect.Trojan.Generic.FD-4(ed691cabda1bc5f8447d747558f8b64e:60928) FOUND
```

ISPC cron log:

```
tail: write error: Broken pipe
tail: write error: Broken pipe
tail: write error: Broken pipe
```

System log:

```
Oct 15 10:15:01 mail1 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Oct 15 10:15:01 mail1 pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Oct 15 10:19:12 mail1 pure-ftpd: (?@189.44.80.3) [INFO] New connection from 189.44.80.3
Oct 15 10:19:13 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:19:15 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:19:21 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:19:23 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:19:30 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:19:32 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:19:44 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:19:47 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:20:01 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:20:01 mail1 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Oct 15 10:20:01 mail1 pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Oct 15 10:20:02 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:20:18 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:20:21 mail1 pure-ftpd: (?@189.44.80.3) [INFO] New connection from 189.44.80.3
Oct 15 10:20:21 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:20:23 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:20:28 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:20:30 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:20:39 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:20:41 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:20:52 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:20:54 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:21:08 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:21:10 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:21:26 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:21:28 mail1 pure-ftpd: (?@189.44.80.3) [INFO] New connection from 189.44.80.3
Oct 15 10:21:29 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:21:31 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:21:36 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:21:37 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:21:46 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:21:48 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:21:59 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:22:00 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:22:13 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:22:15 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:22:31 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:22:34 mail1 pure-ftpd: (?@189.44.80.3) [INFO] New connection from 189.44.80.3
Oct 15 10:22:35 mail1 pure-ftpd: (?@189.44.80.3) [INFO] PAM_RHOST enabled. Getting the peer address
Oct 15 10:22:37 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
```

Mail warn log:

```
Oct 15 09:46:20 mail1 postfix/smtpd[27053]: warning: 115.111.47.226: hostname 115.111.47.226.static-delhi.vsnl.net.in verification failed: Name or service not known
Oct 15 09:46:32 mail1 postfix/smtpd[27053]: warning: 113.167.168.45: address not listed for hostname localhost
Oct 15 09:47:26 mail1 postfix/smtpd[27053]: warning: 113.167.231.194: address not listed for hostname localhost
Oct 15 09:50:40 mail1 postfix/smtpd[27259]: warning: 89.122.125.251: hostname adsl89-122-125-251.romtelecom.net verification failed: Name or service not known
Oct 15 09:58:16 mail1 postfix/smtpd[27259]: warning: 59.180.186.50: hostname triband-del-59.180.186.50.bol.net.in verification failed: Name or service not known
Oct 15 10:01:10 mail1 postfix/smtpd[27670]: warning: 41.248.245.37: hostname static41-37-244-248-244.adsl41-16.iam.net.ma verification failed: Name or service not known
Oct 15 10:05:59 mail1 postfix/smtpd[27830]: warning: 60.223.247.120: address not listed for hostname 120.247.223.60.adsl-pool.sx.cn
Oct 15 10:07:39 mail1 postfix/smtpd[27670]: warning: 95.215.49.13: hostname pool-95-215-49-13.optima-east.net verification failed: Name or service not known
Oct 15 10:16:15 mail1 postfix/smtpd[28286]: warning: 122.201.22.62: hostname com22-62.mcscom.mn verification failed: Name or service not known
Oct 15 10:18:57 mail1 postfix/smtpd[28286]: warning: 122.164.32.208: hostname ABTS-TN-dynamic-208.32.164.122.airtelbroadband.in verification failed: Name or service not known
Oct 15 10:26:48 mail1 postfix/smtpd[28644]: warning: 118.96.66.246: hostname 246.subnet118-96-66.astinet.telkom.net.id verification failed: Name or service not known
Oct 15 10:26:52 mail1 postfix/smtpd[28286]: warning: 217.12.245.74: hostname host-74.217-12-245.rr.net21.ru verification failed: Name or service not known
Oct 15 10:27:56 mail1 postfix/smtpd[28286]: warning: 221.135.126.74: hostname 221-135-126-74.sify.net verification failed: Name or service not known
Oct 15 10:29:40 mail1 postfix/smtpd[28830]: warning: 113.190.218.192: address not listed for hostname localhost
Oct 15 10:30:38 mail1 postfix/smtpd[28893]: warning: 112.135.104.253: hostname SLT-BB-CUST.slt.lk verification failed: Name or service not known
Oct 15 10:33:17 mail1 postfix/smtpd[28830]: warning: 210.89.32.145: hostname Static-32-145.pacenet-india.com verification failed: Name or service not known
Oct 15 10:37:42 mail1 postfix/smtpd[29058]: warning: 93.182.238.152: hostname 152.238.182-93.rev.gaoland.net verification failed: Name or service not known
Oct 15 10:38:06 mail1 postfix/smtpd[28830]: warning: 113.168.25.78: address not listed for hostname localhost
```


The mail queue is empty.


Can anyone help me with this????
The entry that worries me is the following one in the system log:
"Oct 15 10:19:12 mail1 pure-ftpd: (?@189.44.80.3) [INFO] New connection from 189.44.80.3"

I don't recognise this IP!

Please help... thanks!


----------



## Till (15 Oct 2010)

That's all fine. Your server has not been hacked, or at least nothing in the logs points to it. Those are the usual attempts by script kiddies and bots. That is exactly why antivirus software and fail2ban are installed.



> "Oct 15 10:19:12 mail1 pure-ftpd: (?@189.44.80.3) [INFO] New connection from 189.44.80.3"


"New connection" only means that someone connected to the server or scanned the port, not that they were also able to log in.

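As an added illustration of Till's point (example code written for this page, not from the thread or from ISPConfig): a small Python triage that reads pure-ftpd syslog lines and flags an IP only when a login actually succeeded, so connections and failed logins like those from 189.44.80.3 rank as noise. The sample lines are constructed from the post; the "is now logged in" message format and the address 203.0.113.5 are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in pure-ftpd's syslog format, modelled on the post's lines
# (189.44.80.3 and 127.0.0.1 are from the post; 203.0.113.5 is a made-up
# documentation address added to show what a *successful* login looks like).
SAMPLE_LOG = """\
Oct 15 10:15:01 mail1 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Oct 15 10:15:01 mail1 pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Oct 15 10:19:12 mail1 pure-ftpd: (?@189.44.80.3) [INFO] New connection from 189.44.80.3
Oct 15 10:19:15 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:19:23 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:19:32 mail1 pure-ftpd: (?@189.44.80.3) [WARNING] Authentication failed for user [oracle]
Oct 15 10:30:00 mail1 pure-ftpd: (?@203.0.113.5) [INFO] New connection from 203.0.113.5
Oct 15 10:30:02 mail1 pure-ftpd: (web1@203.0.113.5) [INFO] web1 is now logged in
"""

# (user@ip) [LEVEL] message -- the user field is "?" until authentication succeeds.
LINE_RE = re.compile(
    r"pure-ftpd: \((?P<user>[^@]*)@(?P<ip>[^)]+)\) \[(?P<level>\w+)\] (?P<msg>.*)$"
)

def summarize(log_text):
    """Return {ip: {"connections": n, "failed": n, "logins": n}} for pure-ftpd lines."""
    stats = defaultdict(lambda: {"connections": 0, "failed": 0, "logins": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a pure-ftpd line (other daemons share the syslog)
        ip, msg = m.group("ip"), m.group("msg")
        if msg.startswith("New connection from"):
            stats[ip]["connections"] += 1
        elif msg.startswith("Authentication failed for user"):
            stats[ip]["failed"] += 1
        elif msg.endswith("is now logged in"):  # assumed pure-ftpd success message
            stats[ip]["logins"] += 1
    return dict(stats)

def triage(stats):
    """A successful login from an unknown host is the only compromise indicator here."""
    verdict = {}
    for ip, s in stats.items():
        if s["logins"] > 0:
            verdict[ip] = "login succeeded - verify this host is yours"
        elif s["failed"] > 0:
            verdict[ip] = "failed logins only - brute-force noise, no access"
        else:
            verdict[ip] = "connection only - scan or probe, no login attempt"
    return verdict
```

Run `triage(summarize(open("/var/log/syslog").read()))` against a real syslog to get the same per-IP verdicts on live data.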

----------



## Sigix (15 Oct 2010)

Quote from Till:


> That's all fine. Your server has not been hacked, or at least nothing in the logs points to it. Those are the usual attempts by script kiddies and bots. That is exactly why antivirus software and fail2ban are installed.
> 
> 
> 
> "New connection" only means that someone connected to the server or scanned the port, not that they were also able to log in.


All right, thanks for that... I had already feared the worst! ;-)
Thanks for your help ;-)


----------

