Installation / Outgoing attacks to random IPs "after clean CWP installation"
« on: December 09, 2022, 08:36:56 AM »
1 week ago I did a clean installation of CentOS 7 with CentOS Web Panel, but I didn't transfer my website and I didn't start using this VPS...
VPS created and built with CentOS 7 from the Hetzner panel / new VPS server with a new IP (not blacklisted), maybe not used for a long time.
- A few hours later I received an abuse warning mail from Hetzner and I saw "17 TB traffic outgoing" used by my VPS.
(I have never seen above 100 GB per month in my life... and this VPS does not host a website.)
- I checked server logs, PHP files, nothing wrong, and no one entered my VPS via SSH/FTP or the CWP panel.
I did a malware scan, ClamAV scan, rkhunter scan, chkrootkit scan: nothing found, no virus/exploit detected.
I formatted and rebuilt my VPS again, but the iftop screen was the same as before. I created a new VPS with a different IP and did the same installation; the same attacks happened again, my freshly built VPS attacking random IPs.
When I power on, the attacks start again.
Hetzner panel: (screenshot)
SSH iftop: (screenshot)
A few hours later
Hetzner panel: (screenshot; breaks = VPS stopped)
SSH iftop: (screenshot)
When I create a firewall rule from the Hetzner panel (incoming 80 8080 53, deny all other ports) the attacks stop.
I think my VPS has an exploit or virus, but I didn't do anything but install CWP...
Could I be missing something? Do you have any advice that can help me with this?
Thank you.
iptables / SSH brute force attacks to random ports/users
« on: March 30, 2022, 12:21:38 PM »
I changed my default server SSH port and I have one SSH user (root).
I see a lot of logs like I quote:
Quote
Mar 30 15:09:20 server2 sshd[30568]: Invalid user git from 134.209.212.125 port 37676
Mar 30 15:09:20 server2 sshd[30568]: input_userauth_request: invalid user git [preauth]
Mar 30 15:09:20 server2 sshd[30568]: pam_unix(sshd:auth): check pass; user unknown
Mar 30 15:09:20 server2 sshd[30568]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=134.209.212.125
Mar 30 15:09:22 server2 sshd[30568]: Failed password for invalid user git from 134.209.212.125 port 37676 ssh2
Mar 30 15:09:22 server2 sshd[30568]: Received disconnect from 134.209.212.125 port 37676:11: Bye Bye [preauth]
Mar 30 15:09:22 server2 sshd[30568]: Disconnected from 134.209.212.125 port 37676 [preauth]
Mar 30 15:09:25 server2 sshd[30577]: Address 60.30.98.194 maps to no-data, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar 30 15:09:25 server2 sshd[30577]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.30.98.194 user=root
Mar 30 15:09:25 server2 sshd[30577]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 30 15:09:28 server2 sshd[30577]: Failed password for root from 60.30.98.194 port 6080 ssh2
Mar 30 15:09:28 server2 sshd[30577]: Received disconnect from 60.30.98.194 port 6080:11: Bye Bye [preauth]
Mar 30 15:09:28 server2 sshd[30577]: Disconnected from 60.30.98.194 port 6080 [preauth]
Mar 30 15:16:52 server2 sshd[618]: Invalid user prueba from 106.13.209.109 port 43952
Mar 30 15:16:52 server2 sshd[618]: input_userauth_request: invalid user prueba [preauth]
Mar 30 15:16:52 server2 sshd[618]: pam_unix(sshd:auth): check pass; user unknown
Mar 30 15:16:52 server2 sshd[618]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=106.13.209.109
Mar 30 15:16:54 server2 sshd[618]: Failed password for invalid user prueba from 106.13.209.109 port 43952 ssh2
Mar 30 15:16:55 server2 sshd[618]: Received disconnect from 106.13.209.109 port 43952:11: Bye Bye [preauth]
Mar 30 15:16:55 server2 sshd[618]: Disconnected from 106.13.209.109 port 43952 [preauth]
SSH brute force attacks from random IPs (proxies worldwide) and random users every day (50,000+ lines).
I am sure that the attackers don't know my SSH port, but they try random ports every time.
I think it's an auto robot, but I want to stop it, and also I'm not using these ports like 6080 37676 43952 ...
-- Banning is not a solution. Can I block all ports but www, mail, SSL, SSH (and others that must remain open) from iptables?
-- Do you have any ideas to help me with this?
Thank you
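One way to triage a log like the one quoted in this post, as an added example that is not part of the post or of CWP: a Python script that parses the sshd "Failed password" lines, aggregates failures per source address and lists the addresses above a threshold. The sample is constructed from the quoted lines plus a constructed burst from one address; the port it records is the peer's source port exactly as sshd logs it.

```python
import re
from collections import defaultdict

# Constructed sample made from the sshd lines quoted in the post, plus a
# constructed burst from one address so the threshold logic has something to flag.
SAMPLE_LOG = """\
Mar 30 15:09:20 server2 sshd[30568]: Invalid user git from 134.209.212.125 port 37676
Mar 30 15:09:22 server2 sshd[30568]: Failed password for invalid user git from 134.209.212.125 port 37676 ssh2
Mar 30 15:09:28 server2 sshd[30577]: Failed password for root from 60.30.98.194 port 6080 ssh2
Mar 30 15:16:54 server2 sshd[618]: Failed password for invalid user prueba from 106.13.209.109 port 43952 ssh2
Mar 30 15:20:01 server2 sshd[700]: Failed password for root from 60.30.98.194 port 6102 ssh2
Mar 30 15:20:05 server2 sshd[701]: Failed password for root from 60.30.98.194 port 6110 ssh2
Mar 30 15:20:09 server2 sshd[702]: Failed password for invalid user admin from 60.30.98.194 port 6121 ssh2
"""

# "Failed password for [invalid user] NAME from IP port N ssh2": the port is the
# peer's source port as sshd logs it, not a port listening on this server.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def parse_failures(log_text):
    """Return one dict per failed-password line: ip, user, src_port, known_user."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append({
                "ip": m.group("ip"),
                "user": m.group("user"),
                "src_port": int(m.group("port")),
                "known_user": m.group("invalid") is None,  # True for "root", False for "git"
            })
    return events

def summarize_by_ip(events):
    """Aggregate failures per source address: count, user names tried, source ports seen."""
    summary = defaultdict(lambda: {"failures": 0, "users": set(), "src_ports": set()})
    for ev in events:
        s = summary[ev["ip"]]
        s["failures"] += 1
        s["users"].add(ev["user"])
        s["src_ports"].add(ev["src_port"])
    return dict(summary)

def offenders(summary, threshold=3):
    """Addresses at or above the failure threshold, most failures first."""
    hits = [(ip, s["failures"]) for ip, s in summary.items() if s["failures"] >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))

if __name__ == "__main__":
    summary = summarize_by_ip(parse_failures(SAMPLE_LOG))
    for ip, s in sorted(summary.items()):
        print(f"{ip:16} failures={s['failures']} users={sorted(s['users'])} src_ports={sorted(s['src_ports'])}")
    print("offenders:", offenders(summary))
```

Run it against /var/log/secure instead of SAMPLE_LOG to see which addresses are responsible for most of the 50,000+ lines; the changing source ports per address are what the "random ports" in the log actually are.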
CentOS 7 Problems / anacron - cron.daily - mysql restart every night (How to stop?)
« on: January 22, 2021, 11:13:47 AM »
- I want to stop the cron.daily "mysql restart" command, but I don't know how.
(Help appreciated. Thank you.)
Why?
I need a minimum of 2 days' uptime to analyze the MySQL conf
https://i.postimg.cc/mDRydFxg/screenshot-274.png
Also (more importantly), sometimes these restarts cause 5++ minutes of MySQL downtime
https://i.postimg.cc/GppcvXtL/screenshot-273.png
https://i.postimg.cc/cLYN93cD/screenshot-277.png
------------sample-logs--------------------
email
Quote
Anacron job 'cron.daily' on sitename123.com
messages logs
Quote
Jan 10 03:30:01 servername123 systemd: Stopping MariaDB 10.2.36 database server...
Jan 10 03:30:03 servername123 systemd: Stopped MariaDB 10.2.36 database server.
Jan 10 03:30:04 servername123 systemd: Starting MariaDB 10.2.36 database server...
Jan 10 03:30:05 servername123 mysqld: 2021-01-10 3:30:05 140584771946688 [Note] /usr/sbin/mysqld (mysqld 10.2.36-MariaDB-log) starting as process 18309 ...
Jan 10 03:30:05 servername123 systemd: Started MariaDB 10.2.36 database server.
Jan 10 03:30:05 servername123 systemd: Stopping MariaDB 10.2.36 database server...
Jan 10 03:30:07 servername123 systemd: Stopped MariaDB 10.2.36 database server.
Jan 10 03:30:08 servername123 systemd: Starting MariaDB 10.2.36 database server...
Jan 10 03:30:08 servername123 mysqld: 2021-01-10 3:30:08 139859181062336 [Note] /usr/sbin/mysqld (mysqld 10.2.36-MariaDB-log) starting as process 18482 ...
Jan 10 03:30:08 servername123 systemd: Started MariaDB 10.2.36 database server.
cron logs
Quote
Jan 9 03:27:01 servername123 anacron[22631]: Job `cron.daily' started
Jan 9 03:27:01 servername123 run-parts(/etc/cron.daily)[29233]: starting certwatch
Jan 9 03:27:01 servername123 run-parts(/etc/cron.daily)[29240]: finished certwatch
Jan 9 03:27:01 servername123 run-parts(/etc/cron.daily)[29233]: starting cwp
Jan 9 03:27:22 servername123 run-parts(/etc/cron.daily)[30011]: finished cwp
Jan 9 03:27:22 servername123 run-parts(/etc/cron.daily)[29233]: starting cwp_acme.sh
Jan 9 03:27:22 servername123 run-parts(/etc/cron.daily)[30083]: finished cwp_acme.sh
Jan 9 03:27:22 servername123 run-parts(/etc/cron.daily)[29233]: starting cwp_bandwidth
Jan 9 03:27:23 servername123 run-parts(/etc/cron.daily)[30105]: finished cwp_bandwidth
Jan 9 03:27:23 servername123 run-parts(/etc/cron.daily)[29233]: starting logrotate
Jan 9 03:27:23 servername123 run-parts(/etc/cron.daily)[30112]: finished logrotate
Jan 9 03:27:23 servername123 run-parts(/etc/cron.daily)[29233]: starting man-db.cron
Jan 9 03:27:23 servername123 run-parts(/etc/cron.daily)[30126]: finished man-db.cron
Jan 9 03:27:23 servername123 anacron[22631]: Job `cron.daily' terminated (produced output)
Jan 9 03:27:23 servername123 anacron[22631]: Normal exit (1 job run)
Jan 9 03:28:01 servername123 crond[536]: (root) RELOAD (/var/spool/cron/root)
Jan 9 03:30:01 servername123 CROND[30791]: (root) CMD (/usr/local/bin/svcMonitor)
Jan 9 03:30:01 servername123 CROND[30792]: (root) CMD (/usr/local/bin/svcMonitor-systemd)
Jan 9 03:30:01 servername123 CROND[30799]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan 9 03:40:01 servername123 CROND[1167]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan 9 03:45:01 servername123 CROND[2379]: (root) CMD (/usr/local/bin/svcMonitor)
Jan 9 03:45:01 servername123 CROND[2380]: (root) CMD (/usr/local/bin/svcMonitor-systemd)
mysql logs
Quote
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Uses event mutexes
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Compressed tables use zlib 1.2.7
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Using Linux native AIO
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Number of pools: 1
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Using SSE2 crc32 instructions
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Initializing buffer pool, total size = 40M, instances = 1, chunk size = 40M
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Completed initialization of buffer pool
2021-01-10 3:30:05 140584151996160 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Highest supported file format is Barracuda.
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: 128 out of 128 rollback segments are active.
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Creating shared tablespace for temporary tables
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: 5.7.32 started; log sequence number 12347021
2021-01-10 3:30:05 140583850985216 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
2021-01-10 3:30:05 140583850985216 [Note] InnoDB: Buffer pool(s) load completed at 210110 3:30:05
2021-01-10 3:30:05 140584771946688 [Note] Plugin 'FEEDBACK' is disabled.
2021-01-10 3:30:05 140584771946688 [Note] Server socket created on IP: '::'.
2021-01-10 3:30:05 140584771946688 [Note] Reading of all Master_info entries succeeded
2021-01-10 3:30:05 140584771946688 [Note] Added new Master_info '' to hash table
2021-01-10 3:30:05 140584771946688 [Note] /usr/sbin/mysqld: ready for connections.
Version: '10.2.36-MariaDB-log' socket: '/var/lib/mysql/mysql.sock' port: 3306 MariaDB Server
2021-01-10 3:30:05 140584349431552 [Note] /usr/sbin/mysqld (initiated by: unknown): Normal shutdown
2021-01-10 3:30:05 140584349431552 [Note] Event Scheduler: Purging the queue. 0 events
2021-01-10 3:30:05 140584101639936 [Note] InnoDB: FTS optimize thread exiting.
2021-01-10 3:30:05 140584349431552 [Note] InnoDB: Starting shutdown...
2021-01-10 3:30:05 140583850985216 [Note] InnoDB: Dumping buffer pool(s) to /var/lib/mysql/ib_buffer_pool
2021-01-10 3:30:05 140583850985216 [Note] InnoDB: Buffer pool(s) dump completed at 210110 3:30:05
2021-01-10 3:30:07 140584349431552 [Note] InnoDB: Shutdown completed; log sequence number 12347040
2021-01-10 3:30:07 140584349431552 [Note] InnoDB: Removed temporary tablespace data file: "ibtmp1"
2021-01-10 3:30:07 140584349431552 [Note] /usr/sbin/mysqld: Shutdown complete
-------------logs--------------------
MySQL / cron.daily - mysql restart every night (How to stop?)
« on: January 10, 2021, 11:48:21 AM »
- I want to stop the cron.daily "mysql restart" command, but I don't know how.
(Help appreciated. Thank you.)
Why?
I need a minimum of 2 days' uptime to analyze the MySQL conf
https://i.postimg.cc/mDRydFxg/screenshot-274.png
Also (more importantly), sometimes these restarts cause 5 minutes of MySQL downtime
https://i.postimg.cc/GppcvXtL/screenshot-273.png
-------------logs--------------------
email
Quote
Anacron job 'cron.daily' on sitename123.com
messages logs
Quote
Jan 10 03:30:01 servername123 systemd: Stopping MariaDB 10.2.36 database server...
Jan 10 03:30:03 servername123 systemd: Stopped MariaDB 10.2.36 database server.
Jan 10 03:30:04 servername123 systemd: Starting MariaDB 10.2.36 database server...
Jan 10 03:30:05 servername123 mysqld: 2021-01-10 3:30:05 140584771946688 [Note] /usr/sbin/mysqld (mysqld 10.2.36-MariaDB-log) starting as process 18309 ...
Jan 10 03:30:05 servername123 systemd: Started MariaDB 10.2.36 database server.
Jan 10 03:30:05 servername123 systemd: Stopping MariaDB 10.2.36 database server...
Jan 10 03:30:07 servername123 systemd: Stopped MariaDB 10.2.36 database server.
Jan 10 03:30:08 servername123 systemd: Starting MariaDB 10.2.36 database server...
Jan 10 03:30:08 servername123 mysqld: 2021-01-10 3:30:08 139859181062336 [Note] /usr/sbin/mysqld (mysqld 10.2.36-MariaDB-log) starting as process 18482 ...
Jan 10 03:30:08 servername123 systemd: Started MariaDB 10.2.36 database server.
cron logs
Quote
Jan 9 03:27:01 servername123 anacron[22631]: Job `cron.daily' started
Jan 9 03:27:01 servername123 run-parts(/etc/cron.daily)[29233]: starting certwatch
Jan 9 03:27:01 servername123 run-parts(/etc/cron.daily)[29240]: finished certwatch
Jan 9 03:27:01 servername123 run-parts(/etc/cron.daily)[29233]: starting cwp
Jan 9 03:27:22 servername123 run-parts(/etc/cron.daily)[30011]: finished cwp
Jan 9 03:27:22 servername123 run-parts(/etc/cron.daily)[29233]: starting cwp_acme.sh
Jan 9 03:27:22 servername123 run-parts(/etc/cron.daily)[30083]: finished cwp_acme.sh
Jan 9 03:27:22 servername123 run-parts(/etc/cron.daily)[29233]: starting cwp_bandwidth
Jan 9 03:27:23 servername123 run-parts(/etc/cron.daily)[30105]: finished cwp_bandwidth
Jan 9 03:27:23 servername123 run-parts(/etc/cron.daily)[29233]: starting logrotate
Jan 9 03:27:23 servername123 run-parts(/etc/cron.daily)[30112]: finished logrotate
Jan 9 03:27:23 servername123 run-parts(/etc/cron.daily)[29233]: starting man-db.cron
Jan 9 03:27:23 servername123 run-parts(/etc/cron.daily)[30126]: finished man-db.cron
Jan 9 03:27:23 servername123 anacron[22631]: Job `cron.daily' terminated (produced output)
Jan 9 03:27:23 servername123 anacron[22631]: Normal exit (1 job run)
Jan 9 03:28:01 servername123 crond[536]: (root) RELOAD (/var/spool/cron/root)
Jan 9 03:30:01 servername123 CROND[30791]: (root) CMD (/usr/local/bin/svcMonitor)
Jan 9 03:30:01 servername123 CROND[30792]: (root) CMD (/usr/local/bin/svcMonitor-systemd)
Jan 9 03:30:01 servername123 CROND[30799]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan 9 03:40:01 servername123 CROND[1167]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan 9 03:45:01 servername123 CROND[2379]: (root) CMD (/usr/local/bin/svcMonitor)
Jan 9 03:45:01 servername123 CROND[2380]: (root) CMD (/usr/local/bin/svcMonitor-systemd)
mysql logs
Quote
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Uses event mutexes
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Compressed tables use zlib 1.2.7
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Using Linux native AIO
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Number of pools: 1
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Using SSE2 crc32 instructions
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Initializing buffer pool, total size = 40M, instances = 1, chunk size = 40M
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Completed initialization of buffer pool
2021-01-10 3:30:05 140584151996160 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Highest supported file format is Barracuda.
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: 128 out of 128 rollback segments are active.
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Creating shared tablespace for temporary tables
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
2021-01-10 3:30:05 140584771946688 [Note] InnoDB: 5.7.32 started; log sequence number 12347021
2021-01-10 3:30:05 140583850985216 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
2021-01-10 3:30:05 140583850985216 [Note] InnoDB: Buffer pool(s) load completed at 210110 3:30:05
2021-01-10 3:30:05 140584771946688 [Note] Plugin 'FEEDBACK' is disabled.
2021-01-10 3:30:05 140584771946688 [Note] Server socket created on IP: '::'.
2021-01-10 3:30:05 140584771946688 [Note] Reading of all Master_info entries succeeded
2021-01-10 3:30:05 140584771946688 [Note] Added new Master_info '' to hash table
2021-01-10 3:30:05 140584771946688 [Note] /usr/sbin/mysqld: ready for connections.
Version: '10.2.36-MariaDB-log' socket: '/var/lib/mysql/mysql.sock' port: 3306 MariaDB Server
2021-01-10 3:30:05 140584349431552 [Note] /usr/sbin/mysqld (initiated by: unknown): Normal shutdown
2021-01-10 3:30:05 140584349431552 [Note] Event Scheduler: Purging the queue. 0 events
2021-01-10 3:30:05 140584101639936 [Note] InnoDB: FTS optimize thread exiting.
2021-01-10 3:30:05 140584349431552 [Note] InnoDB: Starting shutdown...
2021-01-10 3:30:05 140583850985216 [Note] InnoDB: Dumping buffer pool(s) to /var/lib/mysql/ib_buffer_pool
2021-01-10 3:30:05 140583850985216 [Note] InnoDB: Buffer pool(s) dump completed at 210110 3:30:05
2021-01-10 3:30:07 140584349431552 [Note] InnoDB: Shutdown completed; log sequence number 12347040
2021-01-10 3:30:07 140584349431552 [Note] InnoDB: Removed temporary tablespace data file: "ibtmp1"
2021-01-10 3:30:07 140584349431552 [Note] /usr/sbin/mysqld: Shutdown complete
-------------logs--------------------
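The messages and cron logs quoted in this post and in the January 22 post above already contain what is needed to measure each restart and see which cron entries fired in the seconds before it. The script below is an added example, not code from the posts or from CWP: it pairs each systemd "Stopping MariaDB" line with the next "Started MariaDB" line to get the downtime, then lists the CROND commands that ran within a few seconds before each stop. It assumes the year 2021 (syslog lines carry none; the mysql log shows it) and, in the constructed sample, dates the cron lines Jan 10 so both logs describe the same night.

```python
import re
from datetime import datetime, timedelta

# Constructed sample built from the messages and cron lines quoted above; the cron
# lines are dated Jan 10 here so that both logs describe the same night.
MESSAGES_LOG = """\
Jan 10 03:30:01 servername123 systemd: Stopping MariaDB 10.2.36 database server...
Jan 10 03:30:03 servername123 systemd: Stopped MariaDB 10.2.36 database server.
Jan 10 03:30:04 servername123 systemd: Starting MariaDB 10.2.36 database server...
Jan 10 03:30:05 servername123 systemd: Started MariaDB 10.2.36 database server.
Jan 10 03:30:05 servername123 systemd: Stopping MariaDB 10.2.36 database server...
Jan 10 03:30:07 servername123 systemd: Stopped MariaDB 10.2.36 database server.
Jan 10 03:30:08 servername123 systemd: Starting MariaDB 10.2.36 database server...
Jan 10 03:30:08 servername123 systemd: Started MariaDB 10.2.36 database server.
"""
CRON_LOG = """\
Jan 10 03:27:01 servername123 anacron[22631]: Job `cron.daily' started
Jan 10 03:27:23 servername123 anacron[22631]: Normal exit (1 job run)
Jan 10 03:30:01 servername123 CROND[30791]: (root) CMD (/usr/local/bin/svcMonitor)
Jan 10 03:30:01 servername123 CROND[30792]: (root) CMD (/usr/local/bin/svcMonitor-systemd)
Jan 10 03:30:01 servername123 CROND[30799]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan 10 03:40:01 servername123 CROND[1167]: (root) CMD (/usr/lib64/sa/sa1 1 1)
"""
SYSLOG_YEAR = 2021  # syslog lines carry no year; this one is taken from the mysql log
CRON_CMD_RE = re.compile(r"CROND\[\d+\]: \((?P<user>\w+)\) CMD \((?P<cmd>.*)\)$")

def ts(line):
    """Parse the leading 'Mon DD HH:MM:SS' of a syslog line into a datetime."""
    return datetime.strptime(f"{SYSLOG_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")

def mariadb_restarts(messages):
    """Pair each 'Stopping MariaDB' with the next 'Started MariaDB' -> (stop, start, downtime_s)."""
    restarts, stopping = [], None
    for line in messages.splitlines():
        if "systemd: Stopping MariaDB" in line:
            stopping = ts(line)
        elif "systemd: Started MariaDB" in line and stopping is not None:
            started = ts(line)
            restarts.append((stopping, started, (started - stopping).total_seconds()))
            stopping = None
    return restarts

def cron_jobs_before(cron, when, window=timedelta(seconds=5)):
    """Cron CMD entries that fired within `window` before (or at) `when`."""
    hits = []
    for line in cron.splitlines():
        m = CRON_CMD_RE.search(line)
        if m and when - window <= ts(line) <= when:
            hits.append(m.group("cmd"))
    return hits

def suspects(messages, cron):
    """Per restart: (stop time ISO, downtime seconds, cron commands that ran just before it)."""
    return [(stop.isoformat(), down, cron_jobs_before(cron, stop))
            for stop, _, down in mariadb_restarts(messages)]

if __name__ == "__main__":
    for stop, down, cmds in suspects(MESSAGES_LOG, CRON_LOG):
        print(f"restart at {stop}: {down:.0f}s downtime; cron jobs just before: {cmds}")
```

Feed it the real /var/log/messages and /var/log/cron for a night with a long outage to see the actual downtime per restart and which scheduled command lines up with each one.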