{"id":88,"date":"2012-07-27T14:28:57","date_gmt":"2012-07-27T14:28:57","guid":{"rendered":"http:\/\/www.buildingcubes.com\/?p=88"},"modified":"2012-07-27T14:28:57","modified_gmt":"2012-07-27T14:28:57","slug":"bruit-force-attacks-and-hacking-my-web-server","status":"publish","type":"post","link":"https:\/\/www.voodoo.business\/blog\/2012\/07\/27\/bruit-force-attacks-and-hacking-my-web-server\/","title":{"rendered":"Bruit force attacks and hacking my web server"},"content":{"rendered":"<p>My web server got hacked today, i know because my datacenter contacted me today telling me that there is a bruit force attack originating from my server to another server on a different network, so what is happening is that my server got hacked, then the hacker is using the server she hacked to hack other servers by sending FTP requests.<\/p>\n<p>So, how come i got hacked when i am so obsessed with security, well, in reality, this is just an intermediate machine that i used to run a certain script that would move my mail server, and i did not (and did not see the need) to secure it.<\/p>\n<p>What i usually do to secure my server is simply install fail2ban, in this case i did not out of lazyness but here is how i got hacked and how fail2ban would have protected me.<\/p>\n<p>Before i show you the log files, this whole problem would not happen if i had a strong password combined with fail2ban<\/p>\n<p>In the complaining partie&#8217;s log files<\/p>\n<p>Tue Jul 24 22:28:27 2012: user: hauvouuc service: ftp target: yyy.yyy.yyy.yyy source: xxx.xxx.xxx.xxx<br \/>\nTue Jul 24 22:28:27 2012: user: pkmcndgq service: ftp target: yyy.yyy.yyy.yyy source: xxx.xxx.xxx.xxx<br \/>\nTue Jul 24 22:28:27 2012: user: malumdvc1 service: ftp target: yyy.yyy.yyy.yyy source: xxx.xxx.xxx.xxx<\/p>\n<p>In my log files (auth.log):<\/p>\n<p>Many lines like the following right below each other<\/p>\n<pre>\nJul 24 18:03:08 run sshd[14229]: pam_unix(sshd:auth): check pass; user unknown\nJul 24 18:03:08 run sshd[14229]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=9.12-14-84.ripe.coltfrance.com \nJul 24 18:03:10 run sshd[14229]: Failed password for invalid user ts3 from 84.14.12.9 port 41014 ssh2\nJul 24 18:03:11 run sshd[14231]: Invalid user ts3 from 84.14.12.9\n<\/pre>\n<p>Anod some lines like this<\/p>\n<pre>\nJul 25 15:30:46 run sshd[10728]: pam_unix(sshd:auth): check pass; user unknown\nJul 25 15:30:46 run sshd[10728]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.119.29.135 \nJul 25 15:30:48 run sshd[10728]: Failed password for invalid user public from 217.119.29.135 port 34292 ssh2\nJul 25 15:30:48 run sshd[10730]: Address 217.119.29.135 maps to gamma2-7.cust.smartspb.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\nJul 25 15:30:48 run sshd[10730]: Invalid user public from 217.119.29.135\n<\/pre>\n<p>Thousands of lines like this one<\/p>\n<pre>\nJul 24 14:12:38 run sshd[2025]: error: connect_to 213.186.33.207 port 80: failed.\nJul 24 14:12:39 run sshd[2025]: error: connect_to 192.168.10.24 port 2110: failed.\nJul 24 14:12:39 run sshd[2025]: error: connect_to 195.130.65.50 port 80: failed.\n\nOR\n\nJul 24 06:41:19 run sshd[9824]: error: connect_to 213.186.33.207 port 80: failed.\nJul 24 06:41:19 run sshd[13434]: Failed password for invalid user test from 202.28.123.191 port 37830 ssh2\nJul 24 06:41:20 run sshd[9824]: error: connect_to 213.186.33.207 port 80: failed.\n<\/pre>\n<p>And more like this<\/p>\n<pre>\nJul 24 08:19:18 run sshd[20882]: pam_unix(sshd:auth): check pass; user unknown\nJul 24 08:19:18 run sshd[20882]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=puck748.server4you.de \nJul 24 08:19:21 run sshd[20882]: Failed password for invalid user kk from 85.25.235.73 port 49213 ssh2\nJul 24 08:19:21 run sshd[20884]: Invalid user css from 85.25.235.73\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>My web server got hacked today, i know because my datacenter contacted me today telling me that there is a bruit force attack originating from my server to another server on a different network, so what is happening is that my server got hacked, then the hacker is using the server she hacked to hack [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,14,1],"tags":[],"class_list":["post-88","post","type-post","status-publish","format-standard","hentry","category-linux","category-ssh","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.voodoo.business\/blog\/wp-json\/wp\/v2\/posts\/88","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.voodoo.business\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.voodoo.business\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.voodoo.business\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.voodoo.business\/blog\/wp-json\/wp\/v2\/comments?post=88"}],"version-history":[{"count":0,"href":"https:\/\/www.voodoo.business\/blog\/wp-json\/wp\/v2\/posts\/88\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.voodoo.business\/blog\/wp-json\/wp\/v2\/media?parent=88"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.voodoo.business\/blog\/wp-json\/wp\/v2\/categories?post=88"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.voodoo.business\/blog\/wp-json\/wp\/v2\/tags?post=88"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}