Bruteforce attack made through my server

Support for security such as Firewalls and securing linux
Post Reply
stripie
Posts: 6
Joined: 2021/12/07 03:21:00

Bruteforce attack made through my server

Post by stripie » 2022/12/21 16:48:47

I received an email that a attack was made from my server in an attempt to bruteforce SSH passwords. There were no logins made to my system so I'm trying to figure out what other ways it might have happened. My server is running Apache, PHP, MySQL, and Tomcat. Any help would be appreciated.

User avatar
TrevorH
Site Admin
Posts: 33262
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bruteforce attack made through my server

Post by TrevorH » 2022/12/21 17:14:35

Do you have logs showing the attack and when it was?

It's possible that your server has been compromised so you should look for signs of it. Depending on the competency of the compromiser, there may be signs of it in the output from last -200 (shows the last 200 logins), or in /var/log/messages, /var/log/secure and/or in your http log files under /var/log/httpd by default.

If last -200 shows unknown logins as root from some ip address that is not yours then you will need to backup all your data and reinstall from scratch and restore it afterwards. There is no recovery from a root level compromise.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

stripie
Posts: 6
Joined: 2021/12/07 03:21:00

Re: Bruteforce attack made through my server

Post by stripie » 2022/12/21 17:40:49

TrevorH wrote:
2022/12/21 17:14:35
Do you have logs showing the attack and when it was?

It's possible that your server has been compromised so you should look for signs of it. Depending on the competency of the compromiser, there may be signs of it in the output from last -200 (shows the last 200 logins), or in /var/log/messages, /var/log/secure and/or in your http log files under /var/log/httpd by default.

If last -200 shows unknown logins as root from some ip address that is not yours then you will need to backup all your data and reinstall from scratch and restore it afterwards. There is no recovery from a root level compromise.
No, I haven't found anything in logs. From the logs, there were no successful login attempts made.

User avatar
TrevorH
Site Admin
Posts: 33262
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bruteforce attack made through my server

Post by TrevorH » 2022/12/21 18:21:38

I meant logs from whoever told you about this so that you know what date/time to be looking at.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

stripie
Posts: 6
Joined: 2021/12/07 03:21:00

Re: Bruteforce attack made through my server

Post by stripie » 2022/12/21 18:27:21

TrevorH wrote:
2022/12/21 18:21:38
I meant logs from whoever told you about this so that you know what date/time to be looking at.
Yes I do have that, I wasn't able to find anything in the system logs around that time.

User avatar
TrevorH
Site Admin
Posts: 33262
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bruteforce attack made through my server

Post by TrevorH » 2022/12/21 18:58:50

So what is the output from last -200 - is there any at all? If there is no output then it's also just as indicative of a root level compromise than entries around the right time. What it should list is all the logins in reverse chronological order. If there are none or only a few starting relatively recently then it might indicate that someone has broken in and zeroed it out to cover their tracks. Also hceck to see if you have more than one /var/log/wtmp* file as they get rotated and older ones might be named differently.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

stripie
Posts: 6
Joined: 2021/12/07 03:21:00

Re: Bruteforce attack made through my server

Post by stripie » 2022/12/21 19:25:05

TrevorH wrote:
2022/12/21 18:58:50
So what is the output from last -200 - is there any at all? If there is no output then it's also just as indicative of a root level compromise than entries around the right time. What it should list is all the logins in reverse chronological order. If there are none or only a few starting relatively recently then it might indicate that someone has broken in and zeroed it out to cover their tracks. Also hceck to see if you have more than one /var/log/wtmp* file as they get rotated and older ones might be named differently.
Sorry my previous comment wasn't clear. I meant that there were no login attempts that weren't mine. The output was just my previous logins, last one was about a day ago.

Whoever
Posts: 1363
Joined: 2013/09/06 03:12:10

Re: Bruteforce attack made through my server

Post by Whoever » 2022/12/21 21:53:05

stripie wrote:
2022/12/21 19:25:05


Sorry my previous comment wasn't clear. I meant that there were no login attempts that weren't mine. The output was just my previous logins, last one was about a day ago.
You need to look for signs that the webserver process has been compromised and used for the SSH attacks. Does your system have SELinux in enforcing mode? If not, you should probably enable that now.

Post Reply