Bruteforce attack made through my server

Support for security such as Firewalls and securing linux
stripie
Posts: 6
Joined: 2021/12/07 03:21:00

Bruteforce attack made through my server

Post by stripie » 2022/12/21 16:48:47

I received an email that an attack was made from my server in an attempt to bruteforce SSH passwords. There were no logins made to my system so I'm trying to figure out what other ways it might have happened. My server is running Apache, PHP, MySQL, and Tomcat. Any help would be appreciated.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bruteforce attack made through my server

Post by TrevorH » 2022/12/21 17:14:35

Do you have logs showing the attack and when it was?

It's possible that your server has been compromised so you should look for signs of it. Depending on the competency of the compromiser, there may be signs of it in the output from last -200 (shows the last 200 logins), or in /var/log/messages, /var/log/secure and/or in your http log files under /var/log/httpd by default.

If last -200 shows unknown logins as root from some ip address that is not yours then you will need to backup all your data and reinstall from scratch and restore it afterwards. There is no recovery from a root level compromise.

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

stripie
Posts: 6
Joined: 2021/12/07 03:21:00

Re: Bruteforce attack made through my server

Post by stripie » 2022/12/21 17:40:49

TrevorH wrote:
2022/12/21 17:14:35
Do you have logs showing the attack and when it was?

It's possible that your server has been compromised so you should look for signs of it. Depending on the competency of the compromiser, there may be signs of it in the output from last -200 (shows the last 200 logins), or in /var/log/messages, /var/log/secure and/or in your http log files under /var/log/httpd by default.

If last -200 shows unknown logins as root from some ip address that is not yours then you will need to backup all your data and reinstall from scratch and restore it afterwards. There is no recovery from a root level compromise.
No, I haven't found anything in logs. From the logs, there were no successful login attempts made.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bruteforce attack made through my server

Post by TrevorH » 2022/12/21 18:21:38

I meant logs from whoever told you about this so that you know what date/time to be looking at.

stripie
Posts: 6
Joined: 2021/12/07 03:21:00

Re: Bruteforce attack made through my server

Post by stripie » 2022/12/21 18:27:21

TrevorH wrote:
2022/12/21 18:21:38
I meant logs from whoever told you about this so that you know what date/time to be looking at.
Yes, I do have that; I wasn't able to find anything in the system logs around that time.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bruteforce attack made through my server

Post by TrevorH » 2022/12/21 18:58:50

So what is the output from last -200 - is there any at all? If there is no output then it's also just as indicative of a root level compromise as entries around the right time. What it should list is all the logins in reverse chronological order. If there are none or only a few starting relatively recently then it might indicate that someone has broken in and zeroed it out to cover their tracks. Also check to see if you have more than one /var/log/wtmp* file as they get rotated and older ones might be named differently.

stripie
Posts: 6
Joined: 2021/12/07 03:21:00

Re: Bruteforce attack made through my server

Post by stripie » 2022/12/21 19:25:05

TrevorH wrote:
2022/12/21 18:58:50
So what is the output from last -200 - is there any at all? If there is no output then it's also just as indicative of a root level compromise as entries around the right time. What it should list is all the logins in reverse chronological order. If there are none or only a few starting relatively recently then it might indicate that someone has broken in and zeroed it out to cover their tracks. Also check to see if you have more than one /var/log/wtmp* file as they get rotated and older ones might be named differently.
Sorry my previous comment wasn't clear. I meant that there were no login attempts that weren't mine. The output was just my previous logins, last one was about a day ago.

Whoever
Posts: 1361
Joined: 2013/09/06 03:12:10

Re: Bruteforce attack made through my server

Post by Whoever » 2022/12/21 21:53:05

stripie wrote:
2022/12/21 19:25:05
Sorry my previous comment wasn't clear. I meant that there were no login attempts that weren't mine. The output was just my previous logins, last one was about a day ago.
You need to look for signs that the webserver process has been compromised and used for the SSH attacks. Does your system have SELinux in enforcing mode? If not, you should probably enable that now.
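A triage script that runs the checks suggested in this thread (added example, not code posted by anyone here): it flags `last` records outside an allow-list, lists rotated wtmp files, reports processes under the web service accounts that are not the server binaries, and checks SELinux mode. The admin user names, the IP address and the account lists are placeholders to edit.

```bash
#!/bin/bash
# Added triage helper, not posted by anyone in this thread. It runs the checks
# suggested above: unexpected entries in `last`, rotated /var/log/wtmp* files,
# processes under the web service accounts that are not the server binaries,
# and SELinux mode. Parsers read command output from stdin so they can be
# tested against constructed sample output. Allow-lists are placeholders.

# Print `last` records whose user is not in $1 or whose source host is not in
# $2 (comma-separated lists). Reboot/shutdown records and the footer are skipped.
unexpected_logins() {
  awk -v users=",$1," -v ips=",$2," '
    NF == 0 || $1 == "reboot" || $1 == "shutdown" || /^[bw]tmp begins/ { next }
    {
      # a weekday in field 3 means a local tty login with no host column
      host = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "local" : $3
      if (index(users, "," $1 ",") == 0 ||
          (host != "local" && index(ips, "," host ",") == 0)) print
    }'
}

# List rotated login records; older ones can be read with `last -f FILE`.
wtmp_files() { ls "$1"/wtmp* 2>/dev/null; }

# Print processes owned by an account in $1 whose command is not in $2
# (comma-separated). Input: output of `ps -eo user=,pid=,comm=`.
foreign_web_processes() {
  awk -v users=",$1," -v cmds=",$2," '
    NF >= 3 && index(users, "," $1 ",") && index(cmds, "," $3 ",") == 0'
}

selinux_enforcing() { [ "$(getenforce 2>/dev/null)" = "Enforcing" ]; }

# Live run (placeholder names: adjust the admin users, known IPs and accounts).
if [ "${1:-}" = "--live" ]; then
  echo "== logins by users or hosts outside the allow-list =="
  last -200 -i | unexpected_logins "root,stripie" "203.0.113.5"
  echo "== wtmp files (check each rotated one with last -f) =="
  wtmp_files /var/log
  echo "== web-account processes that are not httpd/java =="
  ps -eo user=,pid=,comm= | foreign_web_processes "apache,tomcat" "httpd,java"
  selinux_enforcing || echo "SELinux is not enforcing: set SELINUX=enforcing in /etc/selinux/config"
fi
```

Run it as `./triage.sh --live` on the server; any line under the first or third heading is something to explain before trusting the box.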
