
Server trying to ssh into itself


7 comments

  • quizknows
    That's not normal AFAIK. I'd look for any suspicious PHP scripts running, or any recently uploaded/modified. Some scripts used on hacked websites try to brute-force the local host since the firewall won't block the server's own IP for failed logins. If you get lucky and catch it ongoing, lsof -i :22 (or your SSH port) may help you find a PID to investigate.
  • Homie2
    ```
    sshd 1466 root 3u IPv4 10323 0t0 TCP *:ssh (LISTEN)
    sshd 1466 root 4u IPv6 10325 0t0 TCP *:ssh (LISTEN)
    sshd 9830 root 3r IPv4 317444 0t0 TCP oc.theochost.com:ssh->ip68-23.oc.onet:50589
    ```
    IP 68.23 is my IP... so am I hacked?
  • Homie2
    ```
    Jun 30 03:10:27 oc sshd[4520]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jun 30 03:16:16 oc sshd[1458]: Received signal 15; terminating.
    Jun 30 03:16:17 oc sshd[4520]: Exiting on signal 15
    Jun 30 03:16:17 oc sshd[4520]: pam_unix(sshd:session): session closed for user root
    Jun 30 03:17:57 oc sshd[7085]: Server listening on 0.0.0.0 port 22.
    Jun 30 03:17:57 oc sshd[7085]: Server listening on :: port 22.
    Jun 30 03:19:30 oc sshd[7779]: Accepted password for root from 68.231.221.157 port 61700 ssh2
    Jun 30 03:19:30 oc sshd[7779]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jun 30 03:27:33 oc sshd[7085]: Received signal 15; terminating.
    Jun 30 03:27:33 oc sshd[7779]: Exiting on signal 15
    Jun 30 03:27:33 oc sshd[7779]: pam_unix(sshd:session): session closed for user root
    Jun 30 03:28:39 oc sshd[1461]: Server listening on 0.0.0.0 port 22.
    Jun 30 03:28:39 oc sshd[1461]: Server listening on :: port 22.
    Jun 30 03:30:26 oc sshd[2155]: refused connect from 91.208.16.232 (91.208.16.232)
    Jun 30 05:30:00 oc atd[8992]: pam_unix(atd:session): session opened for user root by (uid=0)
    Jun 30 05:30:52 oc atd[8992]: pam_unix(atd:session): session closed for user root
    Jun 30 07:00:18 oc sshd[12028]: refused connect from 92.114.191.15 (92.114.191.15)
    Jun 30 07:00:18 oc sshd[12029]: refused connect from 92.114.191.15 (92.114.191.15)
    Jun 30 07:00:18 oc sshd[12030]: refused connect from 92.114.191.15 (92.114.191.15)
    Jun 30 07:00:18 oc sshd[12031]: refused connect from 92.114.191.15 (92.114.191.15)
    Jun 30 07:00:18 oc sshd[12032]: refused connect from 92.114.191.15 (92.114.191.15)
    Jun 30 10:01:31 oc sshd[17780]: refused connect from 1.93.27.10 (1.93.27.10)
    Jun 30 10:01:42 oc sshd[17781]: refused connect from 1.93.27.10 (1.93.27.10)
    Jun 30 16:32:35 oc sshd[25284]: refused connect from 91.208.16.232 (91.208.16.232)
    Jun 30 17:50:09 oc sshd[26741]: refused connect from 91.208.16.232 (91.208.16.232)
    Jun 30 20:11:37 oc sshd[29445]: refused connect from 198.74.116.2 (198.74.116.2)
    Jun 30 20:11:38 oc sshd[29447]: refused connect from 198.74.116.2 (198.74.116.2)
    Jun 30 20:11:39 oc sshd[29450]: refused connect from 198.74.116.2 (198.74.116.2)
    Jun 30 20:11:39 oc sshd[29451]: refused connect from 198.74.116.2 (198.74.116.2)
    Jun 30 20:11:40 oc sshd[29453]: refused connect from 198.74.116.2 (198.74.116.2)
    Jun 30 21:03:26 oc sshd[31224]: refused connect from 180.179.212.222 (180.179.212.222)
    Jun 30 21:03:26 oc sshd[31225]: refused connect from 180.179.212.222 (180.179.212.222)
    Jun 30 21:03:26 oc sshd[31226]: refused connect from 180.179.212.222 (180.179.212.222)
    Jun 30 21:03:26 oc sshd[31227]: refused connect from 180.179.212.222 (180.179.212.222)
    Jun 30 21:03:26 oc sshd[31228]: refused connect from 180.179.212.222 (180.179.212.222)
    Jun 30 22:51:01 oc sshd[2325]: refused connect from 91.208.16.232 (91.208.16.232)
    Jul 1 00:21:31 oc sshd[4515]: refused connect from 112.78.11.159 (112.78.11.159)
    Jul 1 00:21:31 oc sshd[4516]: refused connect from 112.78.11.159 (112.78.11.159)
    Jul 1 00:21:31 oc sshd[4517]: refused connect from 112.78.11.159 (112.78.11.159)
    Jul 1 00:21:31 oc sshd[4518]: refused connect from 112.78.11.159 (112.78.11.159)
    Jul 1 00:21:31 oc sshd[4519]: refused connect from 112.78.11.159 (112.78.11.159)
    Jul 1 00:45:52 oc sshd[5013]: refused connect from 88.54.56.220 (88.54.56.220)
    Jul 1 00:45:52 oc sshd[5015]: refused connect from 88.54.56.220 (88.54.56.220)
    Jul 1 00:45:52 oc sshd[5014]: refused connect from 88.54.56.220 (88.54.56.220)
    Jul 1 00:45:52 oc sshd[5016]: refused connect from 88.54.56.220 (88.54.56.220)
    Jul 1 00:45:53 oc sshd[5017]: refused connect from 88.54.56.220 (88.54.56.220)
    Jul 1 03:46:10 oc sshd[9108]: refused connect from 64.20.227.133 (64.20.227.133)
    Jul 1 05:14:31 oc sshd[12189]: refused connect from 141.105.68.102 (141.105.68.102)
    Jul 1 05:14:31 oc sshd[12190]: refused connect from 141.105.68.102 (141.105.68.102)
    Jul 1 05:14:32 oc sshd[12191]: refused connect from 141.105.68.102 (141.105.68.102)
    Jul 1 05:36:00 oc atd[16889]: pam_unix(atd:session): session opened for user root by (uid=0)
    Jul 1 05:38:26 oc atd[16889]: pam_unix(atd:session): session closed for user root
    Jul 1 06:02:45 oc sshd[1461]: Received signal 15; terminating.
    Jul 1 06:03:54 oc sshd[1466]: Server listening on 0.0.0.0 port 22.
    Jul 1 06:03:54 oc sshd[1466]: Server listening on :: port 22.
    Jul 1 09:14:30 oc sshd[7570]: refused connect from 1.93.26.26 (1.93.26.26)
    Jul 1 09:14:50 oc sshd[7579]: refused connect from 1.93.26.26 (1.93.26.26)
    Jul 1 10:16:16 oc sshd[9542]: refused connect from 113.171.10.39 (113.171.10.39)
    Jul 1 10:16:16 oc sshd[9543]: refused connect from 113.171.10.39 (113.171.10.39)
    Jul 1 10:16:17 oc sshd[9544]: refused connect from 113.171.10.39 (113.171.10.39)
    Jul 1 10:16:17 oc sshd[9545]: refused connect from 113.171.10.39 (113.171.10.39)
    Jul 1 10:16:17 oc sshd[9546]: refused connect from 113.171.10.39 (113.171.10.39)
    Jul 1 17:13:47 oc sshd[17577]: refused connect from 1.93.37.212 (1.93.37.212)
    Jul 1 17:15:58 oc sshd[17643]: refused connect from 1.93.37.212 (1.93.37.212)
    Jul 1 19:10:52 oc sshd[19577]: refused connect from 71.6.167.142 (71.6.167.142)
    Jul 1 19:10:57 oc sshd[19578]: refused connect from 71.6.167.142 (71.6.167.142)
    Jul 1 19:11:01 oc sshd[19579]: refused connect from 71.6.167.142 (71.6.167.142)
    Jul 1 22:13:51 oc sshd[23456]: refused connect from 209.159.152.202 (209.159.152.202)
    Jul 2 01:33:31 oc sshd[27453]: refused connect from 61.174.51.219 (61.174.51.219)
    Jul 2 01:33:44 oc sshd[27456]: refused connect from 61.174.51.219 (61.174.51.219)
    Jul 2 01:34:26 oc sshd[27467]: refused connect from 61.174.51.219 (61.174.51.219)
    Jul 2 03:48:45 oc sshd[30339]: refused connect from 192.99.200.88 (192.99.200.88)
    Jul 2 06:04:21 oc atd[3710]: pam_unix(atd:session): session opened for user root by (uid=0)
    Jul 2 06:05:01 oc atd[3710]: pam_unix(atd:session): session closed for user root
    Jul 2 07:08:31 oc sshd[5973]: refused connect from 71.6.165.200 (71.6.165.200)
    Jul 2 08:34:11 oc sshd[8975]: refused connect from 189.168.43.148 (189.168.43.148)
    Jul 2 09:23:03 oc sshd[10588]: refused connect from 71.6.165.200 (71.6.165.200)
    Jul 2 09:23:05 oc sshd[10590]: refused connect from 71.6.165.200 (71.6.165.200)
    Jul 2 09:23:11 oc sshd[10592]: refused connect from 71.6.165.200 (71.6.165.200)
    Jul 2 14:48:36 oc sshd[22153]: refused connect from 209.159.152.202 (209.159.152.202)
    Jul 2 16:41:04 oc sshd[26055]: refused connect from 113.171.10.20 (113.171.10.20)
    Jul 2 16:41:04 oc sshd[26056]: refused connect from 113.171.10.20 (113.171.10.20)
    Jul 2 16:41:05 oc sshd[26057]: refused connect from 113.171.10.20 (113.171.10.20)
    Jul 2 16:41:05 oc sshd[26058]: refused connect from 113.171.10.20 (113.171.10.20)
    Jul 2 16:41:06 oc sshd[26061]: refused connect from 113.171.10.20 (113.171.10.20)
    Jul 2 16:55:42 oc sshd[26296]: refused connect from 209.159.152.202 (209.159.152.202)
    Jul 2 17:50:19 oc sshd[27220]: refused connect from 1.93.26.149 (1.93.26.149)
    Jul 2 17:50:27 oc sshd[27223]: refused connect from 1.93.26.149 (1.93.26.149)
    Jul 2 19:59:47 oc sshd[31044]: refused connect from 192.99.200.88 (192.99.200.88)
    Jul 2 21:04:23 oc sshd[738]: refused connect from 198.71.58.200 (198.71.58.200)
    Jul 2 21:04:23 oc sshd[739]: refused connect from 198.71.58.200 (198.71.58.200)
    Jul 2 21:04:23 oc sshd[740]: refused connect from 198.71.58.200 (198.71.58.200)
    Jul 2 21:04:23 oc sshd[741]: refused connect from 198.71.58.200 (198.71.58.200)
    Jul 2 21:04:23 oc sshd[742]: refused connect from 198.71.58.200 (198.71.58.200)
    Jul 2 21:15:16 oc sshd[1116]: refused connect from 209.159.152.202 (209.159.152.202)
    Jul 2 22:55:14 oc sshd[3270]: refused connect from 1.93.34.228 (1.93.34.228)
    Jul 2 22:55:19 oc sshd[3272]: refused connect from 1.93.34.228 (1.93.34.228)
    Jul 2 22:55:24 oc sshd[3280]: refused connect from 1.93.34.228 (1.93.34.228)
    Jul 2 22:56:02 oc sshd[3312]: refused connect from 58.1.224.66 (58.1.224.66)
    Jul 2 22:56:02 oc sshd[3313]: refused connect from 58.1.224.66 (58.1.224.66)
    Jul 2 22:56:05 oc sshd[3314]: refused connect from 58.1.224.66 (58.1.224.66)
    Jul 2 23:36:08 oc sshd[4136]: refused connect from 107.150.39.93 (107.150.39.93)
    Jul 2 23:36:08 oc sshd[4137]: refused connect from 107.150.39.93 (107.150.39.93)
    Jul 2 23:36:08 oc sshd[4139]: refused connect from 107.150.39.93 (107.150.39.93)
    Jul 2 23:36:08 oc sshd[4138]: refused connect from 107.150.39.93 (107.150.39.93)
    Jul 2 23:36:08 oc sshd[4140]: refused connect from 107.150.39.93 (107.150.39.93)
    Jul 3 00:11:30 oc sshd[4834]: refused connect from 209.159.152.202 (209.159.152.202)
    Jul 3 00:18:18 oc sshd[4941]: refused connect from 82.221.105.6 (82.221.105.6)
    Jul 3 04:05:06 oc sshd[9830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.231.221.157 user=root
    Jul 3 04:05:08 oc sshd[9830]: Failed password for root from 68.231.221.157 port 50589 ssh2
    Jul 3 04:05:14 oc sshd[9830]: Accepted password for root from 68.231.221.157 port 50589 ssh2
    Jul 3 04:05:14 oc sshd[9830]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jul 3 04:17:22 oc groupadd[10292]: group added to /etc/group: name=rtkit, GID=494
    Jul 3 04:17:22 oc groupadd[10292]: group added to /etc/gshadow: name=rtkit
    Jul 3 04:17:22 oc groupadd[10292]: new group: name=rtkit, GID=494
    Jul 3 04:17:22 oc useradd[10297]: new user: name=rtkit, UID=495, GID=494, home=/proc, shell=/sbin/nologin
    Jul 3 04:30:24 oc sshd[9830]: pam_unix(sshd:session): session closed for user root
    Jul 3 04:30:37 oc sshd[12282]: Accepted password for root from 68.231.221.157 port 52529 ssh2
    Jul 3 04:30:37 oc sshd[12282]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jul 3 04:33:53 oc sshd[12282]: pam_unix(sshd:session): session closed for user root
    Jul 3 04:33:59 oc sshd[12437]: Accepted password for root from 68.231.221.157 port 52701 ssh2
    Jul 3 04:33:59 oc sshd[12437]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jul 3 04:34:01 oc sshd[12437]: subsystem request for sftp
    Jul 3 04:41:13 oc sshd[12437]: subsystem request for sftp
    Jul 3 05:43:41 oc sshd[12437]: pam_unix(sshd:session): session closed for user root
    Jul 3 06:05:02 oc atd[24557]: pam_unix(atd:session): session opened for user root by (uid=0)
    Jul 3 06:05:43 oc atd[24557]: pam_unix(atd:session): session closed for user root
    Jul 3 06:29:20 oc sshd[25054]: Accepted password for root from 68.231.221.157 port 59814 ssh2
    Jul 3 06:29:20 oc sshd[25054]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jul 3 06:29:21 oc sshd[25054]: subsystem request for sftp
    ```
    The only approved root access it shows is from me... but it says listening on 0.0.0.0??? Is that my server IP maybe showing up as my server IP getting denied?

    - - - Updated - - -

    What's this in my SSH log?
    ```
    Jul 1 05:36:00 oc atd[16889]: pam_unix(atd:session): session opened for user root by (uid=0)
    Jul 1 05:38:26 oc atd[16889]: pam_unix(atd:session): session closed for user root
    ```
    Why is my own server IP in the log?
    ```
    Jul 1 22:13:51 oc sshd[23456]: refused connect from 209.159.152.202 (209.159.152.202)
    ```
  • cPanelMichael
    Hello :) Have you checked to see if you have any third-party applications or plugins installed that utilize root access? It could be something that's set up as a cron job. Note: Please ensure you use the "CODE" tags when pasting a large output of data. I've completed this for you on your previous post. Thank you.
  • quizknows
    [quote="Homie2, post: 1679271"]
    sshd 1466 root 3u IPv4 10323 0t0 TCP *:ssh (LISTEN)
    sshd 1466 root 4u IPv6 10325 0t0 TCP *:ssh (LISTEN)
    sshd 9830 root 3r IPv4 317444 0t0 TCP oc.theochost.com:ssh->ip68-23.oc.onet:50589
    IP 68.23 is my IP... so am I hacked?
    [/quote]
    This is normal; it's just showing the connection that you're currently using. If you saw another connection from the server to itself, then that would be what you want to investigate. "listening on 0.0.0.0" just means that SSH listens on every IP assigned to the server. This is also normal. I would start by using ClamAV and/or Maldet to scan your public_html directories for any PHP shell scripts.
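As an added example (not code from this thread or from cPanel), a small Python triage script for the sshd log format pasted above. It reports accepted logins, counts refused connects per source, lists new accounts from useradd lines, and flags any attempt whose source is one of the server's own addresses, which is the "server connecting to itself" pattern quizknows says is the thing worth investigating. The sample log and the addresses 203.0.113.10 (standing in for the server's own IP), 198.51.100.7 and 192.0.2.5 are constructed.

```python
import re
from collections import Counter

# Patterns for the syslog-style sshd/useradd lines shown in the thread.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FAIL_RE = re.compile(r"Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
REFUSE_RE = re.compile(r"refused connect from (?P<ip>\S+)")
USERADD_RE = re.compile(r"new user: name=(?P<user>[^,]+)")

def triage(lines, own_ips):
    """Summarise sshd activity. own_ips holds the server's own addresses; any
    attempt from them is the self-connection pattern that needs a closer look."""
    own = set(own_ips) | {"127.0.0.1", "::1"}
    report = {"accepted": [], "refused": Counter(), "self_attempts": [], "new_users": []}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not a line we understand; skip it
        ts, prog, msg = m["ts"], m["prog"], m["msg"]
        if prog == "sshd":
            if a := ACCEPT_RE.search(msg):
                report["accepted"].append((ts, a["user"], a["ip"]))
                src, kind = a["ip"], "accepted"
            elif f := FAIL_RE.search(msg):
                src, kind = f["ip"], "failed"
            elif r := REFUSE_RE.search(msg):
                report["refused"][r["ip"]] += 1
                src, kind = r["ip"], "refused"
            else:
                continue                  # session open/close, listen notices, etc.
            if src in own:
                report["self_attempts"].append((ts, kind, src))
        elif prog == "useradd" and (u := USERADD_RE.search(msg)):
            report["new_users"].append((ts, u["user"]))   # new accounts deserve a look
    return report

# Constructed sample log; 203.0.113.10 plays the server's own public IP.
SAMPLE_LOG = """\
Jul  3 04:05:14 oc sshd[9830]: Accepted password for root from 198.51.100.7 port 50589 ssh2
Jul  3 04:09:01 oc sshd[9901]: Failed password for root from 203.0.113.10 port 41002 ssh2
Jul  3 04:09:03 oc sshd[9901]: Failed password for root from 203.0.113.10 port 41002 ssh2
Jul  3 04:10:00 oc sshd[9950]: refused connect from 192.0.2.5 (192.0.2.5)
Jul  3 04:10:01 oc sshd[9951]: refused connect from 192.0.2.5 (192.0.2.5)
Jul  3 04:17:22 oc useradd[10297]: new user: name=webtmp, UID=1005, GID=1005, home=/tmp, shell=/bin/bash
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, {"203.0.113.10"}))
```

Feed it the real file (for example `triage(open("/var/log/secure").readlines(), {"<your server IP>"})`) and look first at `self_attempts`: an empty list means nothing on the box was trying to log in to its own sshd during the period covered by the log.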
  • Homie2
    [quote="quizknows, post: 1680032"]This is normal; it's just showing the connection that you're currently using. If you saw another connection from the server to itself, then that would be what you want to investigate. "listening on 0.0.0.0" just means that SSH listens on every IP assigned to the server. This is also normal. I would start by using ClamAV and/or Maldet to scan your public_html directories for any PHP shell scripts.[/quote]
    Hmm, since I ran the rootkit scan and ClamAV, I'm not getting my server trying to log in to SSH anymore. It found tons of Trojans and malware in my email (ClamAV). But those viruses don't affect Linux, only Windows? Thanks
  • quizknows
    Yeah, typically you can ignore ClamAV hits in mail directories; it only really matters in most cases if the hits are in public_html.
