#2
Posted on 2008-11-23 05:12
Reply to post #1 by Kevin
Does this logwatch seem concerning?
Quote:
################### LogWatch 5.2.2 (06/23/04) ####################
Processing Initiated: Wed Jan 24 04:02:03 2007
Date Range Processed: yesterday
Detail Level of Output: 0
Logfiles for Host: server1.egomzez.com
--------------------- Kernel Begin ------------------------
Logged 871 packets on interface eth0
From 24.64.180.61 - 3 packets to udp(1026,1027,1028)
From 24.138.132.242 - 2 packets to tcp(2100)
From 24.153.204.41 - 1 packet to icmp(0)
From 58.158.35.114 - 2 packets to icmp(0)
From 61.28.129.17 - 2 packets to icmp(0)
From 61.98.229.186 - 2 packets to icmp(0)
From 61.180.228.242 - 1 packet to udp(1027)
From 62.116.180.6 - 2 packets to tcp(41222)
From 63.165.104.6 - 2 packets to tcp(2967)
From 63.175.152.104 - 2 packets to icmp(0)
From 63.237.219.166 - 3 packets to tcp(2967)
From 64.4.111.18 - 1 packet to tcp(2968)
From 64.6.196.132 - 1 packet to tcp(2968)
From 64.8.225.20 - 1 packet to tcp(2968)
From 64.16.62.83 - 3 packets to tcp(2967)
From 64.25.182.98 - 2 packets to tcp(2967)
From 64.31.140.59 - 2 packets to tcp(2967)
From 64.31.246.61 - 4 packets to tcp(2967,5900)
From 64.32.207.246 - 4 packets to tcp(2967,5900)
From 64.33.187.84 - 3 packets to tcp(2967,5900)
From 64.33.225.215 - 2 packets to tcp(2967)
From 64.33.229.64 - 2 packets to tcp(2967)
From 64.33.229.216 - 1 packet to tcp(2967)
From 64.33.230.171 - 2 packets to tcp(2967)
From 64.33.231.14 - 1 packet to tcp(2967)
From 64.34.95.12 - 4 packets to tcp(1089)
From 64.34.165.235 - 1 packet to udp(1434)
From 64.34.165.236 - 1 packet to udp(1434)
From 64.34.197.201 - 15 packets to udp(38293)
From 64.34.197.202 - 3 packets to udp(1434)
From 64.34.197.219 - 25 packets to tcp(3313,4863,62849,2775,4972,11791,60710,2656,16957,1955,27934)
From 64.34.197.228 - 22 packets to udp(6514)
From 64.34.197.234 - 8 packets to udp(1434)
From 64.34.197.250 - 1 packet to udp(1434)
From 64.34.197.254 - 16 packets to udp(1434,38293)
From 64.34.201.84 - 1 packet to udp(1434)
From 64.34.201.97 - 25 packets to udp(6514)
From 64.34.201.101 - 6 packets to udp(1434)
From 64.34.201.120 - 3 packets to udp(1434)
From 64.129.13.102 - 1 packet to tcp(2967)
From 64.134.30.31 - 1 packet to tcp(2967)
From 64.134.122.47 - 2 packets to tcp(2967)
From 64.136.161.106 - 1 packet to tcp(2968)
From 64.136.242.82 - 1 packet to tcp(2967)
From 64.179.109.150 - 1 packet to tcp(5900)
From 64.203.136.12 - 1 packet to tcp(2967)
From 65.36.71.108 - 1 packet to udp(1026)
From 65.44.37.189 - 1 packet to udp(1026)
From 65.49.25.54 - 1 packet to udp(1026)
From 65.54.233.133 - 1 packet to udp(1026)
From 65.68.253.124 - 1 packet to udp(1026)
From 65.70.184.185 - 1 packet to udp(1026)
From 65.71.81.190 - 1 packet to udp(1026)
From 65.83.209.68 - 1 packet to udp(1026)
From 65.98.119.228 - 1 packet to udp(1026)
From 65.119.65.150 - 1 packet to udp(1026)
From 65.119.145.58 - 1 packet to udp(1026)
From 65.123.174.232 - 1 packet to udp(1026)
From 65.124.253.135 - 1 packet to udp(1026)
From 65.127.37.3 - 1 packet to udp(1026)
From 65.131.191.144 - 1 packet to udp(1026)
From 65.135.133.184 - 1 packet to udp(1026)
From 65.161.157.239 - 1 packet to udp(1026)
From 65.166.44.113 - 1 packet to udp(1026)
From 65.170.230.128 - 1 packet to udp(1026)
From 65.182.252.221 - 1 packet to udp(1026)
From 65.254.254.50 - 6 packets to tcp(40311,41478,41546)
From 65.254.254.51 - 2 packets to tcp(41475)
From 65.254.254.52 - 2 packets to tcp(40324)
From 65.254.254.53 - 6 packets to tcp(40754,41865,42103)
From 65.254.254.54 - 2 packets to tcp(40334)
From 65.254.254.55 - 8 packets to tcp(41543,41825,41843,41859)
From 65.254.254.57 - 2 packets to tcp(41980)
From 66.29.45.248 - 2 packets to tcp(41921)
From 66.42.162.8 - 2 packets to icmp(0)
From 66.111.4.70 - 2 packets to tcp(40417)
From 66.111.4.71 - 8 packets to tcp(40415,40416,40442,41369)
From 66.249.83.27 - 1 packet to tcp(41573)
From 66.249.83.114 - 1 packet to tcp(42286)
From 69.26.178.192 - 3 packets to tcp(41398)
From 69.59.17.25 - 2 packets to tcp(40305)
From 69.158.251.247 - 2 packets to icmp(0)
From 70.98.54.37 - 2 packets to tcp(41971)
From 71.6.187.38 - 2 packets to tcp(41105)
From 71.223.174.3 - 2 packets to icmp(0)
From 90.240.3.228 - 1 packet to tcp(4899)
From 124.52.171.106 - 2 packets to icmp(0)
From 124.165.184.187 - 2 packets to icmp(0)
From 148.244.235.4 - 3 packets to icmp(0)
From 155.212.20.178 - 2 packets to tcp(32000)
From 172.21.1.35 - 1 packet to tcp(40636)
From 172.21.8.7 - 1 packet to tcp(41726)
From 172.21.12.26 - 1 packet to tcp(40054)
From 172.21.12.38 - 1 packet to tcp(40913)
From 172.21.134.13 - 1 packet to tcp(42309)
From 172.21.134.16 - 1 packet to tcp(41575)
From 172.21.134.17 - 1 packet to tcp(41481)
From 172.21.134.20 - 1 packet to tcp(42308)
From 172.21.134.38 - 1 packet to tcp(42302)
From 172.21.134.39 - 1 packet to tcp(41763)
From 172.21.135.10 - 1 packet to tcp(40764)
From 172.21.135.12 - 1 packet to tcp(40784)
From 172.21.135.13 - 1 packet to tcp(41595)
From 172.21.135.18 - 2 packets to tcp(40770,41574)
From 189.152.5.37 - 2 packets to icmp(0)
From 193.135.56.218 - 2 packets to tcp(41193)
From 195.244.198.197 - 2 packets to tcp(41319)
From 200.226.57.205 - 2 packets to icmp(0)
From 200.227.69.128 - 1 packet to icmp(0)
From 201.161.147.6 - 2 packets to icmp(0)
From 201.165.4.112 - 2 packets to icmp(0)
From 202.99.172.175 - 4 packets to udp(1028,1030,4081)
From 203.113.146.76 - 2 packets to icmp(0)
From 204.16.209.110 - 2 packets to udp(1026,1027)
From 204.16.209.120 - 1 packet to udp(1026)
From 204.16.209.130 - 1 packet to udp(1026)
From 204.16.209.140 - 5 packets to udp(1026,1027)
From 204.16.209.159 - 5 packets to udp(1026,1027)
From 204.16.210.20 - 78 packets to udp(1026,1027)
From 204.16.210.30 - 53 packets to udp(1026,1027)
From 204.16.210.42 - 167 packets to udp(1026,1027)
From 204.16.210.50 - 4 packets to udp(1026,1027)
From 204.16.210.60 - 3 packets to udp(1026,1027)
From 204.16.210.70 - 40 packets to udp(1026,1027)
From 204.16.210.130 - 9 packets to udp(1026,1027)
From 204.16.210.150 - 14 packets to udp(1026,1027)
From 204.16.210.202 - 58 packets to udp(1026,1027)
From 204.16.210.204 - 3 packets to udp(1026,1027)
From 204.16.210.207 - 62 packets to udp(1026,1027)
From 206.111.17.226 - 2 packets to tcp(2100)
From 207.190.204.212 - 3 packets to tcp(40756)
From 209.60.61.227 - 2 packets to tcp(5900)
From 209.213.12.167 - 2 packets to tcp(40777)
From 210.55.80.80 - 2 packets to icmp(0)
From 212.17.71.190 - 2 packets to icmp(0)
From 212.227.15.134 - 6 packets to tcp(41113,41219,41331)
From 212.227.15.169 - 4 packets to tcp(41074,41851)
From 212.227.15.186 - 4 packets to tcp(41191,41280)
From 213.166.4.219 - 2 packets to tcp(41238)
From 216.75.3.207 - 2 packets to tcp(40188)
From 216.130.85.3 - 2 packets to tcp(2967)
From 217.160.226.100 - 4 packets to tcp(41110,41253)
From 218.27.194.66 - 9 packets to udp(1026,1027)
From 218.201.150.21 - 2 packets to tcp(7212)
From 219.91.70.213 - 3 packets to tcp(1080)
From 221.124.21.109 - 2 packets to icmp(0)
From 222.170.90.104 - 1 packet to tcp(8080)
From 222.215.119.37 - 1 packet to udp(1032)
---------------------- Kernel End -------------------------
--------------------- Connections (secure-log) Begin ------------------------
**Unmatched Entries**
Cp-Wrap[9135]: Pushing "544 RESELLERSUSERS smyrc " to '/usr/local/cpanel/bin/reselleradmin' for UID: 544
Cp-Wrap[9135]: CP-Wrapper terminated without error
Cp-Wrap[9138]: Pushing "544 GETDOMAINIP smyrc.org " to '/usr/local/cpanel/bin/apacheadmin' for UID: 544
Cp-Wrap[9138]: CP-Wrapper terminated without error
Cp-Wrap[9141]: Pushing "544 LISTSUBDOMAINS 0 " to '/usr/local/cpanel/bin/apacheadmin' for UID: 544
Cp-Wrap[9141]: CP-Wrapper terminated without error
Cp-Wrap[9144]: Pushing "544 LISTMULTIPARKED 0 " to '/usr/local/cpanel/bin/apacheadmin' for UID: 544
Cp-Wrap[9144]: CP-Wrapper terminated without error
Cp-Wrap[9147]: Pushing "544 COUNTDBS" to '/usr/local/cpanel/bin/mysqladmin' for UID: 544
Cp-Wrap[9147]: CP-Wrapper terminated without error
Cp-Wrap[9150]: Pushing "544 LISTDBS" to '/usr/local/cpanel/bin/postgresadmin' for UID: 544
Cp-Wrap[9150]: CP-Wrapper terminated without error
Cp-Wrap[9154]: Pushing "544 GETDISK" to '/usr/local/cpanel/bin/mysqladmin' for UID: 544
Cp-Wrap[9154]: CP-Wrapper terminated without error
Cp-Wrap[10139]: Pushing "544 RESELLERSUSERS smyrc " to '/usr/local/cpanel/bin/reselleradmin' for UID: 544
Cp-Wrap[10139]: CP-Wrapper terminated without error
Cp-Wrap[10141]: Pushing "544 COUNTDBS" to '/usr/local/cpanel/bin/mysqladmin' for UID: 544
Cp-Wrap[10141]: CP-Wrapper terminated without error
Cp-Wrap[10144]: Pushing "544 LISTDBS" to '/usr/local/cpanel/bin/postgresadmin' for UID: 544
Cp-Wrap[10144]: CP-Wrapper terminated without error
Cp-Wrap[10147]: Pushing "544 GETDISK" to '/usr/local/cpanel/bin/mysqladmin' for UID: 544
Cp-Wrap[10147]: CP-Wrapper terminated without error
Cp-Wrap[10366]: Pushing "544 RESELLERSUSERS smyrc " to '/usr/local/cpanel/bin/reselleradmin' for UID: 544
Cp-Wrap[10366]: CP-Wrapper terminated without error
Cp-Wrap[10368]: Pushing "544 COUNTDBS" to '/usr/local/cpanel/bin/mysqladmin' for UID: 544
A:
It looks like someone with access to a botnet is scanning your machine for the available ports, or a large number of infected machines out there are doing it without working together. I would be concerned about this, but I wouldn't think it is an emergency. My first step would be to put a software firewall on the machine to only allow the ports you need. I may also look at the running processes to see if any look "funny". You could also run a rootkit detection program if you are paranoid.
A1:
Quote:
Originally Posted by egomzez
I installed csf firewall and security. But I am not sure how I specify to drop these.
That's a great start. Now you'll need to spend some time tweaking your settings for it. I think the setting you want is this one, near the top of the config page.
# Enable logging of dropped connections to blocked IP addresses in csf.deny or
# by lfd with temporary connection tracking blocks
DROP_IP_LOGGING
Set that to 0
As for ports, CSF is setup with default ports you'd need to have open for cpanel.