Old 09-24-2011, 07:04 PM   #1
EukerVoorn
So Fucking Banned
 
Join Date: Aug 2011
Location: Les Alpes, France
Posts: 1,423
Server with "infected" ip address?

Got a new dedicated server, with cPanel and cPHulk Brute Force Protection. Immediately after the server was connected to the web at the hosting provider I started getting these messages at least 10 times a day:

Large Number of Failed Login Attempts from IP *

Does this mean they gave the server an IP address that has been used for a long time before and apparently is on some list of easily hackable servers or proxies, or does it mean that these hackers are just randomly trying to hack into servers?

I have another server with another hosting provider and I'm not getting any cPHulk warnings from there.

The problem is that during these attacks I can't log in to my server myself and I can't whitelist my IP in cPHulk because I don't have a static IP or even an IP range.
Old 09-24-2011, 07:20 PM   #2
drmadcat
Confirmed User
 
Join Date: Jun 2011
Location: in the back room wanking
Posts: 2,024
Don't use HostGator
__________________
asiamoviepass.com
Old 09-24-2011, 07:23 PM   #3
EddyTheDog
Just Doing My Own Thing
 
Join Date: Jan 2011
Location: London, Spain, New Zealand, GFY - Not Croydon...
Posts: 24,769
I am sure you will get much better ideas, but here is my 2 cents.

Buy a cheap VPN - I had to do it the other day and hidemyass.com worked ok - That should at least give an IP range so you can whitelist it and see what the fuck is happening...

Or, and I think this is best, ask your host to sort it out or at least allocate a new IP.
Old 09-24-2011, 07:28 PM   #4
BIGTYMER
Junior Achiever
 
Join Date: Nov 2004
Location: Walled Garden
Posts: 17,066
Don't worry about it. They are mostly just bots searching the web for easy targets. I get these messages almost daily.
Old 09-24-2011, 07:32 PM   #5
BIGTYMER
Junior Achiever
 
Join Date: Nov 2004
Location: Walled Garden
Posts: 17,066
Just saw the last part of your message. I haven't been locked out so I'm not sure what you should do.
Old 09-24-2011, 07:37 PM   #6
TheSquealer
BANNED
 
Join Date: Oct 2004
Location: In Your Head
Posts: 22,805
You're Paul Markham's new friend. You should know by now that only he has the correct answers to the difficult questions.
__________________
If you don't like that Elon Musk bought twitter,... just build your own and stop crying about it.
Old 09-24-2011, 07:47 PM   #7
raymor
Confirmed User
 
Join Date: Oct 2002
Posts: 3,745
Servers at large providers that sell cookie-cutter servers to DIY webmasters are common targets because the bad guys know that IP range has tons of servers that lack a qualified sysadmin. They know that the typical webmaster lacks the skills and motivation to do even significant hardening. New servers are particularly attractive because the default configuration is known and often includes weaknesses like default or empty passwords, PHP running suexec, etc.

cPHulk monitors several different daemons. Which are you getting a lot of notices for? Turn off any archives that you aren't using. For example, turn off POP3 if you aren't using your server to receive mail.

For services other than SMTP and HTTP, you can switch them to use a port other than the default and that will greatly reduce brute force attacks.

Last edited by raymor; 09-24-2011 at 07:48 PM..
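The question raymor raises in post #7 (which daemon the failed logins are aimed at) can be answered from the daemons' own log lines. The following is an added example, not part of the thread and not cPanel or cPHulk code: it assumes standard syslog-style lines from sshd, dovecot and pure-ftpd (the sample lines are constructed), tallies failed logins per service and source IP, and marks services with no successful login as candidates to turn off.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in each daemon's usual syslog style (not real traffic).
SAMPLE_LOG = """\
Sep 24 19:01:02 host sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Sep 24 19:01:04 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Sep 24 19:01:09 host sshd[2107]: Failed password for root from 198.51.100.77 port 40100 ssh2
Sep 24 19:02:00 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10
Sep 24 19:02:03 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<sales>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10
Sep 24 19:03:10 host pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Sep 24 19:05:00 host sshd[2150]: Accepted password for root from 192.0.2.200 port 50022 ssh2
"""

# (service, outcome, pattern capturing the source IP); the formats are assumptions.
PATTERNS = [
    ("ssh", "fail", re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port")),
    ("ssh", "ok", re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from (\S+) port")),
    ("pop3", "fail", re.compile(r"pop3-login: .*auth failed.*rip=([0-9a-fA-F.:]+)")),
    ("ftp", "fail", re.compile(r"pure-ftpd: \(\S*@(\S+)\) \[WARNING\] Authentication failed")),
]


def tally(log_text):
    """Return ({service: Counter(source_ip)}, {services with a successful login})."""
    fails, used = defaultdict(Counter), set()
    for line in log_text.splitlines():
        for service, outcome, rx in PATTERNS:
            m = rx.search(line)
            if m is None:
                continue
            if outcome == "fail":
                fails[service][m.group(1)] += 1
            else:
                used.add(service)
            break  # one log line belongs to one daemon
    return fails, used


def report(log_text):
    """Rows of (service, failed_logins, distinct_sources, in_use), noisiest first."""
    fails, used = tally(log_text)
    rows = [(svc, sum(ips.values()), len(ips), svc in used) for svc, ips in fails.items()]
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for svc, total, sources, in_use in report(SAMPLE_LOG):
        hint = "in use: keep and harden" if in_use else "no successful logins: candidate to turn off"
        print(f"{svc:5} failures={total} sources={sources} {hint}")
```
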
Old 09-24-2011, 09:00 PM   #8
BIGTYMER
Junior Achiever
 
Join Date: Nov 2004
Location: Walled Garden
Posts: 17,066
Yep. When I changed my SSH port I saw a 95% reduction.
Old 09-24-2011, 11:00 PM   #9
AdultKing
Raise Your Weapon
 
Join Date: Jun 2003
Location: Outback Australia
Posts: 15,602
Automated break-in attempts happen all the time, just turn email notifications off.
Old 09-25-2011, 01:24 AM   #10
leg4
Confirmed User
 
Join Date: May 2003
Location: Texas
Posts: 4,429
Msg me privately....My lil Nephew is a level4 Admin at GatorHoster.
__________________
>>> Contact me here

email me here
Old 09-25-2011, 01:29 AM   #11
sandman!
Icq: 14420613
 
Join Date: Mar 2001
Location: chicago
Posts: 15,410
lolololz
__________________
Need WebHosting ? Email me for some great deals [email protected]
Old 09-26-2011, 02:59 AM   #12
EukerVoorn
So Fucking Banned
 
Join Date: Aug 2011
Location: Les Alpes, France
Posts: 1,423
Quote:
Originally Posted by AdultKing
Automated break-in attempts happen all the time, just turn email notifications off.
Like I said, I also have a dedicated server at another location and I'm not getting notifications for that one. I just checked; cPHulkd notifications are set to high priority.

What Raymor writes makes sense though, this is a self-managed dedicated server in the biggest datacenter in Holland so it's part of a huge range of IP addresses connected to servers.

I already planned to have a sysadmin fine-tune and secure my servers, he'll start this week, after that I will turn notifications off and turn notification of successful log-ins on, just in case, and I'll change the root password from 12345 into something more difficult.

Thanks for the help dudes, it's great to be on this site.