Identifying attacks


Hi,

About a month ago I put together some old junk and built myself a little server that I use for my own FTP, mldonkey and for learning a bit about Linux, running Ubuntu server 6.10. The router forwards some ports to that server, namely:

mldonkey 4080 4080 TCP 4080 4080 192.168.1.100
Web Server (HTTP) 80 80 TCP 80 80 192.168.1.100
FTP Server 21 21 TCP 21 21 192.168.1.100
Secure Shell Server (SSH) 22 22 TCP 22 22 192.168.1.100
BitTorrent 6881 6882 TCP 6881 6882 192.168.1.100

I installed ddclient so that it keeps some domains pointed at the dynamic IP on zoneedit.

The thing is that, looking through the apache logs, I found some strange entries, such as:

218.150.109.102 - - [21/Feb/2007:03:55:33 +0100] "GET http://p2.mumu.pp.ru/index.htm HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
211.100.33.61 - - [15/Feb/2007:19:55:06 +0100] "GET http://check.87.218.186.110.v.80.pdx8.super.proxy.scanner.ii.9966.org/Pr... HTTP/1.1" 404 349 "-" "-"

in apache's access.log, and I'm not sure what they are.
Also the following entries:

Feb 20 14:03:31 pandora sshd[10554]: Did not receive identification string from 61.19.32.237
Feb 20 14:06:12 pandora sshd[10555]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.19.32.237 user=root
Feb 20 14:06:14 pandora sshd[10555]: Failed password for root from 61.19.32.237 port 52422 ssh2
Feb 20 14:06:17 pandora sshd[10557]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.19.32.237 user=root
Feb 20 14:06:18 pandora sshd[10557]: Failed password for root from 61.19.32.237 port 48127 ssh2
Feb 20 14:06:21 pandora sshd[10559]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.19.32.237 user=root
.......
Feb 20 14:08:54 pandora sshd[10615]: Failed password for root from 61.19.32.237 port 51347 ssh2
Feb 20 14:08:57 pandora sshd[10617]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.19.32.237 user=root
Feb 20 14:09:00 pandora sshd[10617]: Failed password for root from 61.19.32.237 port 53273 ssh2
Feb 20 14:09:01 pandora CRON[10621]: (pam_unix) session opened for user root by (uid=0)
Feb 20 14:09:02 pandora CRON[10621]: (pam_unix) session closed for user root
Feb 20 14:09:03 pandora sshd[10619]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.19.32.237 user=root
Feb 20 14:09:05 pandora sshd[10619]: Failed password for root from 61.19.32.237 port 54752 ssh2
Feb 20 14:09:08 pandora sshd[10628]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.19.32.237 user=root

in auth.log, which look to me like ssh attempts using root as the user. There are others:

Feb 24 19:36:56 pandora sshd[7855]: (pam_unix) check pass; user unknown
Feb 24 19:36:56 pandora sshd[7855]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.182.211.181
Feb 24 19:36:58 pandora sshd[7855]: Failed password for invalid user test from 61.182.211.181 port 38382 ssh2
Feb 24 19:37:02 pandora sshd[7857]: Invalid user guest from 61.182.211.181
Feb 24 19:37:02 pandora sshd[7857]: (pam_unix) check pass; user unknown
Feb 24 19:37:02 pandora sshd[7857]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.182.211.181
Feb 24 19:37:04 pandora sshd[7857]: Failed password for invalid user guest from 61.182.211.181 port 38627 ssh2
Feb 24 19:37:08 pandora sshd[7859]: Invalid user admin from 61.182.211.181

with other users.

I have installed and run chkrootkit, and it only reports bindshell infected port 4000, but according to the documentation that is a normal false positive if mldonkey is installed.

How can I tell whether there is anything to worry about?

Regards,

Carlos
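The two log excerpts in the post show the usual pattern behind the question: sshd "Failed password" lines for root and for nonexistent accounts (test, guest, admin) from the same source, and Apache requests whose target is an absolute URL (a probe to see whether the web server acts as an open proxy). The script below is an added example, not code from the post or from Carlos; it parses lines in the same format as the excerpts and answers the practical question: which sources are brute-forcing SSH, which account names are being guessed, whether the web server is being probed as a proxy, and, the decisive check, whether any source that failed repeatedly ever got an "Accepted" login. All IPs, PIDs and the log samples are constructed for the example (documentation ranges, not the addresses in the post).

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the post's auth.log excerpt (addresses are
# documentation ranges, not the ones in the post). The last line is a deliberately
# constructed success from a brute-forcing source, to show what a real hit looks like.
AUTH_LOG = """\
Feb 20 14:06:14 pandora sshd[10555]: Failed password for root from 192.0.2.10 port 52422 ssh2
Feb 20 14:06:18 pandora sshd[10557]: Failed password for root from 192.0.2.10 port 48127 ssh2
Feb 20 14:06:22 pandora sshd[10559]: Failed password for root from 192.0.2.10 port 49001 ssh2
Feb 20 14:06:26 pandora sshd[10561]: Failed password for root from 192.0.2.10 port 49310 ssh2
Feb 20 14:09:01 pandora CRON[10621]: (pam_unix) session opened for user root by (uid=0)
Feb 24 19:36:56 pandora sshd[7855]: Invalid user test from 198.51.100.7
Feb 24 19:36:58 pandora sshd[7855]: Failed password for invalid user test from 198.51.100.7 port 38382 ssh2
Feb 24 19:37:02 pandora sshd[7857]: Invalid user guest from 198.51.100.7
Feb 24 19:37:04 pandora sshd[7857]: Failed password for invalid user guest from 198.51.100.7 port 38627 ssh2
Feb 24 20:00:00 pandora sshd[7900]: Accepted password for carlos from 203.0.113.5 port 40000 ssh2
Feb 20 14:10:00 pandora sshd[10640]: Accepted password for root from 192.0.2.10 port 55000 ssh2
"""

# Constructed sample in the format of the post's access.log excerpt.
ACCESS_LOG = """\
192.0.2.200 - - [21/Feb/2007:03:55:33 +0100] "GET http://example.invalid/index.htm HTTP/1.0" 404 296 "-" "Mozilla/4.0"
203.0.113.5 - - [21/Feb/2007:04:00:00 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# Common log format: client ip, ident, user, [timestamp], "METHOD target HTTP/x"
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) ')


def ssh_failures(lines):
    """Return {source_ip: Counter(username -> failed attempts)}.

    Only 'Failed password' lines are counted. sshd also logs a separate
    'Invalid user X' line for each guess at a nonexistent account, so counting
    both would double-count those attempts.
    """
    per_ip = defaultdict(Counter)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            per_ip[m["ip"]][m["user"]] += 1
    return per_ip


def brute_force_sources(lines, threshold=3):
    """Sources with at least `threshold` failed logins, busiest first."""
    totals = [(ip, sum(users.values())) for ip, users in ssh_failures(lines).items()]
    return sorted((t for t in totals if t[1] >= threshold), key=lambda t: (-t[1], t[0]))


def guessed_accounts(lines):
    """Usernames tried that do not exist on the host (the 'invalid user' ones)."""
    names = {m["user"] for m in map(FAILED_RE.search, lines) if m and m["invalid"]}
    return sorted(names)


def compromise_indicators(lines):
    """Sources that failed repeatedly AND later had an 'Accepted' login.

    A flood of failures alone is background noise on any Internet-facing sshd;
    a success from the same source is the line that warrants an incident.
    """
    failing = set(ssh_failures(lines))
    accepted = {m["ip"] for m in map(ACCEPTED_RE.search, lines) if m}
    return sorted(failing & accepted)


def proxy_probes(lines):
    """Client IPs that requested an absolute URL, i.e. tested the server as an open proxy."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and re.match(r"https?://", m["target"]):
            hits.append(m["ip"])
    return hits


if __name__ == "__main__":
    auth = AUTH_LOG.splitlines()
    print("brute-force sources:", brute_force_sources(auth))
    print("guessed accounts:", guessed_accounts(auth))
    print("failed-then-accepted:", compromise_indicators(auth))
    print("open-proxy probes:", proxy_probes(ACCESS_LOG.splitlines()))
```

On a real host the same functions can be fed `open("/var/log/auth.log")` and `open("/var/log/apache2/access.log")`. The output of `compromise_indicators` is the one that decides whether there is something to worry about: an empty list means the guessing never succeeded; any address in it means a password was accepted from a source that had been hammering the service, and that login should be traced through the rest of the logs (including the cron and session lines) before anything else.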
