Posted this last night to https://www.centos.org/modules/newbb/viewtopic.php?topic_id=25614&start=0#forumpost103783 as it’s not a Virtualmin issue per se, but not had a response yet.
During a routine look at my server's logs I noticed that on April 1st I had 3 successful login attempts to root that weren't me (I'm the only person that has access to the server).
The IP address for each attempt is from Turkey, checking the logs for 78.160 gives:
Mar 15 10:59:41 servername### sshd[23980]: reverse mapping checking getaddrinfo for dsl78.160-27118.ttnet.net.tr failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 15 11:00:35 servername### sshd[24004]: reverse mapping checking getaddrinfo for dsl78.160-27118.ttnet.net.tr failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 15 11:00:58 servername### sshd[24004]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=78.160.105.238 user=root
Mar 15 11:01:00 servername### sshd[24004]: Failed password for root from 78.160.105.238 port 4603 ssh2
Mar 15 11:02:59 servername### sshd[24474]: reverse mapping checking getaddrinfo for dsl78.160-27118.ttnet.net.tr failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 15 11:02:59 servername### sshd[24474]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=78.160.105.238 user=root
Mar 15 11:03:02 servername### sshd[24474]: Failed password for root from 78.160.105.238 port 4624 ssh2
Mar 15 11:03:15 servername### sshd[24475]: Connection closed by 78.160.105.238
Mar 15 11:03:15 servername### sshd[24474]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=78.160.105.238 user=root
Apr 1 02:21:16 servername### sshd[8266]: reverse mapping checking getaddrinfo for dsl78.160-30835.ttnet.net.tr failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 1 02:25:35 servername### sshd[8407]: reverse mapping checking getaddrinfo for dsl78.160-30835.ttnet.net.tr failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 1 02:25:35 servername### sshd[8407]: Accepted password for root from 78.160.120.115 port 4090 ssh2
Apr 1 02:53:17 servername### sshd[9232]: reverse mapping checking getaddrinfo for dsl78.160-29042.ttnet.net.tr failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 1 02:53:17 servername### sshd[9232]: Accepted password for root from 78.160.113.114 port 1567 ssh2
Apr 1 03:11:54 servername### sshd[10282]: reverse mapping checking getaddrinfo for dsl78.160-31884.ttnet.net.tr failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 1 03:11:54 servername### sshd[10282]: Accepted password for root from 78.160.124.140 port 2538 ssh2
You can see the 3 successful attempts and the related break-in attempts which apparently worked!
I guess that means I have a security hole, but I don’t know enough about server security to track it down.
Dedicated server runs CentOS 5.4 and Virtualmin 3.77 GPL. I keep the server regularly up to date via Virtualmin's built-in upgrade facility.
I regularly change the root password, last time was early Feb (and just now) and it’s random with special characters (no way it would be guessed).
I’ve only just discovered this problem and nothing jumps out as changed on the server. Ran chkrootkit and don’t see anything that jumps out.
Recently had my FTP password acquired, I believe through FileZilla storing the passwords in a plain text file (no longer do that!), and I was running an old version of Adobe which can apparently give access via an Internet Explorer plugin. Although a dozen of my sites were compromised it was easy to fix (a pain, but easy) and as they didn't have root access there was nothing changed on the server per se (uploaded various Trojans and malicious code to the public folder of various domains that basically redirected my sites' traffic). To be on the safe side, I reinstalled every domain from scratch with new passwords, but as there was no root access I believed it was secure (I realise a server isn't secure from a skilled hacker).
This does not appear to be the same sort of thing.
Looking for advice on what's happened and what to do about it.
Thanks.
David
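As a defender-side addition (not part of David's post or of Virtualmin), the following Python walks sshd lines like those quoted above and flags every accepted root login from an address not in a trusted list, recording how many failed attempts were seen earlier from the same /16 and whether sshd logged a reverse-DNS failure for that same session (matched on the sshd pid). The 203.0.113.7 publickey line and the trusted_ips set are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Sample sshd lines: a subset of the excerpt quoted in the post above, plus one
# constructed publickey login from a documentation address (203.0.113.7).
SAMPLE_LOG = """\
Mar 15 11:00:58 servername### sshd[24004]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=78.160.105.238 user=root
Mar 15 11:01:00 servername### sshd[24004]: Failed password for root from 78.160.105.238 port 4603 ssh2
Mar 15 11:03:02 servername### sshd[24474]: Failed password for root from 78.160.105.238 port 4624 ssh2
Apr 1 02:25:35 servername### sshd[8407]: reverse mapping checking getaddrinfo for dsl78.160-30835.ttnet.net.tr failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 1 02:25:35 servername### sshd[8407]: Accepted password for root from 78.160.120.115 port 4090 ssh2
Apr 1 02:53:17 servername### sshd[9232]: Accepted password for root from 78.160.113.114 port 1567 ssh2
Apr 1 03:11:54 servername### sshd[10282]: Accepted password for root from 78.160.124.140 port 2538 ssh2
Apr 2 09:00:00 servername### sshd[11000]: Accepted publickey for root from 203.0.113.7 port 50000 ssh2
"""
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)
RDNS_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: reverse mapping checking getaddrinfo for (?P<host>\S+) failed")

def prefix16(ip):
    """First two octets: a crude 'same source' bucket for ranges like 78.160.x.x."""
    return ".".join(ip.split(".")[:2])

def audit_root_logins(log_text, trusted_ips=frozenset()):
    """Flag every accepted root login from an IP not in trusted_ips, recording how many
    failed attempts were seen earlier from the same /16 and whether sshd logged a
    reverse-DNS failure for that same session (matched on the sshd pid)."""
    rdns_failed, failures_by_prefix, findings = set(), defaultdict(int), []
    for line in log_text.splitlines():
        m = RDNS_RE.search(line)
        if m:
            rdns_failed.add(m.group("pid"))
            continue
        m = AUTH_RE.match(line)
        if not m:
            continue  # pam_unix, disconnect and other lines carry nothing we need here
        ip = m.group("ip")
        if m.group("result") == "Failed":
            failures_by_prefix[prefix16(ip)] += 1
        elif m.group("user") == "root" and ip not in trusted_ips:
            findings.append({
                "time": m.group("ts"), "ip": ip, "method": m.group("method"),
                "prior_failures_same_16": failures_by_prefix[prefix16(ip)],
                "rdns_failed": m.group("pid") in rdns_failed,
            })
    return findings
```

The "POSSIBLE BREAK-IN ATTEMPT!" text is only sshd reporting that the client's reverse DNS did not resolve back to its address; the line that matters here is the accepted password login for root itself.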