
Thread: Security question... how do the hackers get the usernames?

  1. #1
    Join Date
    Feb 2012
    Posts
    50

    Security question... how do the hackers get the usernames?

    My server hasn't been hacked but I do see hundreds of brute force attacks per day. I find it interesting that if I add a user (example: user123) today I see attacks on that username within 24 hours. All are from IP addresses in the Asia Pacific Network and I have zero customers in that network.

    All attacks are via proftpd.

    How do they discover the usernames? I am the only user with elevated authority on the server and I am certain my account is secure.

    All users are added via DirectAdmin and have no special rights. There must be some kind of exploit that reveals usernames... this cannot be coincidence or random... all brute force attacks are valid usernames.

    I'm on CentOS 6 with all updates. DirectAdmin 1.40.3 with all the latest updates.

    Suggestions are welcomed.

    Thanks,
    -Joe

  2. #2
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    Hello,

    Did you try to set a very random user name such as RrWccGydL?

    The fact that you've got bruteforce attacks from Asia Pacific Network does not make big sense, or deal... as a hacker who sniffs your traffic might sit in your DC or your home/office network and have a botnet in Asia. That's the Internet.
    With regards, Alex.

    Professional Server Management for web hosting companies and individuals
    Hourly Support, Disaster Recovery, Server Hardening, Monthly Subscription
    Directadmin installation and optimization

    Click here if you need a Linux Admin

  3. #3
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,123
    When I look at my brute force attack warnings I see they're always for well-known usernames (dictionary attack). I'd strongly suggest you take Alex's advice and create a random username, not likely to be in a dictionary, and then do NOT send yourself an email notification that the user has been added (since emails travel the 'net in plaintext), or ever pass that username across the Internet for any reason or in any form. I believe you'll never see an attack on that username. Please let us know if I'm wrong.

    Jeff
    +1 951 643-5345
    Third-Party DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103

  4. #4
    Join Date
    Feb 2012
    Posts
    50
    I can tell you with certainty it's not a dictionary attack. The brute force attacks are always on valid usernames. This is a new DirectAdmin server with only about 20 users. I have a Windows server right next to it and don't see the same kinds of attacks. If someone were sniffing packets on that subnet I'd think they'd hit both boxes. Email never leaves that subnet, but the Windows box hosts all the email.

    I'm still worried about this.
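    The disagreement in the posts above (generic dictionary sweep vs. attempts against real accounts only) can be settled from the server's own logs. The script below is an added example, not code from any poster or from DirectAdmin/proftpd: it parses proftpd failed-login lines from syslog, checks each attempted username against the set of local accounts, and flags the pattern described in this thread, where nearly every attempt hits an account that actually exists. The two message shapes it matches, the `/etc/passwd`-style account set and all hosts, IPs and log lines are constructed for the example; compare the regexes with your own /var/log/secure before relying on them.

```python
import re
from collections import Counter, defaultdict

# proftpd writes two kinds of failed-login messages to syslog (/var/log/secure
# on CentOS). The shapes below are assumed from typical proftpd output:
#   "... (host[IP]) - USER name (Login failed): Incorrect password."
#   "... (host[IP]) - USER name: no such user found from host [IP] to ..."
ATTEMPT = re.compile(r"USER (?P<user>[^\s:(]+)(?::| \(Login failed\))")
# First bracketed IPv4 or IPv6 literal; the pid in "proftpd[4101]" has no
# dot or colon, so it is deliberately not matched.
CLIENT_IP = re.compile(r"\[(?P<ip>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+:[0-9a-fA-F:]*)\]")


def parse_failed_logins(lines):
    """Yield (username, client_ip) for every failed FTP login line."""
    for line in lines:
        if "Login successful" in line:   # same "USER name:" shape, not a failure
            continue
        m = ATTEMPT.search(line)
        if not m:
            continue
        ip = CLIENT_IP.search(line)
        yield m.group("user"), (ip.group("ip") if ip else "unknown")


def classify(lines, local_accounts):
    """Count attempts against accounts that exist on this host versus names
    that do not, and remember which client IPs tried each name."""
    valid, unknown = Counter(), Counter()
    sources = defaultdict(set)
    for user, ip in parse_failed_logins(lines):
        (valid if user in local_accounts else unknown)[user] += 1
        sources[user].add(ip)
    return valid, unknown, sources


def enumeration_suspected(valid, unknown, min_attempts=10, valid_share=0.9):
    """A generic dictionary sweep mostly hits names that do not exist here.
    When nearly every attempt targets a real account, the attacker has some
    source for the account list, and that source is what needs auditing."""
    total = sum(valid.values()) + sum(unknown.values())
    if total < min_attempts:
        return False
    return sum(valid.values()) / total >= valid_share


def report(lines, local_accounts):
    """Summary a sysadmin can eyeball: counts, most-targeted real accounts,
    source IPs per name, and the enumeration verdict."""
    valid, unknown, sources = classify(lines, local_accounts)
    return {
        "valid_attempts": sum(valid.values()),
        "unknown_attempts": sum(unknown.values()),
        "top_targets": valid.most_common(3),
        "sources": {u: sorted(ips) for u, ips in sources.items()},
        "enumeration_suspected": enumeration_suspected(valid, unknown),
    }


# Constructed sample data: local accounts (in practice read from /etc/passwd
# or DirectAdmin's user list) and thirteen log lines, twelve failures and one
# successful login. Hostnames and addresses are documentation values.
LOCAL_ACCOUNTS = {"root", "joe", "user123", "acme", "blog7"}

_FAIL = "Feb 20 03:11:{s:02d} srv proftpd[4101]: srv ({ip}[{ip}]) - USER {u} (Login failed): Incorrect password."
SAMPLE_LOG = [
    _FAIL.format(s=2, ip="203.0.113.5", u="user123"),
    _FAIL.format(s=3, ip="203.0.113.5", u="user123"),
    _FAIL.format(s=4, ip="203.0.113.5", u="user123"),
    _FAIL.format(s=5, ip="198.51.100.7", u="user123"),
    _FAIL.format(s=6, ip="198.51.100.7", u="user123"),
    _FAIL.format(s=7, ip="203.0.113.5", u="acme"),
    _FAIL.format(s=8, ip="203.0.113.5", u="acme"),
    _FAIL.format(s=9, ip="198.51.100.7", u="acme"),
    _FAIL.format(s=10, ip="203.0.113.5", u="blog7"),
    _FAIL.format(s=11, ip="198.51.100.7", u="blog7"),
    _FAIL.format(s=12, ip="203.0.113.5", u="joe"),
    "Feb 20 03:11:13 srv proftpd[4101]: srv (203.0.113.5[203.0.113.5]) - USER admin: no such user found from 203.0.113.5 [203.0.113.5] to ::ffff:192.0.2.10:21",
    "Feb 20 03:11:14 srv proftpd[4101]: srv (192.0.2.20[192.0.2.20]) - USER joe: Login successful.",
]

SAMPLE_REPORT = report(SAMPLE_LOG, LOCAL_ACCOUNTS)

if __name__ == "__main__":
    for key, value in SAMPLE_REPORT.items():
        print(f"{key}: {value}")
```

    On the sample data eleven of twelve failures target existing accounts, so the verdict is "enumeration suspected"; on a typical dictionary sweep the unknown-name count dominates and the verdict is negative. Running it against the real log (for example feeding `open("/var/log/secure")` and the usernames from `/etc/passwd`) gives the concrete number behind "all brute force attacks are valid usernames", and the per-name source list shows whether one address or a botnet is doing it.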

  5. #5
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    I guess you then need to do a security audit of your server yourself or hire somebody (Jeff for example). And here I can suggest only trying to use maldet, rkhunter and manual grepping.
    With regards, Alex.


  6. #6
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,123
    Thank you, Alex, for your vote of confidence.

    @csgo: I would first take the steps I mentioned. Since no others have posted to this thread to respond I'm guessing that the problem isn't widespread, so I'd suggest it's more specific to your system than to any systemic problem with CentOS or DirectAdmin.

    Jeff
    +1 951 643-5345

  7. #7
    Join Date
    Oct 2010
    Location
    Iceland
    Posts
    104
    Hey guys, I am trying to get chkrootkit and rkhunter to function in cron, but all I get is a server restart of some kind, and I think it has to do with a poorly set up cron.daily rkhunter.sh and chkrootkit.sh. I only think that, but if you would be so kind to tell me how you accomplished doing that and not getting blank emails? And also maldet: could you tell me how I can install that on my server?

  8. #8
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    Hello,

    First of all what type of a server do you have there: dedicated or VPS/VDS?
    Secondly, did you read dmesg? /var/log/messages? To find possible clues?

    Note, very often faulty hardware might cause kernel panic and the following reboots.

    - How To install maldet
    http://www.directadmin.com/forum/sho...079#post216079

    p.s. What are the blank emails?
    With regards, Alex.


  9. #9
    Join Date
    Oct 2010
    Location
    Iceland
    Posts
    104
    Thank you very much zEitEr

    I have no idea what could be causing the reboots. I will have to invest in another new server soon.
