Need help !

Nikitia

New member
Joined
Apr 17, 2012
Messages
5
Hello,

I need help with this one. I had to restart the .httpd over and over again for the last 24 hours!

30049]: Failed password for root from 60.173.26.187 port 1249 ssh2
Jan 7 12:11:32 srv1 sshd[30050]: Received disconnect from 60.173.26.187: 11: Normal Shutdown, Thank you for playing
Jan 7 12:11:36 srv1 sshd[30056]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.187 user=root
Jan 7 12:11:39 srv1 sshd[30056]: Failed password for root from 60.173.26.187 port 3779 ssh2
Jan 7 12:11:39 srv1 sshd[30057]: Received disconnect from 60.173.26.187: 11: Normal Shutdown, Thank you for playing
Jan 7 12:11:44 srv1 sshd[30058]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.187 user=root
Jan 7 12:11:47 srv1 sshd[30058]: Failed password for root from 60.173.26.187 port 4458 ssh2
Jan 7 12:11:48 srv1 sshd[30059]: Received disconnect from 60.173.26.187: 11: Normal Shutdown, Thank you for playing
Jan 7 12:11:56 srv1 sshd[30061]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.187 user=root
Jan 7 12:11:58 srv1 sshd[30061]: Failed password for root from 60.173.26.187 port 5432 ssh2
Jan 7 12:11:58 srv1 sshd[30062]: Received disconnect from 60.173.26.187: 11: Normal Shutdown, Thank you for playing
Jan 7 12:12:01 srv1 sshd[30063]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.187 user=root
Jan 7 12:12:03 srv1 sshd[30063]: Failed password for root from 60.173.26.187 port 6278 ssh2
Jan 7 12:12:04 srv1 sshd[30064]: Received disconnect from 60.173.26.187: 11: Normal Shutdown, Thank you for playing
Jan 7 12:12:07 srv1 sshd[30095]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.187 user=root
Jan 7 12:12:09 srv1 sshd[30095]: Failed password for root from 60.173.26.187 port 6852 ssh2
Jan 7 12:12:10 srv1 sshd[30096]: Received disconnect from 60.173.26.187: 11: Normal Shutdown, Thank you for playing
Jan 7 12:12:13 srv1 sshd[30100]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.187 user=root
Jan 7 12:12:15 srv1 sshd[30100]: Failed password for root from 60.173.26.187 port 7425 ssh2
Jan 7 12:12:16 srv1 sshd[30101]: Received disconnect from 60.173.26.187: 11: Normal Shutdown, Thank you for playing
Jan 7 12:12:19 srv1 sshd[30102]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.187 user=root
Jan 7 12:12:21 srv1 sshd[30102]: Failed password for root from 60.173.26.187 port 8088 ssh2
Jan 7 12:12:29 srv1 sshd[30103]: Received disconnect from 60.173.26.187: 11: Normal Shutdown, Thank you for playing
Jan 7 12:12:36 srv1 sshd[30108]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.187 user=root
Jan 7 12:12:38 srv1 sshd[30108]: Failed password for root from 60.173.26.187 port 9418 ssh2
Jan 7 12:12:39 srv1 sshd[30109]: Received disconnect from 60.173.26.187: 11: Normal Shutdown, Thank you for playing
Jan 7 12:13:03 srv1 sshd[30113]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.187 user=root
Jan 7 12:13:04 srv1 sshd[30113]: Failed password for root from 60.173.26.187 port 10398 ssh2
Jan 7 12:13:04 srv1 sshd[30114]: Received disconnect from 60.173.26.187: 11: Normal Shutdown, Thank you for playing
Jan 7 12:13:15 srv1 sshd[30131]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.187 user=root
Jan 7 12:13:17 srv1 sshd[30131]: Failed password for root from 60.173.26.187 port 12994 ssh2
Jan 7 12:13:17 srv1 sshd[30132]: Received disconnect from 60.173.26.187: 11: Normal Shutdown, Thank you for playing
Jan 7 12:13:20 srv1 sshd[30140]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.187 user=root
Jan 7 12:13:22 srv1 sshd[30140]: Failed password for root from 60.173.26.187 port 14359 ssh2
Jan 7 12:13:26 srv1 sshd[30141]: Received disconnect from 60.173.26.187: 11: Normal Shutdown, Thank you for playing
Jan 7 12:13:34 srv1 sshd[30145]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.187 user=root
Jan 7 12:13:36 srv1 sshd[30145]: Failed password for root from 60.173.26.187 port 15296 ssh2
Jan 7 12:13:36 srv1 sshd[30146]: Received disconnect from 60.173.26.187: 11: Normal Shutdown, Thank you for playing
Jan 7 12:13:40 srv1 sshd[30147]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.187 user=root
Jan 7 12:13:41 srv1 sshd[30147]: Failed password for root from 60.173.26.187 port 16380 ssh2
Jan 7 12:13:43 srv1 sshd[30148]: Received disconnect from 60.173.26.187: 11: Normal Shutdown, Thank you for playing
Jan 7 12:13:49 srv1 sshd[30150]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.187 user=root
Jan 7 12:13:51 srv1 sshd[30150]: Failed password for root from 60.173.26.187 port 16989 ssh2
Jan 7 12:13:51 srv1 sshd[30151]: Received disconnect from 60.173.26.187: 11: Normal Shutdown, Thank you for playing
Jan 7 12:13:58 srv1 sshd[30152]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.187 user=root
Jan 7 12:14:00 srv1 sshd[30152]: Failed password for root from 60.173.26.187 port 17812 ssh2
Jan 7 12:14:01 srv1 sshd[30153]: Received disconnect from 60.173.26.187: 11: Normal Shutdown, Thank you for playing
Jan 7 12:14:05 srv1 sshd[30185]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.187 user=root
Jan 7 12:14:06 srv1 sshd[30185]: Failed password for root from 60.173.26.187 port 18893 ssh2
Jan 7 12:14:06 srv1 sshd[30186]: Received disconnect from 60.173.26.187: 11: Normal Shutdown, Thank you for playing


It also seems that there are a few perl processes acting as an Apache webserver, and there are
2 suspicious users with UID 0 present in the password file.

Can someone direct me to a good site admin? I’m willing to pay for it! (It’s an Adult Site)
Thanks,
Sonia

Please email me at : mibspn@gmail.com
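
Added example, not part of the original post: a small triage script for two of the indicators described above, repeated failed SSH password attempts per source address and extra UID 0 accounts in the password file. It goes one step beyond the excerpt by also flagging an accepted login from an address that had been failing; the sample log lines, addresses and account names are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample data in the same syslog format as the excerpt above.
# The addresses are documentation ranges and the account names are made up.
SAMPLE_AUTH_LOG = """\
Jan 7 12:11:39 srv1 sshd[30056]: Failed password for root from 203.0.113.7 port 3779 ssh2
Jan 7 12:11:47 srv1 sshd[30058]: Failed password for root from 203.0.113.7 port 4458 ssh2
Jan 7 12:11:58 srv1 sshd[30061]: Failed password for invalid user admin from 203.0.113.7 port 5432 ssh2
Jan 7 12:12:03 srv1 sshd[30063]: Failed password for root from 198.51.100.20 port 6278 ssh2
Jan 7 12:12:10 srv1 sshd[30096]: Accepted password for root from 203.0.113.7 port 6852 ssh2
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0::/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
sysadm:x:0:0::/tmp:/bin/sh
"""

# Anchored at end of line so text inside a user name is never read as the source.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .+ from (\S+) port \d+ ssh2\s*$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+ ssh2\s*$")

def triage_auth_log(text, threshold=3):
    """Return (failures per source, sources at/over threshold, accepted logins from failing sources)."""
    failures, accepted = Counter(), []
    for line in text.splitlines():
        if m := FAILED.search(line):
            failures[m.group(1)] += 1
        elif m := ACCEPTED.search(line):
            accepted.append((m.group(1), m.group(2)))
    noisy = sorted(ip for ip, n in failures.items() if n >= threshold)
    # A successful login from an address that was also guessing is the first thing to chase.
    suspect = [(user, ip) for user, ip in accepted if ip in failures]
    return failures, noisy, suspect

def extra_uid0_accounts(passwd_text):
    """Names of passwd entries other than root whose UID field is 0."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names

if __name__ == "__main__":
    failures, noisy, suspect = triage_auth_log(SAMPLE_AUTH_LOG)
    print("failed attempts per source:", dict(failures))
    print("sources over threshold:", noisy)
    print("accepted logins from failing sources:", suspect)
    print("extra UID 0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
```

On a host that is already suspected of compromise, run this against copies of the log and password file taken off the machine, since local files and tools may have been altered.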
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,789
Location
A Coruña, Spain
Hi,

Yes, probably a website (or the whole server) has been compromised and some malicious processes are started pretending to be a different service.

Me, Zeiter, nobaloney and smtalk do offer sysadmin services; feel free to contact me or one of the others by PM or e-mail for a quote.

Regards
 

r3chn3r

Verified User
Joined
Jan 13, 2013
Messages
104
wow!

I'd be interested in finding out how this was possible.
 