That counts as a kind of brute force: trying every possible combination to get into your system. And on top of that, he keeps changing his IP address. It looks like all the results were rejects, right? To be sure, try "lastlog" from the console, and try re-reading the other logs (syslog, messages, secure, httpd error_log, httpd access_log). Usually, if it's just brute force (and the intruder didn't manage to get in) you're in luck, because you'll get the attacker's IP. Better still if the MAC address got recorded (but that's rare, really..)
Happy scanning... :)

Regards,
denny

> Hi all,
>
> How do I deal with an attack like the one in the Logwatch log below?
> Has our mail server been compromised?
> Please shed some light on this.
> Thanks.
>
> -eum-
>
> Spec : Redhat 9.0+Qmail+Vpopmail+Qmailadmin+Sqwebmail+Apache 2.0
>
> =============================
>
> ################### LogWatch 4.3.1 (01/13/03) ####################
> Processing Initiated: Fri Jun 16 04:02:01 2006
> Date Range Processed: yesterday
> Detail Level of Output: 0
> Logfiles for Host: xxx.xxx.xxx.xxx
> ################################################################
>
> --------------------- pam_unix Begin ------------------------
>
>
> sshd:
> Authentication Failures:
> root (email.bvig.com.tw ): 1 Time(s)
> nobody (210.0.215.71 ): 1 Time(s)
> mailman (210.0.215.71 ): 1 Time(s)
> rpm (210.0.215.71 ): 1 Time(s)
> ftp (210.0.215.71 ): 1 Time(s)
> games (210.0.215.71 ): 1 Time(s)
> halt (210.0.215.71 ): 1 Time(s)
> sshd (210.0.215.71 ): 1 Time(s)
> operator (210.0.215.71 ): 1 Time(s)
> root (dsl-kpogw7-feb8f900-35.dhcp.inet.fi ): 1 Time(s)
> root (210.0.215.71 ): 15 Time(s)
> lp (210.0.215.71 ): 1 Time(s)
> amanda (210.0.215.71 ): 1 Time(s)
> bin (212.116.148.154 ): 2 Time(s)
> mail (210.0.215.71 ): 1 Time(s)
> apache (212.116.148.154 ): 3 Time(s)
> shutdown (210.0.215.71 ): 1 Time(s)
> named (210.0.215.71 ): 1 Time(s)
> daemon (210.0.215.71 ): 1 Time(s)
> adm (212.116.148.154 ): 6 Time(s)
> root (211.242.212.100 ): 3 Time(s)
> alias (210.0.215.71 ): 1 Time(s)
> root (218.14.146.205 ): 1 Time(s)
> postgres (210.0.215.71 ): 1 Time(s)
> apache (210.0.215.71 ): 1 Time(s)
> alias (61.131.89.97 ): 1 Time(s)
> alias (212.116.148.154 ): 2 Time(s)
> mysql (dsl-kpogw7-feb8f900-35.dhcp.inet.fi ): 1 Time(s)
> adm (210.0.215.71 ): 1 Time(s)
> root (cm28113.red.mundo-r.com ): 1 Time(s)
> sync (210.0.215.71 ): 1 Time(s)
> root (211.144.32.119 ): 1 Time(s)
> mysql (210.0.215.71 ): 1 Time(s)
> news (210.0.215.71 ): 1 Time(s)
> bin (210.0.215.71 ): 1 Time(s)
> alias (evr91-2-82-233-255-16.fbx.proxad.net ): 1 Time(s)
> daemon (212.116.148.154 ): 2 Time(s)
> uucp (210.0.215.71 ): 1 Time(s)
> smmsp (210.0.215.71 ): 1 Time(s)
>
>
> ---------------------- pam_unix End -------------------------
>
>
> --------------------- SSHD Begin ------------------------
>
>
> Failed logins from these:
> adm/password from 210.0.215.71: 1 Time(s)
> adm/password from 212.116.148.154: 6 Time(s)
> alias/password from 210.0.215.71: 1 Time(s)
> alias/password from 212.116.148.154: 2 Time(s)
> alias/password from 61.131.89.97: 1 Time(s)
> alias/password from 82.233.255.16: 1 Time(s)
> amanda/password from 210.0.215.71: 1 Time(s)
> apache/password from 210.0.215.71: 1 Time(s)
> apache/password from 212.116.148.154: 3 Time(s)
> bin/password from 210.0.215.71: 1 Time(s)
> bin/password from 212.116.148.154: 2 Time(s)
> daemon/password from 210.0.215.71: 1 Time(s)
> daemon/password from 212.116.148.154: 2 Time(s)
> ftp/password from 210.0.215.71: 1 Time(s)
> games/password from 210.0.215.71: 1 Time(s)
> halt/password from 210.0.215.71: 1 Time(s)
> lp/password from 210.0.215.71: 1 Time(s)
> mail/password from 210.0.215.71: 1 Time(s)
> mailman/password from 210.0.215.71: 1 Time(s)
> mysql/password from 210.0.215.71: 1 Time(s)
> mysql/password from 84.249.184.35: 1 Time(s)
> named/password from 210.0.215.71: 1 Time(s)
> news/password from 210.0.215.71: 1 Time(s)
> nobody/password from 210.0.215.71: 1 Time(s)
> operator/password from 210.0.215.71: 1 Time(s)
> postgres/password from 210.0.215.71: 1 Time(s)
> root/password from 210.0.215.71: 15 Time(s)
> root/password from 211.144.32.119: 1 Time(s)
> root/password from 211.242.212.100: 3 Time(s)
> root/password from 213.60.28.113: 1 Time(s)
> root/password from 218.14.146.205: 1 Time(s)
> root/password from 220.132.120.231: 1 Time(s)
> root/password from 84.249.184.35: 1 Time(s)
> rpm/password from 210.0.215.71: 1 Time(s)
> shutdown/password from 210.0.215.71: 1 Time(s)
> smmsp/password from 210.0.215.71: 1 Time(s)
> sshd/password from 210.0.215.71: 1 Time(s)
> sync/password from 210.0.215.71: 1 Time(s)
> uucp/password from 210.0.215.71: 1 Time(s)
>
>
>
> **Unmatched Entries**
>
> Illegal user staff from 210.0.215.71
> Illegal user sales from 210.0.215.71
> Illegal user recruit from 210.0.215.71
> Illegal user office from 210.0.215.71
> Illegal user samba from 210.0.215.71
> Illegal user tomcat from 210.0.215.71
> Illegal user webadmin from 210.0.215.71
> Illegal user spam from 210.0.215.71
> Illegal user virus from 210.0.215.71
> Illegal user cyrus from 210.0.215.71
> Illegal user oracle from 210.0.215.71
> Illegal user michael from 210.0.215.71
> Illegal user test from 210.0.215.71
> Illegal user webmaster from 210.0.215.71
> Illegal user postmaster from 210.0.215.71
> Illegal user postfix from 210.0.215.71
> Illegal user paul from 210.0.215.71
> Illegal user guest from 210.0.215.71
> Illegal user admin from 210.0.215.71
> Illegal user linux from 210.0.215.71
> Illegal user user from 210.0.215.71
> Illegal user david from 210.0.215.71
> Illegal user web from 210.0.215.71
> Illegal user pgsql from 210.0.215.71
> Illegal user info from 210.0.215.71
> Illegal user tony from 210.0.215.71
> Illegal user core from 210.0.215.71
> Illegal user newsletter from 210.0.215.71
> Illegal user visitor from 210.0.215.71
> Illegal user ftpuser from 210.0.215.71
> Illegal user username from 210.0.215.71
> Illegal user administrator from 210.0.215.71
> Illegal user library from 210.0.215.71
> Illegal user test from 210.0.215.71
> Illegal user admin from 210.0.215.71
> Illegal user guest from 210.0.215.71
> Illegal user master from 210.0.215.71
> Illegal user admin from 210.0.215.71
> Illegal user admin from 210.0.215.71
> Illegal user admin from 210.0.215.71
> Illegal user admin from 210.0.215.71
> Illegal user test from 210.0.215.71
> Illegal user test from 210.0.215.71
> Illegal user webmaster from 210.0.215.71
> Illegal user username from 210.0.215.71
> Illegal user user from 210.0.215.71
> Illegal user admin from 210.0.215.71
> Illegal user test from 210.0.215.71
> Illegal user danny from 210.0.215.71
> Illegal user alex from 210.0.215.71
> Illegal user brett from 210.0.215.71
> Illegal user mike from 210.0.215.71
> Illegal user alan from 210.0.215.71
> Illegal user data from 210.0.215.71
> Illegal user www-data from 210.0.215.71
> Illegal user http from 210.0.215.71
> Illegal user httpd from 210.0.215.71
> Illegal user pop from 210.0.215.71
> Illegal user backup from 210.0.215.71
> Illegal user info from 210.0.215.71
> Illegal user shop from 210.0.215.71
> Illegal user sales from 210.0.215.71
> Illegal user web from 210.0.215.71
> Illegal user www from 210.0.215.71
> Illegal user wwwrun from 210.0.215.71
> Illegal user adam from 210.0.215.71
> Illegal user stephen from 210.0.215.71
> Illegal user richard from 210.0.215.71
> Illegal user george from 210.0.215.71
> Illegal user john from 210.0.215.71
> Illegal user angel from 210.0.215.71
> Illegal user pgsql from 210.0.215.71
> Illegal user ident from 210.0.215.71
> Illegal user webpop from 210.0.215.71
> Illegal user susan from 210.0.215.71
> Illegal user sunny from 210.0.215.71
> Illegal user steven from 210.0.215.71
> Illegal user ssh from 210.0.215.71
> Illegal user search from 210.0.215.71
> Illegal user sara from 210.0.215.71
> Illegal user robert from 210.0.215.71
> Illegal user richard from 210.0.215.71
> Illegal user party from 210.0.215.71
> Illegal user sgi from 210.0.215.71
> Illegal user users from 210.0.215.71
> Illegal user admins from 210.0.215.71
> Illegal user admins from 210.0.215.71
> Illegal user dean from 210.0.215.71
> Illegal user unknown from 210.0.215.71
> Illegal user securityagent from 210.0.215.71
> Illegal user tokend from 210.0.215.71
> Illegal user windowserver from 210.0.215.71
> Illegal user appowner from 210.0.215.71
> Illegal user xgridagent from 210.0.215.71
> Illegal user agent from 210.0.215.71
> Illegal user xgridcontroller from 210.0.215.71
> Illegal user jabber from 210.0.215.71
> Illegal user amavisd from 210.0.215.71
> Illegal user clamav from 210.0.215.71
> Illegal user appserver from 210.0.215.71
> Illegal user cyrusimap from 210.0.215.71
> Illegal user qtss from 210.0.215.71
> Illegal user eppc from 210.0.215.71
> Illegal user telnetd from 210.0.215.71
> Illegal user identd from 210.0.215.71
> Illegal user gnats from 210.0.215.71
> Illegal user staff from 82.233.255.16
> Illegal user sales from 82.233.255.16
> Illegal user recruit from 82.233.255.16
> Illegal user office from 82.233.255.16
> Illegal user samba from 82.233.255.16
> Illegal user tomcat from 82.233.255.16
> Illegal user webadmin from 82.233.255.16
> Illegal user spam from 82.233.255.16
> Illegal user virus from 82.233.255.16
> Illegal user test from 211.242.212.100
> Illegal user guest from 211.242.212.100
> Illegal user admin from 211.242.212.100
> Illegal user admin from 211.242.212.100
> Illegal user user from 211.242.212.100
> Illegal user test from 211.242.212.100
> Illegal user staff from 61.131.89.97
> Illegal user sales from 61.131.89.97
> Illegal user recruit from 61.131.89.97
> Illegal user admin from 84.249.184.35
> Illegal user test from 84.249.184.35
> Illegal user guest from 84.249.184.35
> Illegal user webmaster from 84.249.184.35
> Illegal user test from 212.116.148.154
> Illegal user test from 212.116.148.154
> Illegal user test from 212.116.148.154
> Illegal user test from 212.116.148.154
> Illegal user test from 212.116.148.154
> Illegal user test from 212.116.148.154
> Illegal user test from 212.116.148.154
> Illegal user test from 212.116.148.154
> Illegal user test from 212.116.148.154
> Illegal user test from 212.116.148.154
> Illegal user test from 212.116.148.154
> Illegal user test from 212.116.148.154
> Illegal user test from 212.116.148.154
> Illegal user test from 212.116.148.154
> Illegal user test from 212.116.148.154
> Illegal user tester from 212.116.148.154
> Illegal user tester from 212.116.148.154
> Illegal user tester from 212.116.148.154
> Illegal user tester from 212.116.148.154
> Illegal user tester from 212.116.148.154
> Illegal user tester from 212.116.148.154
> Illegal user tester from 212.116.148.154
> Illegal user tester from 212.116.148.154
> Illegal user tester from 212.116.148.154
> Illegal user tester from 212.116.148.154
> Illegal user tester from 212.116.148.154
> Illegal user tester from 212.116.148.154
> Illegal user tester from 212.116.148.154
> Illegal user tester from 212.116.148.154
> Illegal user tester from 212.116.148.154
> Illegal user testing from 212.116.148.154
> Illegal user testing from 212.116.148.154
> Illegal user testing from 212.116.148.154
> Illegal user testing from 212.116.148.154
> Illegal user testing from 212.116.148.154
> Illegal user testing from 212.116.148.154
> Illegal user testing from 212.116.148.154
> Illegal user testing from 212.116.148.154
> Illegal user testing from 212.116.148.154
> Illegal user testing from 212.116.148.154
> Illegal user testing from 212.116.148.154
> Illegal user testing from 212.116.148.154
> Illegal user testing from 212.116.148.154
> Illegal user testing from 212.116.148.154
> Illegal user testing from 212.116.148.154
> Illegal user testbox from 212.116.148.154
> Illegal user guest from 212.116.148.154
> Illegal user guest from 212.116.148.154
> Illegal user guest from 212.116.148.154
> Illegal user guest from 212.116.148.154
> Illegal user guest from 212.116.148.154
> Illegal user guest from 212.116.148.154
> Illegal user guest from 212.116.148.154
> Illegal user guest from 212.116.148.154
> Illegal user guest from 212.116.148.154
> Illegal user guest from 212.116.148.154
> Illegal user guest from 212.116.148.154
> Illegal user guest from 212.116.148.154
> Illegal user guest from 212.116.148.154
> Illegal user guest from 212.116.148.154
> Illegal user account from 212.116.148.154
> Illegal user account from 212.116.148.154
> Illegal user admissions from 212.116.148.154
> Illegal user admissions from 212.116.148.154
> Illegal user admin from 212.116.148.154
> Illegal user admin from 212.116.148.154
> Illegal user admin from 212.116.148.154
> Illegal user admin from 212.116.148.154
> Illegal user admin from 212.116.148.154
> Illegal user admin from 212.116.148.154
> Illegal user admin from 212.116.148.154
> Illegal user admin from 212.116.148.154
> Illegal user admin from 212.116.148.154
> Illegal user admin from 212.116.148.154
> Illegal user admin from 212.116.148.154
> Illegal user admin from 212.116.148.154
> Illegal user admin from 212.116.148.154
> Illegal user admin from 212.116.148.154
> Illegal user admin from 212.116.148.154
> Illegal user admin from 212.116.148.154
> Illegal user administrator from 212.116.148.154
> Illegal user administrator from 212.116.148.154
> Illegal user administrator from 212.116.148.154
> Illegal user administrator from 212.116.148.154
> Illegal user administrator from 212.116.148.154
> Illegal user alumni from 212.116.148.154
> Illegal user alumni from 212.116.148.154
> Illegal user apache2 from 212.116.148.154
> Illegal user apache2 from 212.116.148.154
> Illegal user apache2 from 212.116.148.154
> Illegal user apache2 from 212.116.148.154
> Illegal user backup from 212.116.148.154
> Illegal user backup from 212.116.148.154
> Illegal user bind from 212.116.148.154
> Illegal user bind from 212.116.148.154
> Illegal user build from 212.116.148.154
> Illegal user build from 212.116.148.154
> Illegal user canna from 212.116.148.154
> Illegal user canna from 212.116.148.154
> Illegal user clamav from 212.116.148.154
> Illegal user clamav from 212.116.148.154
> Illegal user class from 212.116.148.154
> Illegal user class from 212.116.148.154
> Illegal user class2004 from 212.116.148.154
> Illegal user class2005 from 212.116.148.154
> Illegal user cpanel from 212.116.148.154
> Illegal user cpanel from 212.116.148.154
> Illegal user cvs from 212.116.148.154
> Illegal user cvs from 212.116.148.154
> Illegal user cvsuser from 212.116.148.154
> Illegal user cvsuser from 212.116.148.154
> Illegal user dbadmin from 212.116.148.154
>
> ---------------------- SSHD End -------------------------
> --
> Mailing list FAQ at http://wiki.linux.or.id/FAQ_milis_tanya-jawab
> Unsubscribe: send an email to [EMAIL PROTECTED]
> Full archive and list info at http://linux.or.id/milis
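The follow-up the reply recommends (re-read the secure log, confirm that every attempt was rejected, collect the attacker addresses) can be scripted. The block below is an added example for this thread, not code from the original poster, from denny, or from Logwatch. It assumes the syslog line formats OpenSSH wrote on Red Hat 9 era systems ("Illegal user X from IP", "Failed password for [illegal user] X from IP port N ssh2", "Accepted password for X from IP port N ssh2"), and runs over a constructed sample of /var/log/secure lines embedded in the file; the sample deliberately includes one successful root login from an address that also produced failures, which is exactly the case the poster's question is about.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/secure lines (assumed OpenSSH syslog format of
# the Red Hat 9 era); none of these lines come from the original poster's server.
# The last line is a planted successful root login from a source that also
# failed, so the triage has something to flag.
SAMPLE_SECURE_LOG = """\
Jun 15 03:11:02 mail sshd[2201]: Illegal user staff from 210.0.215.71
Jun 15 03:11:02 mail sshd[2201]: Failed password for illegal user staff from 210.0.215.71 port 41230 ssh2
Jun 15 03:11:05 mail sshd[2203]: Failed password for root from 210.0.215.71 port 41244 ssh2
Jun 15 03:11:07 mail sshd[2205]: Failed password for root from 210.0.215.71 port 41251 ssh2
Jun 15 03:12:40 mail sshd[2210]: Failed password for adm from 212.116.148.154 port 50122 ssh2
Jun 15 03:12:44 mail sshd[2212]: Illegal user test from 212.116.148.154
Jun 15 03:12:44 mail sshd[2212]: Failed password for illegal user test from 212.116.148.154 port 50130 ssh2
Jun 15 09:30:01 mail sshd[2450]: Accepted password for eum from 192.0.2.10 port 3344 ssh2
Jun 15 09:31:15 mail sshd[2460]: Accepted password for root from 212.116.148.154 port 50201 ssh2
"""

# Each attempt produces exactly one "Failed ..." line; the "Illegal user" line
# that precedes an attempt on a nonexistent account is recorded separately so
# the attempt is not counted twice.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:illegal user )?(\S+) from (\S+) port \d+")
ILLEGAL_RE = re.compile(r"sshd\[\d+\]: Illegal user (\S+) from (\S+)\s*$")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")


def triage(log_text):
    """Summarise sshd activity: failed attempts per source address, the
    account names each source probed, the probed names that do not exist,
    and every successful login with a flag on the ones needing follow-up."""
    failures = Counter()                 # source ip -> failed attempts
    users_tried = defaultdict(Counter)   # source ip -> username -> attempts
    illegal_users = defaultdict(set)     # source ip -> nonexistent usernames
    accepted = []                        # (user, ip, auth method)

    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users_tried[ip][user] += 1
            continue
        m = ILLEGAL_RE.search(line)
        if m:
            user, ip = m.groups()
            illegal_users[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((user, ip, method))

    # A success deserves a closer look when the same source also failed
    # (guessing that eventually worked) or when it is a direct root login.
    flagged = [(user, ip, method, ip in failures or user == "root")
               for user, ip, method in accepted]

    return {
        "failures": dict(failures),
        "users_tried": {ip: dict(c) for ip, c in users_tried.items()},
        "illegal_users": {ip: sorted(s) for ip, s in illegal_users.items()},
        "accepted": flagged,
    }


def suspicious_logins(summary):
    """Only the successful logins that need follow-up, as (user, ip, method)."""
    return [(u, ip, m) for u, ip, m, flag in summary["accepted"] if flag]


def report(summary):
    """Plain-text summary with sources ordered by attempt count."""
    lines = ["Failed attempts by source:"]
    for ip, n in sorted(summary["failures"].items(), key=lambda kv: -kv[1]):
        probed = ", ".join(sorted(summary["users_tried"][ip]))
        lines.append(f"  {ip}: {n} attempt(s); accounts tried: {probed}")
    bad = suspicious_logins(summary)
    lines.append("Successful logins needing follow-up: "
                 + (", ".join(f"{u} from {ip} ({m})" for u, ip, m in bad) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_SECURE_LOG)))
```

Run it against the real file with `triage(open("/var/log/secure").read())` (rotated copies too, since the report covers "yesterday"). The "Unmatched Entries" in the Logwatch output are the "Illegal user" lines, i.e. probes of accounts that do not exist on the box, which is the signature of a dictionary run rather than a targeted guess. Cross-check the flagged successes against `lastlog`, which shows the last successful login per account; a recent root entry from an unfamiliar address is the thing to act on.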
