Hack Attempt warning



Hi there, someone else posted this a year ago, but the string didn't have a clear answer. What should I do with this warning?

 

On Mar 2 there were 301 invalid login attempts. This could either be yourself attempting to login to your server (SSH / Telnet) with the wrong user or password, or you could be actively be the victim of hack attacks. A common cause of this would be placing your server within your router's DMZ, or improperly forwarding ports.

This is a major issue and needs to be addressed IMMEDIATELY

NOTE: Because this check is done against the logged entries in the syslog, the only way to clear it is to either increase the number of allowed invalid logins per day (if determined that it is not a hack attempt) or to reset your server. It is not recommended under any circumstance to ignore this error

Link to comment

Who the F** is this guy?? I see multiple failed attempts in the syslog. Please see the attachment below. What should I do??

error: Could not get shadow information for NOUSER
Mar  2 13:00:53 Tower sshd[22552]: Failed none for invalid user admin from 10.0.1.137 port 51262 ssh2
Mar  2 13:00:53 Tower sshd[22552]: Failed password for invalid user admin from 10.0.1.137 port 51262 ssh2
Mar  2 13:00:53 Tower sshd[22552]: Connection closed by invalid user admin 10.0.1.137 port 51262 [preauth]
Mar  2 13:00:57 Tower sshd[22566]: Invalid user admin from 10.0.1.137 port 51887.....

 

syslog.txt

Link to comment

Other things in Diagnostics can make it a lot easier to work with syslog. Sometimes I never even look at syslog, other times I only look at syslog after looking at other things in Diagnostics. One thing in diagnostics that would be easy to find in this case was the IP address of your server (in system/ifconfig.txt) to check if it was the same subnet as the attacker.

Link to comment

It was just sitting in the basement doing nothing until today's power outage. What are all these ports with IP? I don't have any of them open!! And how could my PC try to log in to my Unraid server?? I don't get it.
It's disconnected now. Did you see anything else on the system file?

Link to comment

Since the "attacker" is on your LAN you are not protected from it by the firewall of your router. Possibly that PC is infected, or maybe it is allowing access from outside your LAN.

 

Reboot your server to get your logs cleared, wait a while, then post new diagnostics.

Link to comment
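The check described in the two replies above (find where the failed logins come from and compare that address with the server's subnet), as an added example that is not part of the original thread. The sample log is constructed in the format of the sshd lines quoted earlier; the server address `10.0.1.5/24` and the function name `failed_logins` are assumptions.

```python
import ipaddress
import re

# Constructed sample, modelled on the sshd lines quoted in the thread.
SAMPLE_SYSLOG = """\
Mar  2 13:00:53 Tower sshd[22552]: Failed none for invalid user admin from 10.0.1.137 port 51262 ssh2
Mar  2 13:00:53 Tower sshd[22552]: Failed password for invalid user admin from 10.0.1.137 port 51262 ssh2
Mar  2 13:00:53 Tower sshd[22552]: Connection closed by invalid user admin 10.0.1.137 port 51262 [preauth]
Mar  2 13:00:57 Tower sshd[22566]: Failed password for invalid user admin from 10.0.1.137 port 51887 ssh2
Mar  2 13:01:02 Tower sshd[22570]: Failed password for root from 203.0.113.9 port 40022 ssh2
Mar  3 09:15:10 Tower sshd[1201]: Accepted password for root from 10.0.1.20 port 50100 ssh2
"""

# Matches: "<Mon> <d> <time> <host> sshd[pid]: Failed <method> for [invalid user ]<name> from <ip> port <n>"
FAILED = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \S+ \S+ sshd\[\d+\]: Failed (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)


def failed_logins(syslog_text, server_cidr):
    """Return {(day, source_ip): {"count", "users", "on_lan"}} for failed sshd logins."""
    lan = ipaddress.ip_network(server_cidr, strict=False)  # accepts host/prefix form
    report = {}
    for line in syslog_text.splitlines():
        m = FAILED.match(line)
        # "Failed none" is the client's initial method probe on the same
        # connection; counting it would double-count each real attempt.
        if not m or m["method"] == "none":
            continue
        key = (" ".join(m["day"].split()), m["ip"])
        entry = report.setdefault(
            key,
            {"count": 0, "users": set(),
             "on_lan": ipaddress.ip_address(m["ip"]) in lan},
        )
        entry["count"] += 1
        entry["users"].add(m["user"])
    return report


if __name__ == "__main__":
    # 10.0.1.5/24 is an assumed server address (read yours from ifconfig.txt).
    for (day, ip), e in sorted(failed_logins(SAMPLE_SYSLOG, "10.0.1.5/24").items()):
        where = "same subnet as server" if e["on_lan"] else "outside the LAN"
        print(f"{day} {ip}: {e['count']} failed, users={sorted(e['users'])}, {where}")
```

A source flagged as being on the same subnet means the attempts never crossed the router, so port forwarding and DMZ settings are not the cause and the originating machine is what needs checking.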
2 hours ago, trurl said:

Since the "attacker" is on your LAN you are not protected from it by the firewall of your router. Possibly that PC is infected, or maybe it is allowing access from outside your LAN.

 

Reboot your server to get your logs cleared, wait a while, then post new diagnostics.

I want to make sure: by PC you mean the old PC, not the Unraid server, right?
I don’t know what you mean by “allowing access from outside LAN”.

I use the LAN to access the internet.
In case I use this old PC, how do I prevent it from accessing my network, meaning my server and other computers? I want to use it only to access the internet.
 

I will reboot the server and post the diagnostics.
Should I ignore that warning or just reboot?

Link to comment
12 minutes ago, ssinseeme said:

by PC you mean the old PC, not the Unraid server, right?

right

 

13 minutes ago, ssinseeme said:

I don’t know what you mean by “allowing access from outside LAN”

Perhaps someone (or a bot) was using that old PC to gain access to your local network from outside.

 

If you really want to use that old PC you should make sure it is clean before attaching it to your LAN.

Link to comment
1 hour ago, ssinseeme said:

I don’t know what you mean by “allowing access from outside LAN”

This is probably unlikely, but did you ever enable Remote Desktop Connection or anything similar on that machine?  That might include other remote control tools such as TeamViewer.  They have legitimate uses, but only if you're in control of their use.   

 

You mentioned a power failure. Did that PC start up by itself afterwards? Another safeguard would be to check that PC's power settings in the BIOS. Unless you need it to power up automatically (if the PC was unused then it probably isn't) then I would set it to not power up when the AC power is applied. The behaviour on restoration of AC power is generally configured in the PC's BIOS settings. Normally you would have most machines set to stay powered off at that time, although a reasonable exception would be on machines such as your Unraid server that you might want to restart without supervision.

Link to comment
