
I'm wondering if there is a security breach on my server. I was previewing the /var/log/messages file and I've been receiving a lot of logging in and out and then some messages about "network unreachable resolving". Here is a sample of my last entries in the messages file. I'm running CentOS 5.1.

Sep 24 10:03:23 ip-184-168-116-73 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Sep 24 10:03:23 ip-184-168-116-73 pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__mYPM6aAnC9051nEC0nS9vPMkaMz34VyA0HXbDApw_0Xan5OW3K9uqnlSAk98PzAq is now logged in
Sep 24 10:03:23 ip-184-168-116-73 pure-ftpd: (__cpanel__service__auth__ftpd__mYPM6aAnC9051nEC0nS9vPMkaMz34VyA0HXbDApw_0Xan5OW3K9uqnlSAk98PzAq@127.0.0.1) [INFO] Logout.
Sep 24 10:08:23 ip-184-168-116-73 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Sep 24 10:08:24 ip-184-168-116-73 pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__qUTJ2NFXeRRKXGjXVbjLQn2upJdGRaSGGSMDQna8wsEINYCTOrWUzxqiJp8rUT0S is now logged in
Sep 24 10:08:24 ip-184-168-116-73 pure-ftpd: (__cpanel__service__auth__ftpd__qUTJ2NFXeRRKXGjXVbjLQn2upJdGRaSGGSMDQna8wsEINYCTOrWUzxqiJp8rUT0S@127.0.0.1) [INFO] Logout.
Sep 24 10:09:19 ip-184-168-116-73 named[1502]: network unreachable resolving 'ns1.expired.r01.ru/A/IN': 2001:678:17:0:193:232:128:6#53
Sep 24 10:09:19 ip-184-168-116-73 named[1502]: network unreachable resolving 'ns2.expired.r01.ru/A/IN': 2001:678:17:0:193:232:128:6#53
Sep 24 10:09:19 ip-184-168-116-73 named[1502]: network unreachable resolving 'ns1.expired.r01.ru/AAAA/IN': 2001:678:17:0:193:232:128:6#53
Sep 24 10:09:19 ip-184-168-116-73 named[1502]: network unreachable resolving 'ns2.expired.r01.ru/AAAA/IN': 2001:678:17:0:193:232:128:6#53
Sep 24 10:09:19 ip-184-168-116-73 named[1502]: unexpected RCODE (SERVFAIL) resolving 'ns1.internet-spb.ru/A/IN': 109.70.26.37#53
Sep 24 10:09:19 ip-184-168-116-73 named[1502]: unexpected RCODE (SERVFAIL) resolving 'ns2.internet-spb.ru/A/IN': 109.70.26.37#53
Sep 24 10:09:19 ip-184-168-116-73 named[1502]: unexpected RCODE (SERVFAIL) resolving 'ns2.internet-spb.ru/AAAA/IN': 109.70.26.37#53
Sep 24 10:09:19 ip-184-168-116-73 named[1502]: unexpected RCODE (SERVFAIL) resolving 'ns1.internet-spb.ru/AAAA/IN': 109.70.26.37#53
Sep 24 10:09:19 ip-184-168-116-73 named[1502]: unexpected RCODE (SERVFAIL) resolving 'ns2.internet-spb.ru/A/IN': 194.85.61.76#53
Sep 24 10:09:19 ip-184-168-116-73 named[1502]: unexpected RCODE (SERVFAIL) resolving 'ns2.internet-spb.ru/AAAA/IN': 194.85.61.76#53
Sep 24 10:09:19 ip-184-168-116-73 named[1502]: unexpected RCODE (SERVFAIL) resolving 'ns1.internet-spb.ru/A/IN': 194.85.61.76#53
Sep 24 10:09:19 ip-184-168-116-73 named[1502]: unexpected RCODE (SERVFAIL) resolving 'ns1.internet-spb.ru/AAAA/IN': 194.85.61.76#53
Sep 24 10:12:11 ip-184-168-116-73 named[1502]: network unreachable resolving 'ns3.rnc.ro/A/IN': 2001:500:2e::1#53
Sep 24 10:13:25 ip-184-168-116-73 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Sep 24 10:13:25 ip-184-168-116-73 pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__s4ls4qxg3HrWFYi6ICTo0SJvgbJU6DSbALi95PAgNGK2rHENueFdmzXwkXY7GjMj is now logged in
Sep 24 10:13:25 ip-184-168-116-73 pure-ftpd: (__cpanel__service__auth__ftpd__s4ls4qxg3HrWFYi6ICTo0SJvgbJU6DSbALi95PAgNGK2rHENueFdmzXwkXY7GjMj@127.0.0.1) [INFO] Logout.
Sep 24 10:16:15 ip-184-168-116-73 named[1502]: client 199.180.114.183#36635: query (cache) 'cpsc.gov/ANY/IN' denied

If this is a hack then what settings do I need to change to ensure greater security?

Thank you and God bless<><

1 Answer

Looks like (a) your IPv6 configuration might be acting up, and (b) something is hitting your box (usually spam email) which is causing a DNS lookup to a spammy/non-existent domain, which results in a failure.

Not really enough information to determine if you're compromised. Bear in mind though that EL5 is only getting maintenance updates now, so at this point you might want to consider EL7.

In addition, CentOS 5 is currently on version 5.11, so if you're actually on 5.1 as suggested above, you likely want to address that pretty quickly.

dcr226
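As an added illustration (not code from the question or the answer), a small Python triage script that sorts lines of this /var/log/messages excerpt into the categories the answer distinguishes: loopback logins by the cPanel service-auth account, named failing to reach IPv6 nameservers, upstream SERVFAILs, and refused cache queries from outside clients. The sample is constructed from the excerpt, with the long auth token abbreviated and one hypothetical non-loopback FTP login (203.0.113.9, user "bob") added to show what gets flagged for review.

```python
import re
from collections import Counter

# Constructed sample modelled on the excerpt; tokens shortened, last line hypothetical.
SAMPLE = """\
Sep 24 10:03:23 ip-184-168-116-73 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Sep 24 10:03:23 ip-184-168-116-73 pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__mYPM6aAnC9 is now logged in
Sep 24 10:03:23 ip-184-168-116-73 pure-ftpd: (__cpanel__service__auth__ftpd__mYPM6aAnC9@127.0.0.1) [INFO] Logout.
Sep 24 10:09:19 ip-184-168-116-73 named[1502]: network unreachable resolving 'ns1.expired.r01.ru/A/IN': 2001:678:17:0:193:232:128:6#53
Sep 24 10:09:19 ip-184-168-116-73 named[1502]: unexpected RCODE (SERVFAIL) resolving 'ns1.internet-spb.ru/A/IN': 109.70.26.37#53
Sep 24 10:16:15 ip-184-168-116-73 named[1502]: client 199.180.114.183#36635: query (cache) 'cpsc.gov/ANY/IN' denied
Sep 24 10:20:02 ip-184-168-116-73 pure-ftpd: (?@203.0.113.9) [INFO] bob is now logged in
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FTP_LOGIN = re.compile(r"^\(\S*@(?P<ip>[^)]+)\) \[INFO\] (?P<user>\S+) is now logged in$")
UNREACH = re.compile(r"^network unreachable resolving '(?P<name>[^']+)': (?P<addr>\S+)#\d+$")
SERVFAIL = re.compile(r"^unexpected RCODE \(SERVFAIL\) resolving '(?P<name>[^']+)': (?P<addr>\S+)#\d+$")
DENIED = re.compile(r"^client (?P<ip>[\d.]+|[0-9a-fA-F:]+)#\d+: query \(cache\) '(?P<q>[^']+)' denied$")

def classify(line):
    """Return (category, detail) for a syslog line, or None if it carries no signal."""
    m = SYSLOG.match(line)
    if not m:
        return ("unparsed", line)
    prog, msg = m["prog"], m["msg"]
    if prog == "pure-ftpd":
        f = FTP_LOGIN.match(msg)
        if not f:
            return None  # "New connection" / "Logout." lines add nothing on their own
        if f["ip"] == "127.0.0.1" and f["user"].startswith("__cpanel__service__auth__"):
            return ("ftp_local_cpanel_check", f["user"])  # loopback login by cPanel's service-auth account
        return ("ftp_login_review", f"{f['user']} from {f['ip']}")  # any other login: check it
    if prog == "named":
        if (u := UNREACH.match(msg)):
            fam = "ipv6" if ":" in u["addr"] else "ipv4"  # IPv6 targets point at the IPv6 setup, not an intruder
            return (f"dns_unreachable_{fam}", u["addr"])
        if (s := SERVFAIL.match(msg)):
            return ("dns_upstream_servfail", s["name"])  # remote nameserver failed, not this host
        if (d := DENIED.match(msg)):
            return ("dns_query_denied", f"{d['ip']} asked {d['q']}")  # named refused an outside client's cache query
    return None

def triage(text):
    """Count categories and collect the lines worth a human look."""
    counts, review = Counter(), []
    for line in text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        counts[hit[0]] += 1
        if hit[0] in ("ftp_login_review", "dns_query_denied", "unparsed"):
            review.append(hit)
    return counts, review
```

Run `triage(open("/var/log/messages").read())` and look at the review list first; the counts show whether the noise is the IPv6 and upstream-resolver errors the answer describes.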
OK. Thank you. I guess the recommendation is to do a fresh install, and probably do this on a second machine and test thoroughly before. I was just reading a few forums like this: http://serverfault.com/questions/579697/cpanel-centos-5-10-upgrade-to-6-4-recommendations and they don't recommend an upgrade, esp. with major version upgrades. Your thoughts on the matter? – victorkimura Sep 26 '15 at 13:47