
Last week I received a lot of e-mails from the company where I have a server. Can somebody please help me fix this 'abuse'? I'm using Linux Debian 8.

We have detected abuse from the IP address XX.XX.XXX.XX, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.

Log lines are given below, but please ask if you require any further information.

(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)

Note: Local timezone is +0100 (CET)

Dec 16 07:06:34 jazzmessengers sshd[27500]: Connection closed by XX.XX.XXX.XX
Dec 16 07:06:39 jazzmessengers sshd[27581]: Failed password for root from XX.XX.XXX.XX port 35074 ssh2
Dec 16 07:06:41 jazzmessengers sshd[27581]: Failed password for root from XX.XX.XXX.XX port 35074 ssh2
Dec 16 07:06:43 jazzmessengers sshd[27581]: Failed password for root from XX.XX.XXX.XX port 35074 ssh2
Dec 16 07:06:43 jazzmessengers sshd[27583]: Connection closed by XX.XX.XXX.XX
Dec 16 09:14:58 jazzmessengers sshd[10829]: Invalid user test from XX.XX.XXX.XX
Dec 16 09:15:00 jazzmessengers sshd[10850]: Invalid user test from XX.XX.XXX.XX
Dec 16 09:15:01 jazzmessengers sshd[10829]: Failed password for invalid user test from XX.XX.XXX.XX port 40769 ssh2
Dec 16 09:15:02 jazzmessengers sshd[10829]: Failed password for invalid user test from XX.XX.XXX.XX port 40769 ssh2
Dec 16 09:15:02 jazzmessengers sshd[10831]: Connection closed by XX.XX.XXX.XX
Dec 16 09:15:02 jazzmessengers sshd[10850]: Failed password for invalid user test from XX.XX.XXX.XX port 44143 ssh2
Dec 16 09:15:04 jazzmessengers sshd[10850]: Failed password for invalid user test from XX.XX.XXX.XX port 44143 ssh2
Dec 16 11:17:35 jazzmessengers sshd[28958]: Invalid user samba from XX.XX.XXX.XX
Dec 16 11:17:38 jazzmessengers sshd[28958]: Failed password for invalid user samba from XX.XX.XXX.XX port 57529 ssh2

(I removed a part because Stack Overflow thought it was spam.)

Dec 16 17:11:40 jazzmessengers sshd[28478]: Failed password for invalid user comercial from XX.XX.XXX.XX port 46737 ssh2
Dec 16 17:11:40 jazzmessengers sshd[28480]: Connection closed by XX.XX.XXX.XX
Dec 16 17:11:40 jazzmessengers sshd[28489]: Invalid user comercial from XX.XX.XXX.XX

  • There's someone just trying to brute-force another server from your network. Discover who it is and fire him :) – sysfiend Dec 19 '16 at 11:23
  • Your server seems to be hacked and somebody is using it to break into other hosts. This is why you got this message from the hosting company. Employ an admin to close the holes. – gertas Dec 19 '16 at 15:11

1 Answer


Your server is being used to brute-force into other servers via SSH.

The "victim" has installed Fail2Ban with the "complain" function, which performs a whois lookup (via ripe.net) and sends out an email to the address associated with the IP range.

You should clean your server of malware/viruses or other bad stuff (such as evil users).

– Orphans
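The detection that produced the complaint, as an added example that is not code from the question, the answer or Fail2Ban itself: it parses sshd "Failed password" lines in the format quoted in the abuse mail, counts failures per source IP inside a sliding window the way Fail2Ban's sshd jail does, and lists the usernames each IP tried. The sample log, the year 2016 for the syslog timestamps, the stand-in addresses 192.0.2.10 and 198.51.100.7 (the report masks the real one) and the thresholds maxretry=3 / findtime=600 s are assumptions; the victim's actual Fail2Ban configuration is not on the page.

```python
"""Fail2Ban-style detection over sshd auth-log lines (added example).

Assumed: thresholds maxretry=3 / findtime=600 s, year 2016 for the syslog
timestamps, and the stand-in source addresses 192.0.2.10 and 198.51.100.7.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format quoted in the abuse report. The report
# masks the real address; 192.0.2.10 and 198.51.100.7 are documentation IPs.
SAMPLE_LOG = """\
Dec 16 07:06:34 jazzmessengers sshd[27500]: Connection closed by 192.0.2.10
Dec 16 07:06:39 jazzmessengers sshd[27581]: Failed password for root from 192.0.2.10 port 35074 ssh2
Dec 16 07:06:41 jazzmessengers sshd[27581]: Failed password for root from 192.0.2.10 port 35074 ssh2
Dec 16 07:06:43 jazzmessengers sshd[27581]: Failed password for root from 192.0.2.10 port 35074 ssh2
Dec 16 09:14:58 jazzmessengers sshd[10829]: Invalid user test from 192.0.2.10
Dec 16 09:15:01 jazzmessengers sshd[10829]: Failed password for invalid user test from 192.0.2.10 port 40769 ssh2
Dec 16 09:15:02 jazzmessengers sshd[10829]: Failed password for invalid user test from 192.0.2.10 port 40769 ssh2
Dec 16 09:15:02 jazzmessengers sshd[10850]: Failed password for invalid user test from 192.0.2.10 port 44143 ssh2
Dec 16 11:17:38 jazzmessengers sshd[28958]: Failed password for invalid user samba from 192.0.2.10 port 57529 ssh2
Dec 16 11:17:40 jazzmessengers sshd[29001]: Failed password for admin from 198.51.100.7 port 51001 ssh2
"""

# Only "Failed password" lines count as a failure; "Invalid user" and
# "Connection closed" lines are ignored for this purpose.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failures(log_text, year=2016):
    """Return a list of (timestamp, source_ip, username) for each failed login.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2016).
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_bans(events, maxretry=3, findtime=600):
    """Sliding-window rule as Fail2Ban applies it: an IP is banned once it has
    `maxretry` failures within the last `findtime` seconds.

    Returns {ip: timestamp_of_ban_decision}; only the first ban per IP is kept.
    """
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    bans = {}
    for ts, ip, _user in sorted(events):
        if ip in bans:
            continue
        window = recent[ip]
        window.append(ts)
        # Expire failures older than findtime relative to the newest one.
        while (ts - window[0]).total_seconds() > findtime:
            window.pop(0)
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


def users_tried(events):
    """Map each source IP to the sorted usernames it attempted; a list like
    root/test/samba marks a dictionary attack rather than a mistyped password."""
    seen = defaultdict(set)
    for _ts, ip, user in events:
        seen[ip].add(user)
    return {ip: sorted(users) for ip, users in seen.items()}


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    for ip, when in detect_bans(evs).items():
        print(f"ban {ip} at {when:%b %d %H:%M:%S}, users tried: {users_tried(evs)[ip]}")
```

One caveat for the asker: running this parser over his own /var/log/auth.log only shows who is attacking his host inbound. The connections in the report are outbound, made by a process or user on his server, and finding that process (not the log parser above) is the clean-up the answer calls for.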