Recently I received a message from my ISP saying: "We have detected abuse from the IP address".

This message was sent to us because a fail2ban application in some part of the world sent an automatic message (I suppose it was automatic) to the ISP indicating that our IP was abusing an FTP test.

My question is: can this application wrongly detect an FTP test from our server's IP because someone else was faking an FTP test?

This is the message the ISP received:

Mar 11 05:23:24 li244-67 sshd[10025]: Invalid user ftptest from xxx.xxx.xx.xxx
Mar 11 05:23:24 li244-67 sshd[10025]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xx.xxx
Mar 11 05:23:27 li244-67 sshd[10025]: Failed password for invalid user ftptest from xxx.xxx.xx.xxx port 47998 ssh2
Esa Jokinen
    What do you mean by "an FTP test"? – Michael Hampton Mar 20 '19 at 02:48
  • Michael, the log says: "Invalid user ftptest". I supposed it was a normal attempt to connect to an FTP server; what the error says is that on some server our IP was making many failed attempts to connect. BUT I'm pretty sure our server did not do that. – Diego Quirós Mar 20 '19 at 03:15
  • anx, no, the IP of the server has not changed for at least 1 year. These messages were received some days ago. – Diego Quirós Mar 20 '19 at 03:20
  • `sshd[10025]: Invalid user ftptest` has nothing to do with FTP. It's a failed SSH login. – Esa Jokinen Mar 20 '19 at 03:34

1 Answer


Mar 11 05:23:24 li244-67 sshd[10025]: Invalid user ftptest from xxx.xxx.xx.xxx

The log excerpt shows that a connection attempt was made from the server with IP address xxx.xxx.xx.xxx to log in to a server named "li244-67" with SSH (not FTP) to a user account with the login name "ftptest" (and probably there were many other similar attempts with different username/password combinations).

If that wasn't done by you or your users, then your server is probably compromised.
How do I deal with a compromised server?

HBruijn
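To make concrete what the answer describes (sshd writing a "Failed password" line for every rejected attempt, and fail2ban reporting the source address once it sees enough of them in a short window), here is an added Python example; it is not code from the original page and not fail2ban's own code. It parses constructed sshd lines in the same format as the abuse report, counts failures per source IP, lists the usernames each IP tried, and applies fail2ban's stock thresholds (maxretry = 5 within findtime = 10 minutes, taken from the default jail.conf). The host name, IP addresses and timestamps are made up, and the year is an assumption, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the same sshd/pam_unix format as the abuse report.
# Host, IPs and times are placeholders, not the original report.
SAMPLE_LOG = """\
Mar 11 05:23:24 li244-67 sshd[10025]: Invalid user ftptest from 203.0.113.5
Mar 11 05:23:24 li244-67 sshd[10025]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5
Mar 11 05:23:27 li244-67 sshd[10025]: Failed password for invalid user ftptest from 203.0.113.5 port 47998 ssh2
Mar 11 05:23:31 li244-67 sshd[10031]: Invalid user oracle from 203.0.113.5
Mar 11 05:23:33 li244-67 sshd[10031]: Failed password for invalid user oracle from 203.0.113.5 port 48004 ssh2
Mar 11 05:23:40 li244-67 sshd[10038]: Failed password for root from 203.0.113.5 port 48010 ssh2
Mar 11 05:23:44 li244-67 sshd[10042]: Failed password for invalid user admin from 203.0.113.5 port 48016 ssh2
Mar 11 05:23:50 li244-67 sshd[10047]: Failed password for invalid user test from 203.0.113.5 port 48020 ssh2
Mar 11 06:10:02 li244-67 sshd[10100]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar 11 06:10:09 li244-67 sshd[10100]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
Mar 11 07:00:00 li244-67 sshd[10200]: Failed password for invalid user ftptest from 203.0.113.5 port 49000 ssh2
"""

# One "Failed password" line per rejected password, for existing and
# non-existing accounts alike; fail2ban's sshd filter counts both.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

LOG_YEAR = 2019  # assumption: syslog timestamps carry no year


def parse_failures(log_text):
    """Return a list of (timestamp, user, ip) for every failed password line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # "Invalid user" and pam_unix lines are context, not counted
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["user"], m["ip"]))
    return failures


def failed_attempts_by_ip(log_text):
    """Total failed password attempts per source IP."""
    counts = defaultdict(int)
    for _, _, ip in parse_failures(log_text):
        counts[ip] += 1
    return dict(counts)


def usernames_tried(log_text):
    """Distinct login names tried per IP; many names from one IP is a scan, not a typo."""
    users = defaultdict(set)
    for _, user, ip in parse_failures(log_text):
        users[ip].add(user)
    return dict(users)


def find_bruteforce(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Flag IPs that reach `maxretry` failures inside any `findtime` window.

    Defaults mirror fail2ban's stock jail.conf (maxretry = 5, findtime = 10m).
    Returns {ip: timestamp of the failure that crossed the threshold}.
    """
    per_ip = defaultdict(list)
    for ts, _, ip in parse_failures(log_text):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        # Sliding window: the i-th failure and the (maxretry-1) before it.
        for i in range(maxretry - 1, len(stamps)):
            if stamps[i] - stamps[i - maxretry + 1] <= findtime:
                flagged[ip] = stamps[i]
                break
    return flagged


if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        names = sorted(usernames_tried(SAMPLE_LOG)[ip])
        print(f"{ip}: {failed_attempts_by_ip(SAMPLE_LOG)[ip]} failures, "
              f"ban threshold reached at {when:%H:%M:%S}, users tried: {', '.join(names)}")
```

Run as a script it prints the one flagged address together with the five different login names it tried in under half a minute. That pattern (many distinct usernames, many failures, short window) is what fail2ban bans and reports, and it is the signature of an automated scan rather than of a legitimate user mistyping a password, which is why the answer points to a compromised host as the likely source.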
  • Thanks for clarifying for me that it was an SSH connection attempt, and not FTP. We're going to investigate whether our server could be compromised, but I'm confident (and I hope) that is not the case. Finally, is it possible that an attacker is using a VPN faking his IP, with the same network IPs that our ISP gave us, and for that reason this li244-67 server thinks that it is our server that is trying to connect? – Diego Quirós Mar 20 '19 at 14:52
  • One cannot fake IP addresses like that. Someone is using your system to scan servers around the Internet. – Tero Kilkanen Mar 22 '19 at 08:28