请帮忙分析服务器是否存在匿名访问或受到攻击，多谢！

jenkyfang · 发表于 2004-9-7 09:21:51

OS版本:RedHat 9 professional
如需要检查是否受到攻击或非法访问，一般是查看什么文件，
步骤是如何？万分感谢！

以下的信息来自/var/log/messages

Sep  6 22:52:44 oa vsftpd(pam_unix)[3446]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=64.60.70.218
Sep  6 22:52:44 oa vsftpd(pam_unix)[3448]: check pass; user unknown
Sep  6 22:52:44 oa vsftpd(pam_unix)[3448]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=64.60.70.218
Sep  6 22:52:44 oa vsftpd(pam_unix)[3450]: check pass; user unknown
Sep  6 22:52:44 oa vsftpd(pam_unix)[3450]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=64.60.70.218
Sep  6 22:52:45 oa vsftpd: warning: can't get client address: Bad file descriptor
Sep  6 22:52:45 oa vsftpd(pam_unix)[3452]: check pass; user unknown
Sep  6 22:52:45 oa vsftpd(pam_unix)[3452]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=64.60.70.218
Sep  6 22:52:50 oa vsftpd: warning: can't get client address: Bad file descriptor
Sep  6 22:52:50 oa vsftpd(pam_unix)[3454]: check pass; user unknown
Sep  6 22:52:50 oa vsftpd(pam_unix)[3454]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=64.60.70.218
Sep  6 22:52:51 a vsftpd: warning: can't get client address: Bad file descriptor
Sep  6 22:52:51 oa last message repeated 2 times
Sep  6 22:52:51 oa vsftpd(pam_unix)[3456]: check pass; user unknown
Sep  6 22:52:51 oa vsftpd(pam_unix)[3456]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=64.60.70.218
Sep  6 22:52:51 oa vsftpd(pam_unix)[3458]: check pass; user unknown
Sep  6 22:52:51 oa vsftpd(pam_unix)[3458]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=64.60.70.218
Sep  6 22:52:54 oa vsftpd: warning: can't get client address: Bad file descriptor

sealinger · 发表于 2006-11-21 17:43:17

我也经常有这种日志，那些人是用什么工具来攻击的呢？？

Nov 19 06:35:13 mail vsftpd(pam_unix)[17525]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=202.96.59.201
Nov 19 06:35:15 mail vsftpd(pam_unix)[17527]: check pass; user unknown
Nov 19 06:35:15 mail vsftpd(pam_unix)[17527]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=202.96.59.201
Nov 19 06:35:16 mail vsftpd(pam_unix)[17525]: check pass; user unknown
Nov 19 06:35:16 mail vsftpd(pam_unix)[17525]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=202.96.59.201
Nov 19 06:35:18 mail vsftpd(pam_unix)[17527]: check pass; user unknown
Nov 19 06:35:18 mail vsftpd(pam_unix)[17527]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=202.96.59.201
Nov 19 06:35:18 mail vsftpd(pam_unix)[17525]: check pass; user unknown
Nov 19 06:35:18 mail vsftpd(pam_unix)[17525]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=202.96.59.201
Nov 19 06:35:20 mail vsftpd(pam_unix)[17527]: check pass; user unknown
Nov 19 06:35:20 mail vsftpd(pam_unix)[17527]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=202.96.59.201
Nov 19 06:35:20 mail vsftpd(pam_unix)[17525]: check pass; user unknown
Nov 19 06:35:20 mail vsftpd(pam_unix)[17525]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=202.96.59.201
Nov 19 06:35:22 mail vsftpd(pam_unix)[17527]: check pass; user unknown
Nov 19 06:35:22 mail vsftpd(pam_unix)[17527]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=202.96.59.201
Nov 19 06:35:23 mail vsftpd(pam_unix)[17525]: check pass; user unknown
Nov 19 06:35:23 mail vsftpd(pam_unix)[17525]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=202.96.59.201
Nov 19 06:35:25 mail vsftpd(pam_unix)[17527]: check pass; user unknown
Nov 19 06:35:25 mail vsftpd(pam_unix)[17527]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=202.96.59.201
Nov 19 06:35:25 mail vsftpd(pam_unix)[17525]: check pass; user unknown
Nov 19 06:35:25 mail vsftpd(pam_unix)[17525]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=202.96.59.201
Nov 19 06:35:28 mail vsftpd(pam_unix)[17527]: check pass; user unknown
Nov 19 06:35:28 mail vsftpd(pam_unix)[17527]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=202.96.59.201
Nov 19 06:35:28 mail vsftpd(pam_unix)[17525]: check pass; user unknown
Nov 19 06:35:28 mail vsftpd(pam_unix)[17525]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=202.96.59.201
Nov 19 06:35:30 mail vsftpd(pam_unix)[17527]: check pass; user unknown
Nov 19 06:35:30 mail vsftpd(pam_unix)[17527]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=202.96.59.201
Nov 19 06:35:30 mail vsftpd(pam_unix)[17525]: check pass; user unknown
Nov 19 06:35:30 mail vsftpd(pam_unix)[17525]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=202.96.59.201
Nov 19 06:35:32 mail vsftpd(pam_unix)[17527]: check pass; user unknown

再看 logwatch 的记录：

vsftpd:
Unknown Entries:
   check pass; user unknown: 12252 Time(s)
   authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=64.107.76.15 : 11841 Time(s)
   authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=218.94.26.146 : 409 Time(s)

恐怖吧，1W多次啊。。。

		自动登录	找回密码
密码			注册

请帮忙分析服务器是否存在匿名访问或受到攻击，多谢！

浏览过的版块