eyecool
Aug 31 2009, 07:22 PM
I got a new Virtual Rack server @ThePlanet the other day. Then I got this ticket:
Dear Customer,
We have received reports of brute force attacks originating from this server. This indicates possible server compromise, and is your responsibility to investigate and resolve. However, should you require help, please contact our professional service. Be advised that should we receive further reports we may be forced to step in to prevent further abuse of our networks.
For your convenience, please see attached report.
Regards,
Nick
Abuse Department
The Planet
Time: Mon Aug 31 05:02:26 2009 -0500
IP: 174.120.132.1xx (-/-/xx.84.78ae.static.theplanet.com)
Failures: 5 (sshd)
Interval: 300 seconds
Blocked: Yes
Log entries:
Aug 31 05:02:22 whm sshd[9165]: Invalid user t1na from 174.120.132.xx
Aug 31 05:02:24 whm sshd[9165]: Failed password for invalid user t1na from 174.120.132.xx port 59515 ssh2
Aug 31 05:02:24 whm sshd[9167]: Invalid user t1na from 174.120.132.xxx
Aug 31 05:02:26 whm sshd[9167]: Failed password for invalid user t1na from 174.120.132.xxx port 59766 ssh2
Aug 31 05:02:26 whm sshd[9169]: Invalid user logic from 174.120.132.xxx
Has anyone had this problem before? =/
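The abuse report above is the output of exactly this kind of check: count sshd authentication failures per source address and flag any address that reaches 5 failures inside a 300-second window. The following is an added example, not code from the thread or from The Planet's abuse system; it runs the same sliding-window logic over constructed sample lines modeled on the report (hostname, timestamps and the 174.120.132.10 / 10.0.0.5 addresses are made up for the example). Run against a real auth.log it shows which sources are hammering a host and which usernames they are guessing.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log, modeled on the abuse report in the thread.
# Addresses, PIDs and the 10.0.0.5 legitimate login are invented for the example.
SAMPLE_LOG = """\
Aug 31 05:02:22 whm sshd[9165]: Invalid user t1na from 174.120.132.10
Aug 31 05:02:24 whm sshd[9165]: Failed password for invalid user t1na from 174.120.132.10 port 59515 ssh2
Aug 31 05:02:24 whm sshd[9167]: Invalid user t1na from 174.120.132.10
Aug 31 05:02:26 whm sshd[9167]: Failed password for invalid user t1na from 174.120.132.10 port 59766 ssh2
Aug 31 05:02:26 whm sshd[9169]: Invalid user logic from 174.120.132.10
Aug 31 05:02:27 whm sshd[9169]: Failed password for invalid user logic from 174.120.132.10 port 59801 ssh2
Aug 31 05:03:01 whm sshd[9171]: Failed password for root from 174.120.132.10 port 59900 ssh2
Aug 31 05:03:05 whm sshd[9173]: Failed password for root from 174.120.132.10 port 59950 ssh2
Aug 31 05:30:00 whm sshd[9200]: Failed password for alice from 10.0.0.5 port 40000 ssh2
Aug 31 05:30:10 whm sshd[9201]: Accepted publickey for alice from 10.0.0.5 port 40001 ssh2
"""

# Only "Failed password" lines are counted as failures. Each attempt against a
# non-existent account also produces an "Invalid user" line, so counting both
# would double-count those attempts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(text, year=2009):
    """Return (timestamp, source_ip, username) for each failed login line.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2009
    here to match the report's date).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_brute_force(events, threshold=5, interval_s=300):
    """Flag every source IP with `threshold` failures inside any `interval_s` window.

    Defaults match the report's parameters (Failures: 5, Interval: 300 seconds).
    Returns {ip: {"first": ts, "last": ts, "failures": n, "users": [...]}}.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))

    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()
        times = [t for t, _ in evs]
        # Slide a window of `threshold` consecutive failures and check its span.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= interval_s:
                hits[ip] = {
                    "first": times[i],
                    "last": times[i + threshold - 1],
                    "failures": len(times),
                    "users": sorted({u for _, u in evs}),
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in find_brute_force(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failures, "
              f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}, "
              f"users tried: {', '.join(info['users'])}")
```

The 10.0.0.5 address has a single failure followed by a successful key login and is not reported; 174.120.132.10 crosses the threshold 41 seconds after its first failed password. On a real system the same parse step can be pointed at /var/log/secure (CentOS) or /var/log/auth.log (Debian), and the output is what you would hand to an abuse desk or feed into a blocking rule.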
dynamicnet
Sep 1 2009, 02:11 PM
Greetings:
1. All servers are insecure out of the box.
2. Always check with the data center / provider to see if server hardening, AND ongoing hardening is included; always check if the ongoing hardening is proactive vs. reactive.
3. The overwhelming majority of hacking is random. Hackers (who often use GUI-based tools that are easy enough for children in middle school to learn) put in ranges of IPs looking for vulnerable systems (i.e. kids in a parking lot going from vehicle to vehicle checking for open doors, windows), and then once finding them dig deeper; and oftentimes google.com is used to find such systems.
Therefore, if your server is not hardened, if your server is not kept hardened, and if the applications you run on the server are not kept up to date, you will be an easy target.
Now, what to do:
A. Clean your server of the hack(s) on the server that are allowing unauthorized parties to attack other servers.
B. Harden your server, and have a plan to keep it hardened (there is no such thing as a one time project for server hardenings). Think of a server hardening as charging a battery; over time the battery becomes dead.
Typically ongoing hardening can be one to several times per month; more intense if you do it in-house.
C. Make sure the applications on the server (Joomla, WordPress, etc.) are up to date.
Thank you.
ajz4221
Sep 2 2009, 12:37 AM
So, you have this new server and it already has this issue?
Maybe from a former renter?
dynamicnet
Sep 2 2009, 06:46 AM
Greetings:
Thanks to Jesus this is our 14th year in business.
In those 14 years, we've seen attacks against servers within 10 minutes or less of their being plugged into the Internet.
Your car (server), so to write, doesn't have to be in the (Internet) parking lot for years before kids try the doors; you could have just pulled in.
Thank you.
eyecool
Sep 2 2009, 06:30 PM
I resolved the issue. Basically, the virgin OS had a devil of an IP address going at her. Anyone setting up a server anywhere should secure and harden their server AS SOON AS IT COMES ONLINE! I put updating off because I didn't immediately need the server. I also had to get CentOS 64 instead of my favorite Debian Lenny 64. Only RH and CentOS are supported for advanced services on the virtual rack platform. This was another reason I dragged my feet securing the new server. I'm blah about yum.
From now on, when I get a new server, the first thing I'll do is change the SSH port. That has the tendency to stave off the majority of attacks and buys the time to properly harden.
Cheers
dynamicnet
Sep 3 2009, 05:55 AM
Greetings:
I'm glad you got it resolved; and correct on hardening quickly.
Thank you.