I'm seeing lots of logs with this line:
Nov 7 03:47:41 s1 sshd[23430]: Received disconnect from XX.XXX.XX.XX: 11:
Nov 7 05:08:16 s1 sshd[24474]: Received disconnect from XX.XXX.XX.XX: 11:
Nov 7 06:33:59 s1 sshd[25526]: Received disconnect from XX.XXX.XX.XX: 11:
Nov 7 08:06:33 s1 sshd[26601]: Received disconnect from XX.XXX.XX.XX: 11:
Nov 7 09:24:14 s1 sshd[27460]: Received disconnect from XX.XXX.XX.XX: 11:
Nov 7 10:59:49 s1 sshd[28821]: Received disconnect from XX.XXX.XX.XX: 11:
Nov 7 12:14:39 s1 sshd[29894]: Received disconnect from XX.XXX.XX.XX: 11:
I've only pasted 7 lines here but I have hundreds of them in the log file. The IP is always the same.
I was told this indicates that my server was hacked and the attacker somehow managed to clear the log entries that registered the login information, because in order to have a "disconnect" message, I must have an "Accepted …" message for the same IP before. Is this true?
My questions are:
- With these logs can I conclude that my server was really hacked?
- What does this message even mean?
I've read somewhere that the :11 stands for: "SSH2_DISCONNECT_BY_APPLICATION" but I don't understand what it really means.
The server runs CentOS and has SSH password authentication turned off. The only logs that say "Accepted publickey …" are from my own public IP address. So I guess they are not logging in through that method, unless the attacker is really clearing any trace, correct?
Many thanks in advance.
Best Answer
It is brute force attacks.
This is a method that tries to find login access by sending a login request and then testing the result; as long as the result is not logged in, it retries another combination of login/password until access is granted.
Mainly aimed at the internet:
To prevent this kind of attack:
Today most system tools are secure enough against this kind of attack.
I don't think you got hacked unless you had a weak login/password combination. This log doesn't say anything except that the attempts failed.
If hackers had logged in, they would have deleted all logs, not only some logs (too much time for nothing).
What you can do (if you really think you have been hacked) is to check if you have a period without logs or missing logs.
As suggested, you can use a tool to prevent those attacks, like
fail2ban
For information, the message
SSH2_DISCONNECT_BY_APPLICATION
in your case means that this is a zombie login attempt from a botnet that is authored in Java.
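The two checks discussed above (do the disconnecting IPs ever appear in an "Accepted" line, and is there a stretch of time with no log entries) can be scripted. The following is an added example, not code from the original question or answer: it parses sshd syslog lines, counts "Accepted" and "Received disconnect ... 11" events per source IP, labels IPs that disconnect repeatedly without ever authenticating, and reports gaps between consecutive entries. The sample log lines are constructed (RFC 5737 documentation addresses), the year is an assumption because syslog timestamps omit it, and the thresholds `min_disconnects` and `max_gap` are hypothetical defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog sample (not from the original post). An sshd
# "Received disconnect ... 11" line only means the client sent
# SSH_DISCONNECT_BY_APPLICATION; it is logged whether or not the client
# ever authenticated, so it does not need a preceding "Accepted" line.
SAMPLE_LOG = """\
Nov  7 03:47:41 s1 sshd[23430]: Received disconnect from 203.0.113.5: 11: Bye Bye
Nov  7 03:50:02 s1 sshd[23455]: Accepted publickey for admin from 198.51.100.7 port 51234 ssh2
Nov  7 03:55:10 s1 sshd[23455]: Received disconnect from 198.51.100.7: 11: disconnected by user
Nov  7 05:08:16 s1 sshd[24474]: Received disconnect from 203.0.113.5: 11: Bye Bye
Nov  7 06:33:59 s1 sshd[25526]: Received disconnect from 203.0.113.5: 11: Bye Bye
Nov  7 12:14:39 s1 sshd[29894]: Received disconnect from 203.0.113.5: 11: Bye Bye
"""

# Syslog prefix: "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+)")
DISCONNECT_RE = re.compile(r"^Received disconnect from (?P<ip>[\d.]+): (?P<code>\d+):")


def parse_timestamp(ts, year):
    """Syslog timestamps carry no year, so the caller supplies one (assumption)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def summarize(log_text, year=2023):
    """Per-IP counts of accepted logins and disconnects, plus all entry timestamps."""
    per_ip = defaultdict(lambda: {"accepted": 0, "disconnect_11": 0, "other_disconnect": 0})
    timestamps = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line in the expected format
        timestamps.append(parse_timestamp(m.group("ts"), year))
        msg = m.group("msg")
        a = ACCEPTED_RE.match(msg)
        if a:
            per_ip[a.group("ip")]["accepted"] += 1
            continue
        d = DISCONNECT_RE.match(msg)
        if d:
            key = "disconnect_11" if d.group("code") == "11" else "other_disconnect"
            per_ip[d.group("ip")][key] += 1
    return dict(per_ip), timestamps


def classify(per_ip, min_disconnects=3):
    """Label each IP. Repeated disconnects with no 'Accepted' line are
    unauthenticated attempts (scanning / brute force), not a sign of a login."""
    labels = {}
    for ip, c in per_ip.items():
        if c["accepted"] > 0:
            labels[ip] = "authenticated_session"
        elif c["disconnect_11"] + c["other_disconnect"] >= min_disconnects:
            labels[ip] = "unauthenticated_attempts"
        else:
            labels[ip] = "low_volume"
    return labels


def find_gaps(timestamps, max_gap=timedelta(hours=3)):
    """(start, end) pairs where consecutive entries are more than max_gap apart.
    Run this over the full syslog stream in practice; sshd-only lines are
    naturally sparse on a quiet host."""
    ts = sorted(timestamps)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > max_gap]


if __name__ == "__main__":
    counts, stamps = summarize(SAMPLE_LOG)
    for ip, label in classify(counts).items():
        print(f"{ip}: {counts[ip]} -> {label}")
    for start, end in find_gaps(stamps):
        print(f"gap in entries: {start} -> {end}")
```

On the sample, the repeating IP is labelled `unauthenticated_attempts` (four disconnects, zero "Accepted"), the operator's own IP is `authenticated_session`, and one gap longer than three hours is reported. On a real host, feed the whole `/var/log/secure` (or the journal) rather than only the sshd lines, and treat a gap as worth investigating only when other services that normally log steadily also go silent for the same period.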