
This is the last log entry in /var/log/messages and after this the machine has been stopped. How can I debug why the machine has been stopped?

I am not sure, but maybe the system stop comes from a foreign attack, because there were a lot of "Authentication failed" messages from pure-ftpd.

Server details:

  • CentOS release 6.3
  • Kernel 2.6.32-279.1.1.el6.x86_64
  • AWS EC2 m1.small instance

    Jun 17 06:48:55 xxxxx pure-ftpd: (?@178.212.111.31) [WARNING] Authentication failed for user [xxxxx.us]
    Jun 17 06:48:55 xxxxx pure-ftpd: (?@178.212.111.31) [INFO] Logout.
    Jun 17 06:48:55 xxxxx pure-ftpd: (?@178.212.111.31) [INFO] New connection from 178.212.111.31
    Jun 17 06:49:01 xxxxx pure-ftpd: (?@178.212.111.31) [WARNING] Authentication failed for user [xxxxx.us]
    Jun 17 06:49:01 xxxxx pure-ftpd: (?@178.212.111.31) [INFO] Logout.
    Jun 17 08:36:10 xxxxx pure-ftpd: (?@195.23.240.21) [INFO] New connection from 195.23.240.21
    Jun 17 08:36:17 xxxxx pure-ftpd: (?@195.23.240.21) [WARNING] Authentication failed for user [admin]
    Jun 17 08:36:17 xxxxx pure-ftpd: (?@195.23.240.21) [INFO] Logout.
    Jun 17 09:06:54 xxxxx init: tty (/dev/tty1) main process (1258) killed by TERM signal
    Jun 17 09:06:54 xxxxx init: tty (/dev/tty2) main process (1260) killed by TERM signal
    Jun 17 09:06:54 xxxxx init: tty (/dev/tty3) main process (1262) killed by TERM signal
    Jun 17 09:06:54 xxxxx init: tty (/dev/tty4) main process (1264) killed by TERM signal
    Jun 17 09:06:54 xxxxx init: serial (hvc0) main process (1266) killed by TERM signal
    Jun 17 09:06:54 xxxxx init: tty (/dev/tty5) main process (1267) killed by TERM signal
    Jun 17 09:06:54 xxxxx init: tty (/dev/tty6) main process (1269) killed by TERM signal
    Jun 17 09:07:08 xxxxx abrtd: Got signal 15, exiting
    Jun 17 09:07:12 xxxxx init: Disconnected from system bus
    Jun 17 09:07:12 xxxxx auditd[1296]: The audit daemon is exiting.
    Jun 17 09:07:12 xxxxx kernel: type=1305 audit(1402996032.289:34539): audit_pid=0 old=1296 auid=4294967295 ses=4294967295 res=1
    Jun 17 09:07:12 xxxxx kernel: type=1305 audit(1402996032.427:34540): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 res=1
    Jun 17 09:07:12 xxxxx kernel: Kernel logging (proc) stopped.
    Jun 17 09:07:12 xxxxx rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="12339" x-info="http://www.rsyslog.com"] exiting on signal 15.
  • Please also provide the version of pure-ftpd; there might be a known exploit for it. That coupled with the older kernel could be your culprit. There was recently a local-user privilege escalation vulnerability found. –  Jun 18 '14 at 16:25
  • This is my current pure-ftpd version: pure-ftpd.x86_64 1.0.30-1.el6 – ibedelovski Jun 19 '14 at 08:02

1 Answer

I believe this is a simple matter of resource allocation with AWS. If your pure-ftpd was getting brute-forced, it would have pegged one of your allocations up to the burst allowance. I am not terribly familiar with how Amazon instances work, but this answer applies to a m1.micro -- it's possible that AWS shut down your instance (even though it was a slightly higher offering).

However, the good news is that your pure-ftpd is the latest package available so from my perusal, I'm not seeing any exploits. The bad news is that your kernel is way old (latest according to my VM is 2.6.32-431.el6) -- which has several.

My recommendation would be to build a new instance with the latest everything updated just to be safe, then migrate anything over to it after taking security precautions, just in case you were compromised. Additionally, I would highly recommend installing fail2ban (at a minimum) and looking into various IDS or firewalling strategies to help lower your attack surface.
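An added example, not code from the question or the answer, that reads the syslog excerpt in the question with the two open points in mind: which source addresses were failing pure-ftpd logins often enough that a fail2ban jail (its `maxretry` and `findtime` knobs) would have banned them, and whether the tail of the log is the trail of an orderly shutdown. The sample lines are the question's own, embedded here as constructed input with the host name still masked and the two kernel audit lines left out. The `maxretry=5` / `findtime=600` defaults mirror fail2ban's stock values but are assumptions of this example, and `analyze` and the other function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the /var/log/messages excerpt from the question (host masked
# as in the post, the two kernel audit lines omitted). analyze() accepts any raw syslog text.
SAMPLE_LOG = """\
Jun 17 06:48:55 xxxxx pure-ftpd: (?@178.212.111.31) [WARNING] Authentication failed for user [xxxxx.us]
Jun 17 06:48:55 xxxxx pure-ftpd: (?@178.212.111.31) [INFO] Logout.
Jun 17 06:48:55 xxxxx pure-ftpd: (?@178.212.111.31) [INFO] New connection from 178.212.111.31
Jun 17 06:49:01 xxxxx pure-ftpd: (?@178.212.111.31) [WARNING] Authentication failed for user [xxxxx.us]
Jun 17 06:49:01 xxxxx pure-ftpd: (?@178.212.111.31) [INFO] Logout.
Jun 17 08:36:10 xxxxx pure-ftpd: (?@195.23.240.21) [INFO] New connection from 195.23.240.21
Jun 17 08:36:17 xxxxx pure-ftpd: (?@195.23.240.21) [WARNING] Authentication failed for user [admin]
Jun 17 08:36:17 xxxxx pure-ftpd: (?@195.23.240.21) [INFO] Logout.
Jun 17 09:06:54 xxxxx init: tty (/dev/tty1) main process (1258) killed by TERM signal
Jun 17 09:06:54 xxxxx init: tty (/dev/tty2) main process (1260) killed by TERM signal
Jun 17 09:06:54 xxxxx init: tty (/dev/tty3) main process (1262) killed by TERM signal
Jun 17 09:06:54 xxxxx init: tty (/dev/tty4) main process (1264) killed by TERM signal
Jun 17 09:06:54 xxxxx init: serial (hvc0) main process (1266) killed by TERM signal
Jun 17 09:06:54 xxxxx init: tty (/dev/tty5) main process (1267) killed by TERM signal
Jun 17 09:06:54 xxxxx init: tty (/dev/tty6) main process (1269) killed by TERM signal
Jun 17 09:07:08 xxxxx abrtd: Got signal 15, exiting
Jun 17 09:07:12 xxxxx auditd[1296]: The audit daemon is exiting.
Jun 17 09:07:12 xxxxx kernel: Kernel logging (proc) stopped.
Jun 17 09:07:12 xxxxx rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="12339" x-info="http://www.rsyslog.com"] exiting on signal 15.
"""

# Classic syslog prefix: "Mon dd HH:MM:SS host message" (no year, so deltas only).
SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")
# pure-ftpd's failed-login line, which is also what a fail2ban pure-ftpd filter keys on.
AUTH_FAIL = re.compile(r"^pure-ftpd: \(\?@(?P<ip>[0-9.]+)\) \[WARNING\] Authentication failed for user \[(?P<user>[^\]]*)\]")
# Upstart/init reporting that it sent TERM to one of its supervised jobs (runlevel change).
INIT_TERM = re.compile(r"^init: .+ main process \(\d+\) killed by TERM signal$")
# Daemons acknowledging SIGTERM on their way down.
DAEMON_EXIT = re.compile(r"Got signal 15, exiting|The audit daemon is exiting|exiting on signal 15")


def parse(log_text):
    """Yield (timestamp, message) per syslog line; lines that do not fit the format are skipped."""
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        yield ts, m["msg"]


def auth_failures(events):
    """Timestamps of failed pure-ftpd logins, grouped by source IP."""
    by_ip = defaultdict(list)
    for ts, msg in events:
        m = AUTH_FAIL.match(msg)
        if m:
            by_ip[m["ip"]].append(ts)
    return by_ip


def brute_force_sources(by_ip, maxretry=5, findtime=600):
    """IPs with at least maxretry failures inside some findtime-second window (fail2ban's rule)."""
    flagged = set()
    for ip, times in by_ip.items():
        times = sorted(times)
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                flagged.add(ip)
                break
    return flagged


def shutdown_signature(events):
    """Classify the end of the log. init killing its jobs with TERM and daemons exiting on
    signal 15 is the trail an orderly halt/reboot leaves; a crash or power loss leaves none."""
    init_terms = [ts for ts, msg in events if INIT_TERM.match(msg)]
    exits = [ts for ts, msg in events if DAEMON_EXIT.search(msg)]
    if init_terms and exits:
        return {
            "verdict": "orderly shutdown via init",
            "started": min(init_terms).strftime("%b %d %H:%M:%S"),
            "init_term_count": len(init_terms),
            "last_exit": max(exits).strftime("%b %d %H:%M:%S"),
        }
    return {"verdict": "no orderly-shutdown trail (log simply ends)", "init_term_count": len(init_terms)}


def analyze(log_text, maxretry=5, findtime=600):
    """Run both checks over raw syslog text and return a single report."""
    events = list(parse(log_text))
    fails = auth_failures(events)
    return {
        "auth_failures_by_ip": {ip: len(t) for ip, t in fails.items()},
        "would_be_banned": sorted(brute_force_sources(fails, maxretry, findtime)),
        "shutdown": shutdown_signature(events),
    }


if __name__ == "__main__":
    # maxretry lowered to 2 only because the excerpt shows a slice of the attempts.
    print(analyze(SAMPLE_LOG, maxretry=2))
```

The shutdown check is the point to settle first: init reporting that it killed its tty and serial getty jobs with TERM, followed by abrtd, auditd and rsyslogd each exiting on signal 15, is what a runlevel change to halt or reboot looks like from inside the guest, whereas a kernel panic, an OOM kill of the logger or a power cut leaves no such trail and the log simply stops. The excerpt is therefore consistent with a `shutdown`, `halt` or `reboot` request, whether typed by a user, run by a script, or delivered by the hypervisor's ACPI stop, so the next things to check are `last -x` (shutdown and runlevel records in wtmp), the sudo entries in `/var/log/secure`, root's shell history, and the instance's console output and state-transition history on the AWS side.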