Need help with my server log

I just checked my server logs and noticed some odd things in them:

2022-05-20 09:36:48.089872|INFO    |Query         |   |query from 230 176.111.173.44:35788 attempted to login with account "admin" and failed!
2022-05-20 09:36:51.208815|INFO    |Query         |   |query from 230 176.111.173.44:35788 attempted to login with account "admin" and failed!
2022-05-20 09:36:54.325956|INFO    |Query         |   |query from 230 176.111.173.44:35788 attempted to login with account "admin" and failed!
2022-05-20 14:52:31.855916|INFO    |Query         |   |query from 547 193.169.255.38:59660 attempted to login with account "gittest" and failed!
2022-05-20 14:52:35.014230|INFO    |Query         |   |query from 547 193.169.255.38:59660 attempted to login with account "oracle" and failed!
2022-05-20 14:52:38.132973|INFO    |Query         |   |query from 547 193.169.255.38:59660 attempted to login with account "postgres" and failed!
2022-05-20 17:04:30.564336|INFO    |Query         |   |query from 682 176.111.173.44:39820 attempted to login with account "admin" and failed!
2022-05-20 17:04:33.680362|INFO    |Query         |   |query from 682 176.111.173.44:39820 attempted to login with account "admin" and failed!
2022-05-20 17:04:36.795098|INFO    |Query         |   |query from 682 176.111.173.44:39820 attempted to login with account "admin" and failed!
2022-05-21 00:29:16.914996|INFO    |Query         |   |query from 1130 176.111.173.44:33912 attempted to login with account "admin" and failed!
2022-05-21 00:29:20.038209|INFO    |Query         |   |query from 1130 176.111.173.44:33912 attempted to login with account "admin" and failed!
2022-05-21 00:29:23.159548|INFO    |Query         |   |query from 1130 176.111.173.44:33912 attempted to login with account "admin" and failed!
2022-05-21 06:16:47.245759|INFO    |Query         |   |query from 1479 193.169.255.38:6566 attempted to login with account "postgres" and failed!
2022-05-21 06:16:50.364107|INFO    |Query         |   |query from 1479 193.169.255.38:6566 attempted to login with account "postgres" and failed!
2022-05-21 06:16:53.486822|INFO    |Query         |   |query from 1479 193.169.255.38:6566 attempted to login with account "sftpuser" and failed!
2022-05-21 07:55:21.939182|INFO    |Query         |   |query from 1580 176.111.173.44:42722 attempted to login with account "admin" and failed!
2022-05-21 07:55:25.065964|INFO    |Query         |   |query from 1580 176.111.173.44:42722 attempted to login with account "admin" and failed!
2022-05-21 07:55:28.186123|INFO    |Query         |   |query from 1580 176.111.173.44:42722 attempted to login with account "admin" and failed!
2022-05-21 15:22:04.953772|INFO    |Query         |   |query from 2028 176.111.173.44:50318 attempted to login with account "admin" and failed!
2022-05-21 15:22:08.071723|INFO    |Query         |   |query from 2028 176.111.173.44:50318 attempted to login with account "admin" and failed!
2022-05-21 15:22:11.184890|INFO    |Query         |   |query from 2028 176.111.173.44:50318 attempted to login with account "admin" and failed!
2022-05-21 17:10:23.778898|INFO    |Query         |   |query from 2138 193.169.255.38:31118 attempted to login with account "test" and failed!
2022-05-21 17:10:26.898457|INFO    |Query         |   |query from 2138 193.169.255.38:31118 attempted to login with account "test" and failed!
2022-05-21 17:10:30.015470|INFO    |Query         |   |query from 2138 193.169.255.38:31118 attempted to login with account "test" and failed!

And also, my server had a crash after I thought I got this:

2022-05-21 18:23:10.489935|ERROR |Accounting | |failed to register local accounting service: Bad file descriptor

It feels like someone is trying to get into my server. What do you guys think?

Yes. You may close or change the port for ServerQuery.

And this error happens when the server cannot access shared memory (/dev/shm).

4 Likes

For some reason the shared memory became unavailable for the system (Bad file descriptor).

1 Like

I will just block the ports with the firewall, since I don’t really use them; I use TS3 Manager.
Also forgot to add that the memory error is odd, never had that before.

From what I figured out, they were trying to access a remote shell on my server, not specifically attacking TS3.

Please ensure that /dev/shm is properly mounted

1 Like

It is, haven’t got that error for like the whole day :slight_smile:

Google is your friend

https://www.abuseipdb.com/check/176.111.173.193

Close the Port for ServerQuery for connections from outside the machine or add a whitelist of IPs to your firewall.

3 Likes
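
Added example (not part of any post in this thread): before choosing between closing the ServerQuery port and whitelisting, it helps to see which sources produce the failed logins and whether each one hammers a single account or walks a list of generic account names. The function name, the threshold of 3 and the pattern labels are assumptions; the sample lines are copied from the log excerpts in the first post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: lines copied from the log excerpts in the first post.
SAMPLE_LOG = '''\
2022-05-20 09:36:48.089872|INFO    |Query         |   |query from 230 176.111.173.44:35788 attempted to login with account "admin" and failed!
2022-05-20 09:36:51.208815|INFO    |Query         |   |query from 230 176.111.173.44:35788 attempted to login with account "admin" and failed!
2022-05-20 09:36:54.325956|INFO    |Query         |   |query from 230 176.111.173.44:35788 attempted to login with account "admin" and failed!
2022-05-20 14:52:31.855916|INFO    |Query         |   |query from 547 193.169.255.38:59660 attempted to login with account "gittest" and failed!
2022-05-20 14:52:35.014230|INFO    |Query         |   |query from 547 193.169.255.38:59660 attempted to login with account "oracle" and failed!
2022-05-20 14:52:38.132973|INFO    |Query         |   |query from 547 193.169.255.38:59660 attempted to login with account "postgres" and failed!
2022-05-21 06:16:53.486822|INFO    |Query         |   |query from 1479 193.169.255.38:6566 attempted to login with account "sftpuser" and failed!
2022-05-21 18:23:10.489935|ERROR |Accounting | |failed to register local accounting service: Bad file descriptor
'''

# Failed ServerQuery login line, in the format shown in the thread.
FAILED = re.compile(
    r'^(?P<ts>[\d-]+ [\d:.]+)\|INFO\s*\|Query\s*\|\s*\|query from \d+ '
    r'(?P<ip>\S+):\d+ attempted to login with account "(?P<user>[^"]*)" and failed!$'
)

def summarize_failed_logins(log_text, threshold=3):
    """Group failed logins by source IP; return (per-IP summary, flagged IPs)."""
    per_ip = defaultdict(lambda: {"attempts": 0, "accounts": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = FAILED.match(line.strip())
        if not m:
            continue  # e.g. the Accounting error line is not a login event
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        entry = per_ip[m["ip"]]
        entry["attempts"] += 1
        entry["accounts"].add(m["user"])
        entry["first"] = min(entry["first"] or ts, ts)
        entry["last"] = max(entry["last"] or ts, ts)
    for entry in per_ip.values():
        # Many distinct account names from one source suggests a generic username list.
        entry["pattern"] = "username-spraying" if len(entry["accounts"]) > 1 else "single-account"
    flagged = sorted(ip for ip, e in per_ip.items() if e["attempts"] >= threshold)
    return dict(per_ip), flagged

if __name__ == "__main__":
    summary, flagged = summarize_failed_logins(SAMPLE_LOG)
    for ip in flagged:
        e = summary[ip]
        print(f'{ip}: {e["attempts"]} failures, {e["pattern"]}, accounts={sorted(e["accounts"])}, '
              f'{e["first"]} .. {e["last"]}')
```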

Add a GeoIP Whitelist or use something like Spamhaus (think they have a Danger IP List), where Hostnames from Hacked Servers etc. are stored.

For example my Ubiquiti Security Gateway has this type of IP Filter :slight_smile:


Because this is a bit offtopic, feel free to contact me if you have any questions :wink:

2 Likes

XD yeah I just blocked the port entirely but that looks like a nicer solution

1 Like