Is this a security breach?

Gavin asked:

I have a server running Ubuntu 10.04 LTS (I know it is too old), which over the last couple of weeks has on occasion been unresponsive to network traffic, and needed a hard reset first thing in the morning (9am when the office opens).

I have looked through kern.log and noticed a pattern.

After this happens there is usually a UFW block from an incoming external ip address, CIFS VFS error, another UFW block from a different ip address and then nothing logged until the restart. I’m not sure if this means the server has crashed and logging stopped or if the log has been turned off or sanitized.

The external IP addresses vary each time.

Example log:

Feb 19 01:46:43 Server1 kernel: [139893.285676] [UFW BLOCK] IN=eth0 OUT= MAC=00:26:b9:2e:79:5c:3c:81:d8:44:41:00:08:00 SRC=50.30.32.186 DST=10.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=107 ID=2976 DF PROTO=TCP SPT=57588 DPT=80 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0 
Feb 19 02:57:20 Server1 kernel: [144130.370015]  CIFS VFS: No response for cmd 50 mid 52893
Feb 19 02:57:21 Server1 kernel: [144130.760010]  CIFS VFS: No response to cmd 4 mid 52894
Feb 19 02:57:21 Server1 kernel: [144130.760015]  CIFS VFS: Send error in Close = -11
Feb 19 03:36:47 Server1 kernel: [146497.272912] [UFW BLOCK] IN=eth0 OUT= MAC=00:26:b9:2e:79:5c:3c:81:d8:44:41:00:08:00 SRC=86.108.49.79 DST=10.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=29914 DF PROTO=TCP SPT=65452 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
Feb 19 09:00:56 Server1 kernel: [165946.155435] [UFW BLOCK] IN=eth0 OUT= MAC=00:26:b9:2e:79:5c:00:21:9b:29:91:aa:08:00 SRC=169.254.164.54 DST=10.0.0.1 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=24 PROTO=UDP SPT=64676 DPT=53 LEN=69

Does this look like an attempted / successful attack, or a problem with the server itself?

UPDATE

Looks like the general consensus is that this is not an attack but a bug.
As I was fixated on a security breach I neglected to mention that this morning, restarting the server didn’t fix all the problems and I had to troubleshoot a little more. During this I plugged the server into a different port on the switch and things worked shortly after. Just tested the port again and it seems dead. Would this cause an error that would stop logging to kern.log?

My answer:

The firewall entries and the CIFS errors have no obvious relation to each other; they occur way too many minutes apart. And besides, that traffic was blocked.

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.