-----BEGIN PGP SIGNED MESSAGE-----
On Wed, 7 May 2008, Gary Baribault wrote:
I don't know what is going on last night and this morning ... I have three
Linux servers facing the Internet, two on cable modems and another on a static
IP/commercial connection and this last one is a gateway to a
Web/FTP/SMTP/Pop3/NTP Linux based system.
I have DenyHosts installed on all three and have blocked about 75 attempts ..
from known compromised adresses .. The log shows (obviously) that there where
even more attempts from adresses that are unknown to DenyHosts but there was
only one login attemps per adress and it was with the Root account .. which is
obviously blocked in my sshd config ..
Of the three machines, one of them only had about 10 attempts, but the other
two had about 200 attempts .. all of them with only 1 try with the user Root
..
Is any one else seing this? or am I being targeted? This is still going on now
.. and it started arround 10:00 last night GMT+4
Hi,
have seen the same just recently. Around the same no. of attempts, every
one coming from a different host and all tries against the root account.
I haven't seen this before myself and I don't think it's generated by the
same ssh brute forcing malware practically every attackers seems to be
using. Anyone having followed up on this with the originating site and was
able to get the malware? (A colleague of mine is trying that right now but
the chances of getting the malware are slim ...)
Regards,
Andreas Bunten
-----BEGIN PGP SIGNATURE-----
iQEVAwUBSCHuYu67Mb58Bv0lAQFf2gf7BmcpowdlnoN4SAJwQtaTaMLrxBPJtcCn
2lD7E6KE4Um1TFggugqXtkxj+UT+gYOtKvET6zl9KzT7x1D2QpcWle1fg2Rjb6Ee
IX14n940VqEp6d79oG7dmdtuPoYFVeJrlT15HMjJ2D6xUGfSKizzDMtWzhHZG00y
JAm1T22mdUJw/ZtzsHsiWA7i72C8b9X3AAyp+02eCsQU12ROwCNBU5sOzU5sMob0
JaCvguNYL1+7TT0Kf+w7u2cU69f7WHcNMfY53Jf5L7ayvsDmLRzlSdmMFEONwIAu
MoDkCpHdlFGhAiH1ZtcCV+LF7K1YguFi/yTSxUVwGkUpdMfgZ+rPbg==
=Fycx
-----END PGP SIGNATURE-----
