Gary Baribault wrote:
> I don't know what is going on last night and this morning ... I have
> three Linux servers facing the Internet, two on cable modems and another
> on a static IP/commercial connection and this last one is a gateway to a
> Web/FTP/SMTP/Pop3/NTP Linux based system.
> I have DenyHosts installed on all three and have blocked about 75
> attempts .. from known compromised adresses .. The log shows
> (obviously) that there where even more attempts from adresses that are
> unknown to DenyHosts but there was only one login attemps per adress and
> it was with the Root account .. which is obviously blocked in my sshd
> config ..
> Of the three machines, one of them only had about 10 attempts, but the
> other two had about 200 attempts .. all of them with only 1 try with the
> user Root ..
> Is any one else seing this? or am I being targeted? This is still going
> on now .. and it started arround 10:00 last night GMT+4
Hi,
have seen the same just recently! Around the same no. of attempts, every
one coming from a different host and all tries against the root account.
I haven't seen this before myself and I don't think it's generated by the
same ssh brute forcing malware practically every attackers seems to be
using.
Anyone having followed up on this with the originating site and was
able to
get the malware? (A colleague of mine is trying that right now but the
chances of getting the malware are slim ...)
Regards,
Andreas Bunten
Intro
