>>>>> "b" == bhiksha <bhiksha@xxxxxxxx> writes: b> Im not sure if "backup" was a valid account in the first place -- I have no such account on any of my machines, so it's certainly not there by default. However, it's possible that some package you installed created that account. I can't think of any package that might have done so; the BackupPC package in extras adds a "backuppc" account, but it's created disabled and with /sbin/nologin as the shell. b> Its easy to make out that its a classic dictionary attack -- b> they've tried about a hundred userids, and attempted to login b> several thousand times. They tried "backup" thrice and managed to b> get in. Well, if you expose port 22 to the Internet, you will find that there are hosts which constantly attempt dictionary attacks against you. You should install something like denyhosts if you want to have them automatically blocked. There are, however, many out there who just treat this as nothing more than noise in their logs. You should of course not leave your machine running and certainly not connected to the Internet; it should be wiped and reinstalled. If you want to do forensics, pull the drive first. There's no telling how many backdoors or malicious bits were installed. - J< -- Fedora-security-list mailing list Fedora-security-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-security-list
