Hi,

I've just had a strange email from a friend who seems to have had an email from an unsavoury character which I sent to a closed list on 20th Dec. I've checked my box for r00tkits (none found) and open ports and have found 1539 and 5335 open. A web search hasn't revealed very much on these and they seem innocent enough (well, 5335 has been used for a virus before now...)

There are a few things in my logs which are suspicious... First are a couple like this:

Jan 1 22:18:35 T7 sshd[31409]: Invalid user test from ::ffff:70.56.41.21
Jan 1 22:18:36 T7 sshd[31409]: Address 70.56.41.21 maps to prox.wares-consulting.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!

I seem to be subjected to a dictionary attack. I get users named guest, admin, test, patrick, rolo, iceuser, horde, cyrus, www, wwwrun, matt, jane, pamela, cosmin, cip52, cip51, noc, webmaster, user and no username, etc. Most of the attacks come from three IP addresses (83.235.214.145, 66.78.52.253 and 216.180.243.178) using various ports to get through via ssh2. None have gotten through.

Should I be overly worried? I've closed ssh on my router, so that's one line of defence in the way :-)

TTFN
Paul

-- 
"He's not the Messiah, he's a very naughty boy!" - Life of Brian, Monty Python
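As an added example (not part of Paul's post or any tool he mentions), here is a small parser for the two sshd message shapes quoted above that counts invalid-user attempts per source, records which usernames each source tried, and notes sources whose reverse DNS did not map back. The sample log lines, the 192.0.2.x/198.51.100.x addresses and the threshold of three distinct usernames are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# OpenSSH syslog lines as quoted in the post: the IPv4 source is wrapped as an
# IPv4-mapped IPv6 address (::ffff:a.b.c.d) and the username may be empty.
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S*) from (?:::ffff:)?(?P<ip>[\d.]+)"
)
# The "POSSIBLE BREAKIN ATTEMPT" line: forward/reverse DNS for the source disagree.
REVERSE_DNS_RE = re.compile(
    r"sshd\[\d+\]: Address (?P<ip>[\d.]+) maps to (?P<host>\S+), but this does not map back"
)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Jan  1 22:18:35 T7 sshd[31409]: Invalid user test from ::ffff:192.0.2.10
Jan  1 22:18:36 T7 sshd[31409]: Address 192.0.2.10 maps to host.example.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Jan  1 22:18:40 T7 sshd[31412]: Invalid user admin from ::ffff:192.0.2.10
Jan  1 22:18:44 T7 sshd[31415]: Invalid user guest from ::ffff:192.0.2.10
Jan  1 22:19:02 T7 sshd[31420]: Invalid user  from ::ffff:192.0.2.10
Jan  1 22:30:11 T7 sshd[31501]: Invalid user matt from ::ffff:198.51.100.7
Jan  1 22:31:00 T7 sshd[31510]: Accepted publickey for paul from 203.0.113.5 port 51522 ssh2
""".splitlines()


def parse_sshd_log(lines):
    """Return (attempts per IP, usernames tried per IP, IPs with reverse-DNS mismatch)."""
    attempts = Counter()
    users = defaultdict(set)
    rdns_mismatch = set()
    for line in lines:
        m = INVALID_USER_RE.search(line)
        if m:
            attempts[m["ip"]] += 1
            users[m["ip"]].add(m["user"])  # "" records the "no username" case
            continue
        m = REVERSE_DNS_RE.search(line)
        if m:
            rdns_mismatch.add(m["ip"])
    return attempts, users, rdns_mismatch


def dictionary_attack_sources(lines, threshold=3):
    """Sources that tried at least `threshold` distinct invalid usernames (assumed cut-off)."""
    _, users, _ = parse_sshd_log(lines)
    return sorted(ip for ip, names in users.items() if len(names) >= threshold)


if __name__ == "__main__":
    attempts, users, rdns = parse_sshd_log(SAMPLE_LOG)
    for ip in dictionary_attack_sources(SAMPLE_LOG):
        flag = " (reverse DNS mismatch)" if ip in rdns else ""
        print(f"{ip}: {attempts[ip]} attempts, users {sorted(users[ip])}{flag}")
```

Counting distinct usernames rather than raw attempts separates a dictionary run like the one in the post from a single mistyped login, and a successful "Accepted" line from a flagged source would be the thing to alert on.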