Re: hack attempt on my server...What do you do about this?

This must be automated and/or a script kiddie.  I have basically the same attack 
from another machine:  in /var/log/secure I have

Jul 15 13:03:49 mallard sshd[14051]: Illegal user test from 62.67.45.4
Jul 15 13:03:51 mallard sshd[14051]: Failed password for illegal user test from 62.67.45.4 port 50491 ssh2
Jul 15 13:03:53 mallard sshd[14053]: Illegal user guest from 62.67.45.4
Jul 15 13:03:55 mallard sshd[14053]: Failed password for illegal user guest from 62.67.45.4 port 50703 ssh2
Jul 15 13:03:56 mallard sshd[14055]: Illegal user admin from 62.67.45.4
Jul 15 13:03:58 mallard sshd[14055]: Failed password for illegal user admin from 62.67.45.4 port 50900 ssh2
Jul 15 13:03:59 mallard sshd[14057]: Illegal user user from 62.67.45.4
Jul 15 13:04:02 mallard sshd[14057]: Failed password for illegal user user from 62.67.45.4 port 51090 ssh2
Jul 15 13:04:05 mallard sshd[14059]: Failed password for root from 62.67.45.4 port 51267 ssh2
Jul 15 13:04:09 mallard sshd[14061]: Failed password for root from 62.67.45.4 port 51411 ssh2

I agree with Amadeus that this does not seem like a very sophisticated attack.  
I think it is common to see this sort of stuff that shouldn't be there in logs 
(including some times when there is a break-in).  Machines are more secure than 
they used to be (I have had a half-dozen break-ins over the years but no 
apparent data loss in SUNs), but it still happens and it is prudent to back up 
important user files frequently.

For security, the LinuxBenchmark.pdf document from www.cisecurity.org is a 
useful start (although their suggested rpm -F is not a good way to get updates). 
 It is for an earlier RH version, but it is still useful for basic suggestions 
about how to turn off unneeded services, close unused ports, check file 
permissions, and the like.

-- Phil
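
Added example, not part of the original message: a small Python triage script that groups sshd "Failed password" entries like the ones quoted above by source address and flags addresses that fail repeatedly within a short window. The function names, the thresholds (5 failures in 1 minute) and the placeholder year are assumptions; the sample input is the log excerpt from the message with wrapped lines rejoined.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: the sshd lines quoted in the message above, wrapped lines rejoined.
SAMPLE = """\
Jul 15 13:03:49 mallard sshd[14051]: Illegal user test from 62.67.45.4
Jul 15 13:03:51 mallard sshd[14051]: Failed password for illegal user test from 62.67.45.4 port 50491 ssh2
Jul 15 13:03:53 mallard sshd[14053]: Illegal user guest from 62.67.45.4
Jul 15 13:03:55 mallard sshd[14053]: Failed password for illegal user guest from 62.67.45.4 port 50703 ssh2
Jul 15 13:03:56 mallard sshd[14055]: Illegal user admin from 62.67.45.4
Jul 15 13:03:58 mallard sshd[14055]: Failed password for illegal user admin from 62.67.45.4 port 50900 ssh2
Jul 15 13:03:59 mallard sshd[14057]: Illegal user user from 62.67.45.4
Jul 15 13:04:02 mallard sshd[14057]: Failed password for illegal user user from 62.67.45.4 port 51090 ssh2
Jul 15 13:04:05 mallard sshd[14059]: Failed password for root from 62.67.45.4 port 51267 ssh2
Jul 15 13:04:09 mallard sshd[14061]: Failed password for root from 62.67.45.4 port 51411 ssh2
"""

# Older sshd logs "illegal user", newer releases log "invalid user"; accept both.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<bad>(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def summarize(text, year=2000):
    """Group failed-password events by source address (syslog omits the year,
    so `year` is only a placeholder used to build comparable timestamps)."""
    hosts = defaultdict(lambda: {"times": [], "users": set(), "unknown": 0})
    for line in text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # the bare "Illegal user" notice duplicates the failure line
        h = hosts[m["ip"]]
        h["times"].append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
        h["users"].add(m["user"])
        h["unknown"] += bool(m["bad"])  # account name does not exist on this host
    return hosts

def flag_guessing(hosts, min_failures=5, window=timedelta(minutes=1)):
    """Return addresses with at least min_failures failures inside one window."""
    flagged = []
    for ip, h in hosts.items():
        times = sorted(h["times"])
        for i in range(len(times) - min_failures + 1):
            if times[i + min_failures - 1] - times[i] <= window:
                flagged.append(ip)
                break
    return flagged
```

To run it against a real log, pass the contents of /var/log/secure to summarize() and review the addresses returned by flag_guessing().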


