On Fri, 2004-07-30 at 05:45, Brian Fahrlander wrote:
> rhost=216.97.110.1 : 1 Time(s)
> authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=ccia-062-204-197-193.uned.es : 1 Time(s)
>
> su:
> Sessions Opened:
> brian(uid=500) -> root: 1 Time(s)
>
> ------------------------------------------------------------------------
>
> Ok, guys- what do we do with this? Should we be writing down the
> addresses from which these attempts were made? They're probably all
> 'stooge' addresses, I know, but it might help authorities to know what
> other machines have been compromised...
>
> I'll go save the log somewhere...
>
> ------------------------------------------------------------------------

Other than double-checking your system, running chkrootkit, verifying tripwire is set up, monitoring logs, etc., the best thing you can do if you see the same addresses hitting your system is to block them in iptables. And if you don't really need ssh access out to the Internet, disable that service.

Every day people attempt to log in to systems all over. There is no way anyone would be interested in doing anything unless they actually compromise an important system at a company or government facility.

I could be wrong about that, but I doubt if any government organization would lift a finger if someone's personal system was hacked (unless you have lots of money, that is). But like I said, I could be way too cynical about this.

--
Scot L. Harris
webid@xxxxxxxxxx

The bug starts here.
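
The blocking advice in the reply above, sketched as an added example that is not part of the original message: it counts PAM `authentication failure` lines per `rhost` and drafts iptables rules only for hosts that keep coming back. The threshold of 3, the SSH port 22 and the sample log (documentation addresses, an example.net name) are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

FAIL = "authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost="
# Constructed sample in the PAM format quoted above; not taken from a real log.
SAMPLE_LOG = "\n".join([
    "Jul 30 03:12:01 host sshd(pam_unix)[2101]: " + FAIL + "192.0.2.10",
    "Jul 30 03:12:04 host sshd(pam_unix)[2102]: " + FAIL + "192.0.2.10  user=root",
    "Jul 30 03:12:09 host sshd(pam_unix)[2103]: " + FAIL + "192.0.2.10",
    "Jul 30 03:12:15 host sshd(pam_unix)[2104]: " + FAIL + "192.0.2.10",
    "Jul 30 04:40:33 host sshd(pam_unix)[2150]: " + FAIL + "198.51.100.7",
    "Jul 30 05:01:10 host sshd(pam_unix)[2160]: " + FAIL + "scanner.example.net",
    "Jul 30 05:01:12 host sshd(pam_unix)[2161]: " + FAIL + "scanner.example.net",
    "Jul 30 05:01:15 host sshd(pam_unix)[2162]: " + FAIL + "scanner.example.net",
    "Jul 30 05:30:00 host su(pam_unix)[2200]: session opened for user root by brian(uid=500)",
])

RHOST_RE = re.compile(r"authentication failure;.*\brhost=(\S+)")

def count_failures(log_text):
    """Count PAM authentication failures per remote host."""
    counts = Counter()
    for line in log_text.splitlines():
        match = RHOST_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts

def block_plan(counts, threshold=3):
    """Return (iptables rules for repeat IPs, hostnames left for manual review)."""
    rules, review = [], []
    for rhost, hits in sorted(counts.items()):
        if hits < threshold:
            continue  # a single failure is background noise, not a pattern
        try:
            ip = ipaddress.ip_address(rhost)
        except ValueError:
            # rhost is a reverse-DNS name, which the remote side controls;
            # look up the real source address before blocking anything.
            review.append(rhost)
            continue
        tool = "ip6tables" if ip.version == 6 else "iptables"
        rules.append(f"{tool} -I INPUT -s {ip} -p tcp --dport 22 -j DROP")
    return rules, review

if __name__ == "__main__":
    rules, review = block_plan(count_failures(SAMPLE_LOG))
    print("\n".join(rules))
    print("review by hand:", ", ".join(review))
```

The rules are only printed, so they can be read over before anything is applied as root.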