On Sat, 2004-07-31 at 16:56, Christopher J. Bottaro wrote:
> would someone like to explain what is going on to a newb? y'all are
> suffering hacking attempts from korea? or are the addresses spoofed
> from korea or something? thanks.

It appears that a number of people have noted login attempts on the ssh port. Many of these attempts appear to be from systems with IP addresses located in Korea. Not really surprising. Attempts like these occur all the time across the Internet. Tools such as nessus make it very easy to scan huge pools of IP addresses for easily exploited systems.

This particular attempt appears to be automated and is probably a special purpose tool that is looking for some particular type of system with known default user account names/passwords. It is possible that it is a virus that is trying to spread, but viruses normally use a different method (mass emails primarily or compromised web servers).

For the most part this is normal on the Internet. As long as you use strong passwords (8 characters or more, upper/lower case, numerics, special characters, non-dictionary based) and disable any services you don't actually need/use, as well as use a firewall (both hardware and iptables) and keep your system patched, there should be little to be worried about.

The Internet is and has been a hostile space for some time. If you really want to see what is going on, set up a system with snort or use ethereal and connect directly to a cable or dsl router. The number of port scans and attempts at accessing your system may surprise you.

There is not a whole lot you can do about it except take precautions. Running chkrootkit and tripwire can alert you if something changes that should not. But if you do the other things mentioned above you should have little to worry about. Spending a lot of time and effort to track them down is not really worth it IMHO.

--
Scot L. Harris
webid@xxxxxxxxxx

Most burning issues generate far more heat than light.
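
Added example, not part of the original message: a small Python log summarizer that separates the automated default-account guessing described above from an ordinary mistyped password. The log lines are constructed in the OpenSSH sshd syslog style (both the older "illegal user" and the newer "invalid user" wording), the addresses come from the RFC 5737 documentation ranges, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample lines in the OpenSSH sshd syslog style (not from the thread).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jul 31 03:12:01 host sshd[4101]: Failed password for illegal user test from 203.0.113.7 port 40112 ssh2
Jul 31 03:12:03 host sshd[4103]: Failed password for illegal user guest from 203.0.113.7 port 40115 ssh2
Jul 31 03:12:05 host sshd[4105]: Failed password for illegal user admin from 203.0.113.7 port 40119 ssh2
Jul 31 03:12:07 host sshd[4107]: Failed password for root from 203.0.113.7 port 40123 ssh2
Jul 31 08:30:44 host sshd[5200]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Jul 31 08:30:52 host sshd[5200]: Accepted password for alice from 198.51.100.20 port 51000 ssh2
Jul 31 09:01:10 host sshd[5301]: Failed password for invalid user oracle from 192.0.2.55 port 33001 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")

def summarize(log_text, min_failures=3, min_users=3):
    """Return per-source stats and the sources that look like automated guessing."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": False})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            s = stats[m["ip"]]
            s["failures"] += 1
            s["users"].add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m:
            stats[m["ip"]]["accepted"] = True
    # Many failures spread over several account names is the pattern of a
    # default-account scan; one user mistyping a password does not match it.
    suspects = sorted(
        ip for ip, s in stats.items()
        if s["failures"] >= min_failures and len(s["users"]) >= min_users
    )
    # A flagged source that also logged in successfully needs immediate attention.
    compromised = [ip for ip in suspects if stats[ip]["accepted"]]
    return dict(stats), suspects, compromised

if __name__ == "__main__":
    stats, suspects, compromised = summarize(SAMPLE_LOG)
    for ip in suspects:
        print(ip, stats[ip]["failures"], sorted(stats[ip]["users"]))
    print("successful login from a flagged source:", compromised or "none")
```

On a real host, pass the contents of the sshd log file to `summarize` instead of `SAMPLE_LOG`; the path varies by distribution.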