One of my servers has a public interface. It is hit by ssh login
attempts on a daily basis and the count for that goes into the thousands
per week. The usernames that have been tried are root, admin,
administrator, etc.
For the last could of weeks I have been getting a lot of login attempts
for a user called "NOUSER". There were over 12000 during the week ending
5th August. The sources of the attempts are geographically
distributed, Norway, US, Korea, Taiwan, India, etc. But the username is
always the same, "NOUSER". I am guessing this is some kind of worm.
Aug 6 17:57:57 <HOSTNAME> pam_tally[28966]: pam_tally: pam_get_uid; no
such user NOUSER
Has anybody else seen such activity or has more information about it?
Anything I should worry about?
If it matters, the box runs an up-to-date FC6.
--
Regards,
विवेक ज. पाटणकर (Vivek J. Patankar)
Registered Linux User #374218
Fedora release 7 (Moonshine)
Linux 2.6.22.1-33.fc7 x86_64
