I am seeing millions (literally) of these in the logs of my machines:

  sshd[30216]: Failed password for root from 203.71.62.9 port 35778 ssh2

I understand that this is some kind of virus, but it's not making me very happy because logcheck and some of our IDS systems are going haywire, creating streams of false alarms.

Other than blacklisting the IPs (which is a race I am going to lose), what are people doing? Are there any distinctive marks in the SSH login attempt that one could filter on?

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: madduck.bogus@madduck.net

"i wish there was a knob on the tv to turn up the intelligence.
 there's a knob called 'brightness', but it doesn't seem to work."
                                                       -- gallagher
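One defensive way to cut the noise described above is to aggregate sshd failure lines per source address before they reach logcheck, so that a stream of failures from one host is reported once as a brute-force source while isolated failures still get a human look. The Python below is an added example, not code from the original message or from logcheck; the log excerpt, the threshold of 3 and the host name are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the sshd line quoted in the message; the optional "invalid user "
# prefix covers sshd's wording for accounts that do not exist.
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2"
)

# Constructed sample log excerpt (assumption, not real traffic).
SAMPLE_LOG = """\
Mar  3 04:12:01 host sshd[30216]: Failed password for root from 203.71.62.9 port 35778 ssh2
Mar  3 04:12:03 host sshd[30218]: Failed password for root from 203.71.62.9 port 35790 ssh2
Mar  3 04:12:05 host sshd[30220]: Failed password for invalid user admin from 203.71.62.9 port 35801 ssh2
Mar  3 04:12:08 host sshd[30222]: Failed password for root from 203.71.62.9 port 35812 ssh2
Mar  3 04:15:44 host sshd[30301]: Failed password for alice from 192.0.2.10 port 51022 ssh2
Mar  3 04:15:50 host sshd[30301]: Accepted password for alice from 192.0.2.10 port 51022 ssh2
"""


def parse_failures(log_text):
    """Yield (user, ip) for every sshd 'Failed password' line; other lines are skipped."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def classify_sources(log_text, threshold=3):
    """Return (noisy, isolated): ip -> failure count, split at `threshold`.

    `noisy` sources are the brute-force streams that deserve one summary
    alert; `isolated` ones are single failures that may be worth a look.
    """
    per_ip = Counter()
    users_by_ip = defaultdict(set)
    for user, ip in parse_failures(log_text):
        per_ip[ip] += 1
        users_by_ip[ip].add(user)
    noisy = {ip: n for ip, n in per_ip.items() if n >= threshold}
    isolated = {ip: n for ip, n in per_ip.items() if n < threshold}
    return noisy, isolated


if __name__ == "__main__":
    noisy, isolated = classify_sources(SAMPLE_LOG)
    for ip, n in noisy.items():
        print(f"brute-force source {ip}: {n} failed logins (summarised)")
    for ip, n in isolated.items():
        print(f"isolated failure from {ip}: {n} attempt(s), review")
```

Feeding the summary rather than the raw lines to the alerting pipeline keeps the IDS from paging on every individual attempt.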