On Sun, 2004-10-31 at 17:16 +0200, Haim Ashkenazi wrote:
> for a few days now I see in the logs of my firewall (debian/stable)
> entries about someone trying to connect to my SSH server with several
> users (root, test, mysql, etc..) without success. today I saw an entry
> which alarmed me:
> Oct 31 14:37:17 coltrane sshd[17927]: Bad protocol version identification 'GNUTELLA CONNECT/0.6' from 192.168.0.5

This is probably what you would see if someone advertised a gnutella
host with ip 192.168.0.1 (or whatever your server's ip is) and port 22.
Nothing to worry about.

> running chkrootkit (0.43) I got this surprise (the short version):
> parker:~/src/rkhunter# chkrootkit lkm
> ROOTDIR is `/'
> Checking `lkm'... You have 36 process hidden for readdir command
> You have 36 process hidden for ps command
> Warning: Possible LKM Trojan installed

chkrootkit is known to sometimes produce false positives but these
generally don't show up on repeated calls. There was a problem once with
an incompatible libc or somesuch that could explain this (maybe see
http://bugs.debian.org/chkrootkit).

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
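A triage sketch for the two kinds of sshd entries discussed in this thread, added here as an example and not part of the original messages: it separates non-SSH clients that reached port 22 (such as the GNUTELLA line) from a single address trying several usernames. Only the first sample line comes from the thread; the other log lines are constructed in OpenSSH's usual wording, and the function names, prefix table and `min_users` threshold are assumptions.

```python
import re

# Constructed sample input: the first line is the entry quoted in the thread,
# the remaining lines are made up for this example.
SAMPLE_LOG = """\
Oct 31 14:37:17 coltrane sshd[17927]: Bad protocol version identification 'GNUTELLA CONNECT/0.6' from 192.168.0.5
Oct 31 14:40:02 coltrane sshd[17931]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct 31 14:40:05 coltrane sshd[17933]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Oct 31 14:40:09 coltrane sshd[17935]: Failed password for invalid user mysql from 203.0.113.7 port 40141 ssh2
Oct 31 15:02:44 coltrane sshd[18010]: Bad protocol version identification 'GET / HTTP/1.0' from 198.51.100.23
"""

# The banner is text chosen by the remote client, so match it greedily and
# anchor the address at end of line (newer sshd appends " port N").
BANNER_RE = re.compile(
    r"sshd\[\d+\]: Bad protocol version identification '(?P<banner>.*)'"
    r" from (?P<ip>\S+)(?: port \d+)?$")
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+)"
    r" from (?P<ip>\S+)")

# Hypothetical prefix table: first bytes other protocols send on connect.
KNOWN_PREFIXES = (("GNUTELLA CONNECT/", "gnutella"),
                  ("GET ", "http"), ("POST ", "http"), ("HEAD ", "http"))

def classify_banner(banner):
    """Name the protocol a non-SSH client spoke, if the banner is recognised."""
    for prefix, name in KNOWN_PREFIXES:
        if banner.startswith(prefix):
            return name
    return "unrecognised"

def triage(log_text, min_users=3):
    """Split sshd entries into stray non-SSH clients and username guessing."""
    stray, users = [], {}
    for line in log_text.splitlines():
        m = BANNER_RE.search(line)
        if m:
            stray.append((m["ip"], classify_banner(m["banner"])))
            continue
        m = FAILED_RE.search(line)
        if m:
            users.setdefault(m["ip"], set()).add(m["user"])
    # Report an address only once it has tried several distinct usernames.
    guessing = {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}
    return {"stray_clients": stray, "guessing": guessing}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```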