
Re: SSH attack



I took care of it all last night a couple of minutes after I posted. 
Here's what I did.

I looked at my logs and found that there was no successful root login.
The reason netstat was showing another root connection from the
mentioned IP is that the script kiddie was rapidly connecting to my
sshd service and trying to crack root and a whole bunch of
nonexistent users. This machine only has two accounts on it, root
and my own. Both have extremely complicated passwords, so there's no
way a script could have guessed them anyway. I couldn't kill the user
because the connections were opening and closing too quickly. I
blocked the IP using /etc/hosts.deny on each of my servers. The kids
were looking at each of my IPs trying to find vulnerabilities... but
not anymore. I sent an email to abuse@their.domain to let the
administrator know that one of their users is using scripts to attack
servers over ssh (possibly using a mix of names from some of my mail
user accounts and common names). I'm still waiting for a reply.
Thanks for the input.
Jared
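
An added example, not part of the original post: a Python sketch of the two checks described above, confirming that no root login succeeded and turning repeat offenders into /etc/hosts.deny entries. The log lines are constructed samples in the usual OpenSSH syslog format; the function names and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Oct 12 23:01:02 host sshd[4101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 12 23:01:03 host sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Oct 12 23:01:04 host sshd[4105]: Failed password for invalid user test from 203.0.113.5 port 51251 ssh2
Oct 12 23:01:05 host sshd[4107]: Failed password for root from 203.0.113.5 port 51260 ssh2
Oct 12 23:05:40 host sshd[4150]: Accepted password for jared from 198.51.100.7 port 40022 ssh2
Oct 12 23:09:11 host sshd[4188]: Failed password for jared from 198.51.100.7 port 40031 ssh2
"""

# The username is chosen by the client, so the greedy user group plus the
# end-of-line anchor make the parser take the LAST "from IP port N" on the line.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:(?:invalid|illegal) user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+(?: ssh\d*)?(?:: .*)?\s*$"
)

def summarize(log_text):
    """Return ({ip: {"count", "users"}}, [(user, ip) for accepted logins])."""
    failures = defaultdict(lambda: {"count": 0, "users": set()})
    accepted = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        if m["result"] == "Accepted":
            accepted.append((m["user"], m["ip"]))
        else:
            failures[m["ip"]]["count"] += 1
            failures[m["ip"]]["users"].add(m["user"])
    return dict(failures), accepted

def root_logins(accepted):
    """Source addresses of successful root logins; empty means none succeeded."""
    return [ip for user, ip in accepted if user == "root"]

def hosts_deny_lines(failures, accepted, threshold=3):
    """hosts.deny entries for noisy sources, skipping any address that also
    logged in successfully (assumption: avoid locking out a real user)."""
    known_good = {ip for _, ip in accepted}
    return [f"sshd: {ip}" for ip, e in sorted(failures.items())
            if e["count"] >= threshold and ip not in known_good]

if __name__ == "__main__":
    fails, ok = summarize(SAMPLE_LOG)
    print("root logins:", root_logins(ok) or "none")
    print("\n".join(hosts_deny_lines(fails, ok)))
```

/etc/hosts.deny only affects sshd when it is built with TCP wrappers (libwrap) support, which OpenSSH removed in release 6.7; on such systems the same addresses go into a firewall rule instead.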


