
Re: SSH attack



On Sun, 2 Oct 2005 22:57:25 -0700
Jared Hall <jrhall@gmail.com> wrote:

> It looks like I am being rooted right now.  How do I toss this guy off
> of my system?  He has an IP address of 210.95.212.131

It's happening here. I've logged thousands of attempts from chinanet
and kornet within the last few days. I've reported (as if that would do
any good) with "Free Tibet" and of course copies of the log - 500K in
one instance(!) but am more interested in just blocking their
entire /24 if need be.

The question is - how?

IP 210.95.212.131 (using whois) belongs to pubnet.ne.kr. I'd send a
heads up email to abuse@pubnet.ne.kr and CC it to ip@pubnet.ne.kr.

> Please get back to me fast.  I took the compilers off of the system,

If you only see "Failed attempt" then you're probably safe - there are
probably script kiddies running password sniffers or crackers. Note the
port(s) tried - in my case they are non-standard ones - and block them
with your firewall. Check and/or install chkrootkit.

I certainly hope you're not infected, and if so, you'll need to
reinstall.

> Jared


-- 
------------------------------------------------------------------------
David E. Fox                              Thanks for letting me
dfox@tsoft.com                            change magnetic patterns
dfox@m206-157.dsl.tsoft.com               on your hard disk.
-----------------------------------------------------------------------
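
Added example, not part of the original message: a log triage script for the two checks discussed above, counting failed SSH logins per /24 to find ranges worth blocking and flagging any successful login from a network that also produced failures. It assumes OpenSSH-style "Failed password" / "Accepted password" syslog lines; the sample log, user names and addresses are constructed (RFC 5737 documentation ranges).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the OpenSSH syslog style (assumption: your sshd logs
# "Failed password ..." / "Accepted password ..." lines like these).
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Oct  2 22:51:03 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 4242 ssh2
Oct  2 22:51:05 host sshd[4103]: Failed password for root from 203.0.113.7 port 4250 ssh2
Oct  2 22:51:09 host sshd[4107]: Failed password for invalid user test from 203.0.113.99 port 4301 ssh2
Oct  2 22:52:40 host sshd[4120]: Failed password for jared from 198.51.100.20 port 5120 ssh2
Oct  2 22:52:48 host sshd[4122]: Accepted password for jared from 198.51.100.20 port 5123 ssh2
Oct  2 22:53:10 host sshd[4130]: Accepted publickey for dfox from 192.0.2.15 port 6001 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def summarize(log_text, threshold=3):
    """Return (failures per /24, /24s at or over threshold, suspect logins)."""
    failures = Counter()   # /24 network -> failed attempts
    accepted = []          # (user, ip, /24) for every successful login
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome, user, ip = m.groups()
        try:
            net = str(ipaddress.ip_network(ip + "/24", strict=False))
        except ValueError:  # e.g. an octet above 255 in a mangled line
            continue
        if outcome == "Failed":
            failures[net] += 1
        else:
            accepted.append((user, ip, net))
    block = sorted(n for n, c in failures.items() if c >= threshold)
    # A success from a network that also produced failures needs a closer look.
    suspect = [(u, ip) for u, ip, net in accepted if failures[net] > 0]
    return failures, block, suspect

if __name__ == "__main__":
    failures, block, suspect = summarize(SAMPLE_LOG)
    for net in block:
        print("candidate /24 to block:", net)
    for user, ip in suspect:
        print("login to review: %s from %s" % (user, ip))
```

The script only reports; the listed networks still have to be added to the firewall's deny rules by hand, and a flagged login may simply be a legitimate user who mistyped a password first.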


