[HLUG] Last couple of messages didn't go through
tundish
tundish at thuswise.org.uk
Wed Jan 4 02:36:38 GMT 2006
>>I have noticed someone has been/or trying to gain access to my ssh on my
>>linux server. I get a log sent to my gmail account every hour from my
>>router. I have noticed that the ssh port 22 is being used. See below.
>>
>>Wed, 2005-12-28 19:29:02 - TCP Packet - Source:202.63.114.43,46799
>>Destination:192.168.0.2,22 - [SSH match]
>>Wed, 2005-12-28 19:29:14 - TCP Packet - Source:202.63.114.43,48700
>>Destination:192.168.0.2,22 - [SSH match]
>>Wed, 2005-12-28 19:29:17 - TCP Packet - Source:202.63.114.43,48779
>>Destination:192.168.0.2,22 - [SSH match]
>>Wed, 2005-12-28 19:29:21 - TCP Packet - Source:202.63.114.43,48858
>>Destination:192.168.0.2,22 - [SSH match]
>>Wed, 2005-12-28 19:29:26 - TCP Packet - Source:202.63.114.43,49768
>>Destination:192.168.0.2,22 - [SSH match]
>>

This is an odd little site:
http://202.63.114.43/

Couldn't find who owns it though:
http://www.networksolutions.com/whois

Maybe someone's doing an nmap scan. Notice how the port numbers change.
I'm not an expert at all, but I think the idea is to find out what
version of OpenSSH you have, in case there's an exploit for it.

Make sure you remove useful information (like your kernel version and
arch) from your SSH login message.

Cheers,

Dave.
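
An added example, not part of the original post: a parser for the router log format quoted above that counts, per source address, how many connections to port 22 fall inside a short window. The function names, the 60-second window and the threshold of 3 are assumptions, and the last sample entry is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The five entries quoted in the post, unwrapped to one per line (assumed to be
# how the router emits them), plus one constructed entry from a documentation
# address that stays under the threshold.
SAMPLE_LOG = """\
Wed, 2005-12-28 19:29:02 - TCP Packet - Source:202.63.114.43,46799 Destination:192.168.0.2,22 - [SSH match]
Wed, 2005-12-28 19:29:14 - TCP Packet - Source:202.63.114.43,48700 Destination:192.168.0.2,22 - [SSH match]
Wed, 2005-12-28 19:29:17 - TCP Packet - Source:202.63.114.43,48779 Destination:192.168.0.2,22 - [SSH match]
Wed, 2005-12-28 19:29:21 - TCP Packet - Source:202.63.114.43,48858 Destination:192.168.0.2,22 - [SSH match]
Wed, 2005-12-28 19:29:26 - TCP Packet - Source:202.63.114.43,49768 Destination:192.168.0.2,22 - [SSH match]
Wed, 2005-12-28 19:40:00 - TCP Packet - Source:203.0.113.7,40000 Destination:192.168.0.2,22 - [SSH match]
"""

# [\s>]+ also accepts the e-mail form, where an entry wraps onto a ">>" line.
ENTRY = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - TCP Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+)[\s>]+"
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+)"
)

def parse(log_text):
    """Yield (timestamp, source_ip, source_port, dest_port) per log entry."""
    for m in ENTRY.finditer(log_text):
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        yield ts, m["src"], int(m["sport"]), int(m["dport"])

def repeated_ssh_sources(log_text, threshold=3, window=timedelta(seconds=60)):
    """Map source_ip -> peak port-22 connections in one window, if >= threshold."""
    times = defaultdict(list)
    for ts, src, _sport, dport in parse(log_text):
        if dport == 22:  # each new source port is a separate TCP connection
            times[src].append(ts)
    flagged = {}
    for src, stamps in times.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # slide the window forward
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(repeated_ssh_sources(SAMPLE_LOG))
```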