[HLUG] Last couple of messages didn't go through

tundish tundish at thuswise.org.uk
Wed Jan 4 02:36:38 GMT 2006


>>I have noticed someone has been, or is, trying to gain access to SSH on my
>>Linux server. I get a log sent to my Gmail account every hour from my
>>router. I have noticed SSH port 22 being used. See below.
>>
>>Wed, 2005-12-28 19:29:02 - TCP Packet - Source:202.63.114.43,46799
>>Destination:192.168.0.2,22 - [SSH match]
>>Wed, 2005-12-28 19:29:14 - TCP Packet - Source:202.63.114.43,48700
>>Destination:192.168.0.2,22 - [SSH match]
>>Wed, 2005-12-28 19:29:17 - TCP Packet - Source:202.63.114.43,48779
>>Destination:192.168.0.2,22 - [SSH match]
>>Wed, 2005-12-28 19:29:21 - TCP Packet - Source:202.63.114.43,48858
>>Destination:192.168.0.2,22 - [SSH match]
>>Wed, 2005-12-28 19:29:26 - TCP Packet - Source:202.63.114.43,49768
>>Destination:192.168.0.2,22 - [SSH match]
>>

This is an odd little site:
http://202.63.114.43/

Couldn't find who owns it though:
http://www.networksolutions.com/whois

Maybe someone's doing an nmap scan. Notice how the port numbers change. 
I'm not an expert at all, but I think the idea is to find out what 
version of OpenSSH you have, in case there's an exploit for it.

Make sure you remove useful information (like your kernel version and 
arch) from your SSH login message.

Cheers,

Dave.


