
Any danger from these ports?



Hi,

I've just had a strange email from a friend who seems to have had an
email from an unsavoury character which I sent to a closed list on 20th
Dec.

I've checked my box for r00tkits (none found) and open ports and have
found 1539 and 5335 open. A web search hasn't revealed very much on
these and they seem innocent enough (well, 5335 has been used for a
virus before now...)

There are a few things in my logs which are suspicious...

First are a couple like this

Jan  1 22:18:35 T7 sshd[31409]: Invalid user test from ::ffff:70.56.41.21
Jan  1 22:18:36 T7 sshd[31409]: Address 70.56.41.21 maps to prox.wares-consulting.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!

I seem to be subjected to a dictionary attack.

I get users named guest, admin, test, patrick, rolo, iceuser, horde,
cyrus, www, wwwrun, matt, jane, pamela, cosmin, cip52, cip51, noc,
webmaster, user and no username etc.

Most of the attacks come from three IP addresses (83.235.214.145,
66.78.52.253 and 216.180.243.178) using various ports to get through via
ssh2. None have gotten through.

Should I be overly worried? I've closed ssh on my router, so that's one
line of defence in the way :-)

TTFN

Paul
-- 
"He's not the Messiah, he's a very naughty boy!"
- Life of Brian, Monty Python
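
Added example, not part of the original message: a small Python tally of sshd "Invalid user" lines per source address, of the kind quoted above, which folds the ::ffff: IPv4-mapped form into plain IPv4 and records the reverse-DNS mismatch warning. The function names, the three-username threshold and every sample line after the first two are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: first two lines are from the post, the rest are made up.
SAMPLE_LOG = """\
Jan  1 22:18:35 T7 sshd[31409]: Invalid user test from ::ffff:70.56.41.21
Jan  1 22:18:36 T7 sshd[31409]: Address 70.56.41.21 maps to prox.wares-consulting.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Jan  1 22:19:01 T7 sshd[31420]: Invalid user guest from ::ffff:192.0.2.10
Jan  1 22:19:03 T7 sshd[31422]: Invalid user admin from ::ffff:192.0.2.10
Jan  1 22:19:05 T7 sshd[31424]: Invalid user  from ::ffff:192.0.2.10
Jan  1 22:19:07 T7 sshd[31426]: Invalid user webmaster from 192.0.2.10
Jan  1 22:25:40 T7 sshd[31500]: Accepted publickey for paul from 198.51.100.7 port 40022 ssh2
"""

INVALID = re.compile(r"sshd\[\d+\]: Invalid user (\S*) from (\S+)")
RDNS = re.compile(r"sshd\[\d+\]: Address (\S+) maps to (\S+), but this does not map back")


def normalise(addr):
    """Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) into plain IPv4 so counts merge."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr  # not an IP literal; keep it as logged
    return str(getattr(ip, "ipv4_mapped", None) or ip)


def summarise(log_text):
    """Return {ip: {"attempts": n, "users": set, "rdns_mismatch": name or None}}."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "rdns_mismatch": None})
    for line in log_text.splitlines():
        if m := INVALID.search(line):
            entry = stats[normalise(m.group(2))]
            entry["attempts"] += 1
            entry["users"].add(m.group(1) or "<empty>")  # sshd logs a blank name as-is
        elif m := RDNS.search(line):
            stats[normalise(m.group(1))]["rdns_mismatch"] = m.group(2)
    return dict(stats)


def dictionary_sources(stats, min_users=3):
    """Sources that tried min_users or more distinct unknown accounts (assumed threshold)."""
    return sorted(ip for ip, s in stats.items() if len(s["users"]) >= min_users)


if __name__ == "__main__":
    for ip, s in sorted(summarise(SAMPLE_LOG).items()):
        print(ip, s["attempts"], sorted(s["users"]), s["rdns_mismatch"])
```

Run against a real auth log by passing its text to summarise(); sources returned by dictionary_sources() are candidates for a firewall rule or rate limit.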


