[TriLUG] list newbie has stuff to give away (gmail type stuff)

Mike Johnson mike at enoch.org
Tue Aug 24 11:26:34 EDT 2004


James Lloyd Beidler [james at layyze.com] wrote:
>   Point well taken (BTW, I also have RR).  On second inspection I noticed
> that I only got repeat IPs once or twice.  Also, a whois tells me that
> they are coming from China, Korea, Nicaragua, and Brazil (except for the
> repeats, which all came from Shaw cable customers).  The methodical
> request for the same 5 or so usernames makes me think that this is the
> work of some script.  I should update my offer to say that anyone that
> has any good ideas on how to deal with this can get the gmail invite (if
> you want it).

My advice is to simply ignore it.  It's not worth the time and effort to
code up something that will likely false positive on you.  Here's some
information on what you're seeing:
http://isc.sans.org/diary.php?date=2004-08-22
And read the messages titled "SSH Scanner?" on this page:
http://lists.sans.org/pipermail/list/2004-July/thread.html

Like I said, ignore it.  If you don't have those accounts and your
version of openssh is reasonably up to date, you're fine.  You should,
however, attempt to notify the ISPs from which the attacks originate.
You likely won't hear anything back from the overseas attacks, but I
wouldn't be surprised if Shaw pulled the plug on that one IP.

Mike, already gmail'd
-- 
"Spare me your space-age technobabble Atilla The Hun!" --  Zapp Brannigan

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc



