Re: [LAD] [ot] - NEED some security advise PLEASE!

From: Fons Adriaensen <fons@email-addr-hidden>
Date: Sun Feb 15 2009 - 01:43:17 EET

On Sat, Feb 14, 2009 at 11:55:13PM +0100, Julien Claassen wrote:

> 8226 ? Ss 0:00 sshd: unknown [priv]
> 8227 ? S 0:00 sshd: unknown [net]

> Just before that I only saw "sshd [accept]" and "sshd [net]".
> Shut down sshd, made a new password and restarted sshd. Now it's the same.
> Can I easily check where it's coming from and what it's doing? I don't see
> anything besides those two lines. No other strange processes.

Someone is trying an ssh login - usually from the former
East Bloc - and probably trying a list of user names
and passwords. Do (as root) tail -50 /var/log/secure
to see the show.

It happens here all the time. As long as you don't have
any easily guessed user/passwd combinations the danger
is limited, and closing your network connection for a
minute usually makes them go away. Configuring sshd to
allow only DSA authentication is better, of course.

Last summer I watched one of them and whois told me
this was coming from a Canadian university. Called
their security, and it turned out this was a 'live'
user (very often it's done by malware doing its job
without the system owner being aware). That one won't
try it again, I guess...

Ciao,

-- 
FA
Laboratorio di Acustica ed Elettroacustica
Parma, Italia
O you, what do you bring, running so?
War and death!
_______________________________________________
Linux-audio-dev mailing list
Linux-audio-dev@email-addr-hidden
http://lists.linuxaudio.org/mailman/listinfo/linux-audio-dev
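The two things suggested above, reading the sshd log to "see the show" and locking sshd down to key-only logins, worked through as an added shell example that is not part of the original message or the list archive. The log lines, the hostname "studio", the addresses and the two sshd_config files are constructed for the example; the log format is what OpenSSH writes to /var/log/secure on Red Hat style systems (/var/log/auth.log on Debian style ones). The config check goes a little beyond "DSA only": it also looks at challenge-response and root login, since both are further ways a password guesser can get in.

```shell
#!/bin/sh
# Added example, not from the original message: review an sshd log for
# password-guessing activity and check an sshd_config for key-only login.
# Log lines, hostname "studio", addresses and config files below are
# constructed for the example.

SAMPLE_LOG=$(mktemp)
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$WEAK_CFG" "$HARD_CFG"' EXIT

# Constructed sample of what sshd logs while a user/password list is tried.
cat > "$SAMPLE_LOG" <<'EOF'
Feb 14 23:40:01 studio sshd[8227]: Invalid user oracle from 203.0.113.45
Feb 14 23:40:03 studio sshd[8227]: Failed password for invalid user oracle from 203.0.113.45 port 51234 ssh2
Feb 14 23:40:07 studio sshd[8230]: Invalid user test from 203.0.113.45
Feb 14 23:40:09 studio sshd[8230]: Failed password for invalid user test from 203.0.113.45 port 51240 ssh2
Feb 14 23:40:15 studio sshd[8233]: Failed password for root from 203.0.113.45 port 51251 ssh2
Feb 14 23:41:02 studio sshd[8240]: Failed password for root from 198.51.100.7 port 40022 ssh2
Feb 14 23:42:30 studio sshd[8245]: Accepted publickey for julien from 192.0.2.10 port 55000 ssh2
EOF

# Stock-style config: everything left at its commented-out default, so
# password logins (root included) are accepted.
cat > "$WEAK_CFG" <<'EOF'
#PasswordAuthentication yes
#PubkeyAuthentication yes
#PermitRootLogin yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

# Hardened config: public-key logins only, no password path left open.
cat > "$HARD_CFG" <<'EOF'
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

# failed_logins_by_source LOG: one "count address" line per source, busiest first.
failed_logins_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password for ' "$1" \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# usernames_tried LOG: the account names the guesser has cycled through
# (both real accounts and "invalid user" ones).
usernames_tried() {
    grep 'sshd\[[0-9]*\]: Failed password for ' "$1" \
      | sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from .*/\2/p' \
      | sort -u
}

# sshd_option CFG KEYWORD: effective value, lower-cased. sshd takes the first
# uncommented occurrence of a keyword, so later duplicates are ignored.
sshd_option() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# check_key_only_auth CFG: returns 0 if a guessed password can no longer log
# in, 1 otherwise, naming each setting still to change. An unset keyword means
# the sshd default, which is "yes" for every keyword checked here.
check_key_only_auth() {
    rc=0
    pw=$(sshd_option "$1" PasswordAuthentication)
    cr=$(sshd_option "$1" ChallengeResponseAuthentication)
    pk=$(sshd_option "$1" PubkeyAuthentication)
    rl=$(sshd_option "$1" PermitRootLogin)
    [ "${pw:-yes}" = no ] || { echo "PasswordAuthentication is '${pw:-yes}'; set it to no"; rc=1; }
    # keyboard-interactive is a second way to send a password; close it too
    [ "${cr:-yes}" = no ] || { echo "ChallengeResponseAuthentication is '${cr:-yes}'; set it to no"; rc=1; }
    [ "${pk:-yes}" = yes ] || { echo "PubkeyAuthentication is '$pk'; set it to yes"; rc=1; }
    case "${rl:-yes}" in
        no|without-password|prohibit-password) ;;
        *) echo "PermitRootLogin is '${rl:-yes}'; set it to no or without-password"; rc=1 ;;
    esac
    return $rc
}

echo "Failed logins by source:";  failed_logins_by_source "$SAMPLE_LOG"
echo "Usernames tried:";          usernames_tried "$SAMPLE_LOG"
echo "Checking weak config:";     check_key_only_auth "$WEAK_CFG" || echo "  -> still accepts passwords"
echo "Checking hardened config:"; check_key_only_auth "$HARD_CFG" && echo "  -> key-only"
```

On a real box, point the two log functions at /var/log/secure (or auth.log) and the check at /etc/ssh/sshd_config; the guesser shows up as one address with a long list of usernames, which is the signature to look for. The config reader is deliberately simple: it does not understand Match blocks or Include lines, so on a config that uses them, verify with `sshd -T` instead of trusting this check.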
Received on Sun Feb 15 04:15:02 2009

This archive was generated by hypermail 2.1.8 : Sun Feb 15 2009 - 04:15:02 EET