Were the majority of attempts coming from: 210.0.192.40? That's where I seem to be getting the majority of my attempts from.
"Simon Byrnand"
writes: We've been seeing the same thing for a couple of months now. I think it was discussed on this list about a month ago... it's either a worm or a script kiddie script (I forget which) which scans for SSH servers, looking for insecure passwords and attempting to install an IRC bot...
IIRC someone set up a honeypot with username/password root/root specifically to see what would happen and they did get an IRC bot installed and possibly a rootkit as well.
cheers,
Jamie
--
James Riden / j.riden(a)massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog