[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Constant low-level attack

Subject: Constant low-level attack
From: lou at metron.com (Lou Katz)
Date: Thu, 28 Jun 2012 13:31:56 -0700

The other day, I looked carefully at my auth.log (Xubuntu 11.04) and discovered many lines
of the form:

      Jun 28 13:13:54 localhost sshd[12654]: Bad protocol version identification '\200F\001\003\001' from 94.252.177.159

In the past day, I have recorded about 20,000 unique IP addresses used for this type of probe.
I doubt if this is a surprise to anyone - my question is twofold:

1. Does anyone want this evergrowing list of, I assume, compromised machines?
2. Is there anything useful to do with this info other than put the IP addresses into a firewall reject table? I have done
   that and do see a certain amount of repeat hits.

-=[L]=-
--

Follow-Ups:
- Constant low-level attack
  - From: tshaw at oitc.com (TR Shaw)
- Constant low-level attack
  - From: denys at visp.net.lb (Denys Fedoryshchenko)
- Constant low-level attack
  - From: rsk at gsp.org (Rich Kulawiec)

Prev by Date: technical contact at ATT Wireless
Next by Date: technical contact at ATT Wireless
Previous by thread: technical contact at ATT Wireless
Next by thread: Constant low-level attack
Index(es):
- Date
- Thread