Thread: intrusion?

  #3  
Old 07-16-2008, 07:22 AM
Re: intrusion?

Hello,

On Wednesday 16 July 2008, gtu2003@alice.it wrote to All:

gt> In my /var/log/messages I have a lot (6000+) of:
gt> Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from
gt> what is it? I need to write to something like abuse@72.3.243.92
gt> ?

Obviously somebody is trying to force an ssh login on your machine, no
doubt with the purpose to do something nasty.
Disconnect your system from the internet immediately, at once and now
until you are ready!
I doubt if writing to abuse@72.3.243.92 will have any effect. Most
likely he is the same as the culprit.
Check your log files to see if anybody got in already.
Run a rootkit checker to see if any harm was done. If there was any,
best format that partition and do a fresh install. Don't use your
backups, because you don't know if they have been infected.
Switch off your sshd server if you don't really need it.
In the /etc/hosts.deny put a line like
ALL: ALL
to stop access to all services for everybody.
Put a line in /etc/hosts.allow like
ALL: 192.168.178.0/255.255.255.0, 127.0.0.0/255.0.0.0
to allow for addresses on your local network (obviously you have to
put your own addresses there).
Add lines to your iptables like
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p udp --dport 22 -j DROP
to stop all external access to tcp and udp ports 22 (ssh).
When you're satisfied that everything is all right, connect to the
internet again.

Good luck!

Regards,

Hans.

jdh punt beekhuizen bij duinheks punt nl
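An added example, not part of Hans's reply: a small Python script for the "check your log files" step above. It counts the `Invalid user ... from` lines per source address and flags any `Accepted` login that came from an address which also produced repeated failures. The log lines below are constructed for the example and use documentation IP ranges, not the addresses from the thread.

```python
import re
import sys
from collections import Counter

# Constructed sample of /var/log/messages lines in the sshd format shown in the thread.
SAMPLE_LOG = """\
Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from 192.0.2.10
Jul 16 12:51:22 sole sshd[6671]: Invalid user oracle from 192.0.2.10
Jul 16 12:51:24 sole sshd[6673]: Failed password for invalid user oracle from 192.0.2.10 port 40312 ssh2
Jul 16 12:52:01 sole sshd[6680]: Invalid user test from 198.51.100.7
Jul 16 12:53:10 sole sshd[6690]: Accepted password for hans from 192.168.178.5 port 51022 ssh2
Jul 16 12:54:45 sole sshd[6702]: Accepted password for root from 192.0.2.10 port 40400 ssh2
"""

INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)")


def summarize(log_text, threshold=2):
    """Return (attempts_per_ip, accepted_logins, suspicious_logins).

    attempts_per_ip:   Counter of 'Invalid user' lines per source address.
    accepted_logins:   list of (user, ip, method) for every successful login.
    suspicious_logins: accepted logins whose source address also produced at
                       least `threshold` invalid-user attempts, i.e. the first
                       thing to look at when asking whether anybody got in.
    """
    attempts = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = INVALID_RE.search(line)
        if m:
            attempts[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group(2), m.group(3), m.group(1)))
    suspicious = [a for a in accepted if attempts[a[1]] >= threshold]
    return attempts, accepted, suspicious


if __name__ == "__main__":
    # Read the real log from stdin (e.g. `python3 check_sshd.py < /var/log/messages`),
    # or fall back to the constructed sample when run interactively.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    attempts, accepted, suspicious = summarize(text)
    for ip, n in attempts.most_common():
        print(f"{n:6d} invalid-user attempts from {ip}")
    for user, ip, method in suspicious:
        print(f"WARNING: '{user}' logged in via {method} from {ip}, which also brute-forced")
```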
