I've noticed a few posts over the past week or so regarding users' servers being probed by remote ssh attempts. Coincidentally (or perhaps not so), around that time, I began getting quite a few records of such attempts to my server, at the rate of about 3 tries per IP, and about three IPs per night. Unfortunately, last night (Mon Sep 13), this attack was much more concentrated and persistent: someone from (or spoofing from) one IP (211.250.185.100) hammered my server with login attempts over a 20-minute period. The last report I got was a final, failed root password at 20:22:13 Eastern Time (GMT-5:00).
I just read this record and logged into my server, and ran "last", which gave me a blank record, saying only: wtmp begins Tue Sep 14 22:01:55 EDT 2004 ...which happened to be the exact time I just logged into my server. I'm wondering if it is a normal clean-up occurrence for the 'last' log to turn over at a certain time/date, or if this ssh-er finally got into my system and cleaned up his/her tracks? I realize the power of one who has root privileges, but what logs would they have wiped out to remain invisible, and what others might I have a possible chance of looking at to determine what happened?

_______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
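The two checks a practitioner would want to run before concluding that "last" was wiped, as an added example that is not part of the original post or of FreeBSD itself. On FreeBSD, newsyslog(8) rotates /var/log/wtmp by renaming it to wtmp.0 (older copies become wtmp.1 and so on, gzip'd if the Z flag is set in /etc/newsyslog.conf), so a legitimately rotated history is still readable with "last -f /var/log/wtmp.0"; an empty wtmp with no archived copy is not explained by rotation. The second check lists which accounting and syslog files were modified after a reference time, since an intruder who truncates or edits them usually leaves fresh mtimes. The script builds a constructed /var/log look-alike in a temporary directory; the list of file names it inspects and the timestamps it uses are assumptions chosen to mirror the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks whether an empty
# "last" output is explained by newsyslog rotation, and which log files were
# touched after a reference time, on a constructed fixture.

# check_wtmp_rotation DIR
#   Prints one word:
#     rotated     DIR/wtmp.0 or DIR/wtmp.0.gz exists, so an empty wtmp is
#                 expected and the old history is in the archived copy
#     no-archive  wtmp exists but nothing was rotated; emptiness is unexplained
#     missing     there is no wtmp in DIR at all
check_wtmp_rotation() {
    dir=$1
    if [ ! -e "$dir/wtmp" ]; then
        echo missing
    elif [ -e "$dir/wtmp.0" ] || [ -e "$dir/wtmp.0.gz" ]; then
        echo rotated
    else
        echo no-archive
    fi
}

# logs_newer_than DIR REF
#   Prints the names of the login-accounting and syslog files in DIR whose
#   mtime is later than that of the file REF (touch REF to the last time the
#   logs were known to be intact). The file list is the usual FreeBSD set and
#   is an assumption here; adjust it to what /etc/syslog.conf writes.
logs_newer_than() {
    dir=$1
    ref=$2
    for f in wtmp wtmp.0 utmp lastlog auth.log messages security; do
        [ -e "$dir/$f" ] && [ "$dir/$f" -nt "$ref" ] && echo "$f"
    done
    return 0
}

# Demo on a constructed fixture (assumed timestamps): wtmp.0 rotated on the
# 13th, wtmp and auth.log rewritten around 22:01 on the 14th, reference time
# set to 20:00 on the 14th, shortly before the login reported by "last".
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/wtmp";     touch -t 200409142201 "$tmp/wtmp"
    : > "$tmp/wtmp.0";   touch -t 200409130500 "$tmp/wtmp.0"
    : > "$tmp/auth.log"; touch -t 200409142202 "$tmp/auth.log"
    : > "$tmp/messages"; touch -t 200409131200 "$tmp/messages"
    : > "$tmp/ref";      touch -t 200409142000 "$tmp/ref"
    echo "wtmp rotation: $(check_wtmp_rotation "$tmp")"
    echo "logs modified after the reference time:"
    logs_newer_than "$tmp" "$tmp/ref"
    rm -rf "$tmp"
}

demo
```

Run it against the real directory with `check_wtmp_rotation /var/log` and `logs_newer_than /var/log /some/reference/file`, and compare the result with the wtmp entry in /etc/newsyslog.conf: a "rotated" verdict whose wtmp.0 mtime does not match the configured rotation schedule is still worth a closer look. Both checks are leads, not proof: root can set arbitrary mtimes with touch(1), so a file that is not newer than the reference has not been cleared of suspicion, and the archived wtmp.0 can be edited just as easily as wtmp.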