On Wed, 21 Apr 2010 00:33:11 -0400 Steve Blackwell zephod@cfl.rr.com wrote:
I was looking at my logwatch mail and saw:
Failed logins from:
   62.39.117.140 (140.117.39-62.rev.gaoland.net): 139 times
   220.128.67.41: 9 times

Illegal users from:
   62.39.117.140 (140.117.39-62.rev.gaoland.net): 229 times
   220.128.67.41: 2 times

Received disconnect:
   11: Bye Bye : 379 Time(s)

so it appears that someone was trying to break into my machine.
I googled rev.gaoland.net (http://whois.domaintools.com/gaoland.net) and it appears to be some kind of French ISP. Is there some place to report this?
Steve
rkhunter is reporting this:
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Suspicious file types found in /dev:
   /dev/shm/mono-shared-500-shared_fileshare-steve.blackwell-Linux-i686-36-12-0:data
   /dev/shm/mono-shared-500-shared_data-steve.blackwell-Linux-i686-312-12-0:data
   /dev/shm/mono.2812: data

Process 2812 is tomboy so that should be OK. What are the other 2? Normal? OK to whitelist them?
Thanks, Steve