Any danger from these ports?

Paul paul at all-the-johnsons.co.uk
Sat Jan 8 22:38:24 UTC 2005


Hi,

I've just had a strange email from a friend who seems to have had an
email from an unsavoury character which I sent to a closed list on 20th
Dec.

I've checked my box for r00tkits (none found) and open ports and have
found 1539 and 5335 open. A web search hasn't revealed very much on
these and they seem innocent enough (well, 5335 has been used for a
virus before now...)

There are a few things in my logs which are suspicious...

First are a couple like this

Jan  1 22:18:35 T7 sshd[31409]: Invalid user test from ::ffff:70.56.41.21
Jan  1 22:18:36 T7 sshd[31409]: Address 70.56.41.21 maps to prox.wares-consulting.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!

I seem to be subjected to a dictionary attack.

I get users named guest, admin, test, patrick, rolo, iceuser, horde,
cyrus, www, wwwrun, matt, jane, pamela, cosmin, cip52, cip51, noc,
webmaster, user and no username etc.

Most of the attacks come from three IP addresses (83.235.214.145,
66.78.52.253 and 216.180.243.178) using various ports to get through via
ssh2. None have gotten through.

Should I be overly worried? I've closed ssh on my router, so that's one
line of defence in the way :-)

TTFN

Paul
-- 
"He's not the Messiah, he's a very naughty boy!"
- Life of Brian, Monty Python
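
Added example (not part of the original message): one way to group sshd "Invalid user" lines like the ones quoted above by source address, so that a dictionary attack shows up as one source trying many different usernames. The log lines are constructed samples using documentation addresses, and the `summarize` function and its `min_users` threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the sshd syslog format quoted in the message.
# Addresses are documentation ranges, not the ones from the post.
SAMPLE_LOG = """\
Jan  1 22:18:35 T7 sshd[31409]: Invalid user test from ::ffff:192.0.2.10
Jan  1 22:18:38 T7 sshd[31411]: Invalid user guest from ::ffff:192.0.2.10
Jan  1 22:18:41 T7 sshd[31413]: Invalid user admin from ::ffff:192.0.2.10
Jan  1 22:18:44 T7 sshd[31415]: Invalid user webmaster from ::ffff:192.0.2.10
Jan  1 22:18:47 T7 sshd[31417]: Invalid user  from ::ffff:192.0.2.10
Jan  1 22:18:50 T7 sshd[31419]: Invalid user root from 203.0.113.99 from ::ffff:192.0.2.10
Jan  2 09:02:11 T7 sshd[32001]: Invalid user paul2 from ::ffff:198.51.100.7
Jan  2 09:05:00 T7 sshd[32010]: Accepted password for paul from 203.0.113.5 port 40022 ssh2
"""

# The username is text supplied by the remote side and may be empty or
# contain " from ", so the greedy match plus the end-of-line anchor takes
# the address after the LAST " from ", which is the part sshd wrote.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>.*) from "
    r"(?:::ffff:)?(?P<ip>\S+)(?: port \d+)?$"
)


def summarize(log_text, min_users=3):
    """Return {source_ip: sorted usernames} for every source that tried
    at least min_users distinct invalid usernames."""
    tried = defaultdict(set)
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            # Record the "no username" case explicitly instead of dropping it.
            tried[m.group("ip")].add(m.group("user") or "<empty>")
    return {ip: sorted(users) for ip, users in tried.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    for ip, users in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} invalid usernames tried: {', '.join(users)}")
```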