Hacker activity?

[Vulpes Velox]

On Thu, 28 Oct 2004 10:39:32 -0600
Steve Suhre <steve at Antero.com> wrote:

> 
> 
> I'm not sure if this is the correct group...but I'm getting some
> weird activity on the network. The security reports will show 50-100
> attempts to login to a server, most as root but some are attempts to
> login to other seemingly random account names. The login attempts
> are through ssh or telnet, all come from the same remote server, and
> all fail. I'm also getting some odd cgi calls to a script on a
> secure ssl server. There's nothing that this particular script could
> do for a hacker, but the script is sent a random string, sometimes
> many times a minute, other times it's every 2 -3 minutes. I grabbed
> the ip address and blocked it, and about 10 minutes later it had
> moved to another ip. I'm now blocking a range of ip's. These don't
> seem like enough iterations to be very successful, the odds are
> overwhelmingly in favor of the server at this rate... Does anyone
> have a clue what might be happening or where I should go to find
> out?

If it all from a common subnet, I would block it. I would then whois
to see who if there is a abuse addy I could complain to or the like.

Also man login.conf.

Sounds like some jerk singled you out is is possibly is trying it all
on a subnet. Back in before moving stuff off common ports, I would get
massive amounts of that crap. It was basically ppl trying any thing in
the colleges address space.