You made me panic for a second there, Darren.<br>
<br>
My first thought was, "Oh damn, how do I determine if I have been compromised?"<br>
<br>
My second thought was, "Why bother, I've surely been rooted by now."<br>
<br>
My third thought was, "Wait a minute, I'm reading this on an unpatched
Win2k machine that has been up for 3 months now. Oh yeah, my
router must be doing its job." <br>
<br>
Thank God for $50 hardware firewalls, because I wouldn't bother owning
a computer if I had keep iptables and a Windows firewall up to date.<br>
<br>
That said, this was probably all an elaborate phishing attack which
succeded on getting me to admit there is a mythtv/mythtv account on my
myth box. <br><br><div><span class="gmail_quote">On 12/29/05, <b class="gmail_sendername">Darren Hart</b> <<a href="mailto:darren@dvhart.com">darren@dvhart.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I'm sure nobody here is dumb enough to do this, but since I was, thought I'd<br>pass the word.<br><br>There is an ssh attack going around with a brute force login using 2187<br>different username/password pairs, one such pair happens to be:
<br><br>mythtv:mythtv<br><br>Likle I said, I'm sure noone else but me thought that was a good idea :-) Once<br>in they must ahve found some app to exploit and get root, then it starts<br>scanning addresses - to propogate I guess. There are some indications that
<br>cupsys may have been the culprit there. Anyway, just a heads up, it manifests<br>itself with several sshf processes running (78 in my case) and lots of failed<br>login attempts in /var/log/auth.log*<br><br>--Darren<br>
_______________________________________________<br>mythtv-users mailing list<br><a href="mailto:mythtv-users@mythtv.org">mythtv-users@mythtv.org</a><br><a href="http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users">http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users
</a><br></blockquote></div><br>