Hello All- I've got a problem here with 3 complaints from our school's internet provider. All of them have been brute-force attacks against other systems in the world...<br><br>Here is a clip from one log sent to me:
<br>
<pre>
Tag Name                       | Status                                          | Severity | Event Count | Source Count | Target Count | Object Count | Earliest Event          | Latest Event
SSH_Brute_Force                | Attack failure (blocked by Proventia appliance) | High     | 128198      | 1            | 18723        | 1            | 2007-05-03 06:00:00 PDT | 2007-05-04 09:00:00 PDT
HTTP_IIS_Unicode_Wide_Encoding | Detected attack (vuln not scanned recently)     | High     | 50          | 1            | 20           | 1            | 2007-05-01 08:00:00 PDT | 2007-05-03 14:00:00 PDT
SSH_ChallengeResponse_Bo       | Attack failure (blocked by Proventia appliance) | High     | 5           | 1            | 5            | 1            | 2007-05-03 22:00:00 PDT | 2007-05-04 08:00:00 PDT
HTTP_cookieOverflow            | Detected attack (vuln not scanned recently)     | High     | 2           | 1            | 1            | 1            | 2007-05-02 14:00:00 PDT | 2007-05-02 14:00:00 PDT
SSH_Vulnerable_OpenSSH         | Detected event                                  | Medium   | 7067        | 1            | 235          | 1            | 2007-05-03 06:00:00 PDT | 2007-05-04 08:00:00 PDT
HTTP_IIS_Double_Eval_Evasion   | Detected event                                  | Medium   | 112         | 1            | 20           | 1            | 2007-05-01 08:00:00 PDT | 2007-05-04 09:00:00 PDT
HTTP_IIS_Percent_Evasion       | Detected event                                  | Medium   | 46          | 1            | 18           | 1            | 2007-05-01 08:00:00 PDT | 2007-05-04 09:00:00 PDT
HTTP_Proxy_Cache_Poisoning     | Attack failure (blocked by Proventia appliance) | Medium   | 39          | 1            | 15           | 1            | 2007-05-01 08:00:00 PDT | 2007-05-04 08:00:00 PDT
</pre>
<br>Here is a clip from the first log sent to me:<br><br>
<pre>
| SSH_Brute_Force            | 15690 | 2007-05-03 05:17:37 | 2007-05-03 10:43:27 |
| TCP_Service_Sweep          | 471   | 2007-05-03 05:18:10 | 2007-05-03 11:50:14 |
| HTTP_Proxy_Cache_Poisoning | 5     | 2007-05-02 12:42:36 | 2007-05-03 11:39:10 |
+-----------------------------------+--------------+----------------------+----------------------+
</pre>
<br>
<pre>Top 20 Events for SSH_Brute_Force Total Count 15690</pre>
<pre>
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
+ Source Address    + Dest Address       + SPort    + DPort    + Count        + Min Time(PST)        + Max Time(PST)        +
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
| 142.26.181.80     | 66.221.9.56        | 0        | 22       | 447          | 2007-05-03 05:28:08  | 2007-05-03 06:16:10  |
| 142.26.181.80     | 66.221.95.3        | 0        | 22       | 421          | 2007-05-03 05:37:05  | 2007-05-03 06:27:41  |
| 142.26.181.80     | 66.221.94.120      | 0        | 22       | 403          | 2007-05-03 05:41:28  | 2007-05-03 06:29:37  |
| 142.26.181.80     | 66.221.95.148      | 0        | 22       | 364          | 2007-05-03 05:29:36  | 2007-05-03 06:28:44  |
| 142.26.181.80     | 66.221.91.216      | 0        | 22       | 325          | 2007-05-03 05:36:06  | 2007-05-03 06:06:58  |
| 142.26.181.80     | 66.221.91.169      | 0        | 22       | 302          | 2007-05-03 05:41:13  | 2007-05-03 06:29:07  |
| 142.26.181.80     | 66.221.91.190      | 0        | 22       | 284          | 2007-05-03 05:28:54  | 2007-05-03 06:04:53  |
| 142.26.181.80     | 66.221.90.87       | 0        | 22       | 258          | 2007-05-03 05:44:23  | 2007-05-03 06:15:11  |
| 142.26.181.80     | 66.221.90.180      | 0        | 22       | 202          | 2007-05-03 05:33:38  | 2007-05-03 05:51:53  |
| 142.26.181.80     | 66.221.92.31       | 0        | 22       | 181          | 2007-05-03 05:30:57  | 2007-05-03 06:09:46  |
| 142.26.181.80     | 66.221.95.24       | 0        | 22       | 180          | 2007-05-03 05:42:34  | 2007-05-03 06:05:13  |
| 142.26.181.80     | 66.221.91.186      | 0        | 22       | 179          | 2007-05-03 06:04:53  | 2007-05-03 06:28:27  |
| 142.26.181.80     | 66.221.94.240      | 0        | 22       | 175          | 2007-05-03 05:42:45  | 2007-05-03 06:11:20  |
| 142.26.181.80     | 66.221.84.109      | 0        | 22       | 163          | 2007-05-03 05:28:01  | 2007-05-03 06:11:30  |
| 142.26.181.80     | 66.221.87.194      | 0        | 22       | 139          | 2007-05-03 05:46:59  | 2007-05-03 06:09:38  |
| 142.26.181.80     | 66.221.91.218      | 0        | 22       | 137          | 2007-05-03 05:33:31  | 2007-05-03 06:01:05  |
| 142.26.181.80     | 66.221.92.112      | 0        | 22       | 136          | 2007-05-03 05:27:47  | 2007-05-03 06:06:57  |
| 142.26.181.80     | 66.221.89.69       | 0        | 22       | 134          | 2007-05-03 05:30:01  | 2007-05-03 06:07:31  |
| 142.26.181.80     | 66.221.95.97       | 0        | 22       | 127          | 2007-05-03 05:45:18  | 2007-05-03 05:59:54  |
| 142.26.181.80     | 66.221.94.204      | 0        | 22       | 125          | 2007-05-03 05:40:19  | 2007-05-03 05:53:41  |
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
</pre>

<p><pre>Top 20 Events for TCP_Service_Sweep Total Count 471</pre></p>
<p>I found files in /dev/shm/zH and /dev/shm/.info. They don't belong there and didn't have root access?? Standard user access belonging to username 'josh'... I didn't think /dev was writable...???</p>
<p>I've cleaned it out and have had a ton of ports blocked...</p>
<p>Any help would be welcomed.</p>
<p>Thanks, Jim</p>
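<p>The message ends above. What follows is an added example, not part of Jim's post and not a Proventia or ISS tool: a small Python script that parses pipe-delimited "Top 20 Events" rows like the ones in the report and aggregates them per source address, so that a host spraying SSH logins across many destinations at a sustained rate stands out as the likely compromised machine. The sample input is constructed from the first five rows of the SSH_Brute_Force table above plus one made-up benign row (192.0.2.10 to 198.51.100.7, a few attempts against a single host) that the detector must leave alone. The thresholds (3 or more distinct targets, 5 or more attempts per minute) are assumptions chosen for the example, not values from the report.</p>

```python
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample input: the first five rows of the SSH_Brute_Force
# "Top 20 Events" table from the report above, plus one made-up benign row
# (a short SSH session from 192.0.2.10 to a single host) that must not be flagged.
SAMPLE_REPORT = """\
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
+ Source Address + Dest Address + SPort + DPort + Count + Min Time(PST) + Max Time(PST) +
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
| 142.26.181.80 | 66.221.9.56 | 0 | 22 | 447 | 2007-05-03 05:28:08 | 2007-05-03 06:16:10 |
| 142.26.181.80 | 66.221.95.3 | 0 | 22 | 421 | 2007-05-03 05:37:05 | 2007-05-03 06:27:41 |
| 142.26.181.80 | 66.221.94.120 | 0 | 22 | 403 | 2007-05-03 05:41:28 | 2007-05-03 06:29:37 |
| 142.26.181.80 | 66.221.95.148 | 0 | 22 | 364 | 2007-05-03 05:29:36 | 2007-05-03 06:28:44 |
| 142.26.181.80 | 66.221.91.216 | 0 | 22 | 325 | 2007-05-03 05:36:06 | 2007-05-03 06:06:58 |
| 192.0.2.10 | 198.51.100.7 | 0 | 22 | 3 | 2007-05-03 05:30:00 | 2007-05-03 05:30:20 |
+-------------------+--------------------+----------+----------+--------------+----------------------+----------------------+
"""


def parse_rows(report_text):
    """Return one dict per data row of a pipe-delimited 'Top 20 Events' table.
    Border lines and the column header start with '+' and are skipped."""
    rows = []
    for line in report_text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        fields = [f.strip() for f in line.strip("|").split("|")]
        if len(fields) != 7:
            raise ValueError(f"unexpected row layout: {line!r}")
        src, dst, sport, dport, count, tmin, tmax = fields
        rows.append({
            "src": src,
            "dst": dst,
            "sport": int(sport),
            "dport": int(dport),
            "count": int(count),
            "tmin": datetime.strptime(tmin, TS_FMT),
            "tmax": datetime.strptime(tmax, TS_FMT),
        })
    return rows


def summarize_sources(rows):
    """Aggregate rows per source: total attempts, number of distinct targets,
    destination ports touched, and attempts per minute over the source's whole
    active window (floored at one minute so a short burst does not divide by ~0)."""
    acc = defaultdict(lambda: {"count": 0, "dsts": set(), "dports": set(),
                               "tmin": None, "tmax": None})
    for r in rows:
        a = acc[r["src"]]
        a["count"] += r["count"]
        a["dsts"].add(r["dst"])
        a["dports"].add(r["dport"])
        a["tmin"] = r["tmin"] if a["tmin"] is None else min(a["tmin"], r["tmin"])
        a["tmax"] = r["tmax"] if a["tmax"] is None else max(a["tmax"], r["tmax"])
    summary = {}
    for src, a in acc.items():
        minutes = max((a["tmax"] - a["tmin"]).total_seconds() / 60.0, 1.0)
        summary[src] = {
            "count": a["count"],
            "targets": len(a["dsts"]),
            "dports": sorted(a["dports"]),
            "per_minute": a["count"] / minutes,
        }
    return summary


def flag_brute_force(summary, min_targets=3, min_per_minute=5.0):
    """Sources that hit several distinct hosts at a sustained rate.
    The thresholds are assumptions for this example, not values from the report."""
    return sorted(src for src, s in summary.items()
                  if s["targets"] >= min_targets and s["per_minute"] >= min_per_minute)


if __name__ == "__main__":
    summary = summarize_sources(parse_rows(SAMPLE_REPORT))
    for src in flag_brute_force(summary):
        s = summary[src]
        print(f"{src}: {s['count']} attempts against {s['targets']} hosts on port(s) "
              f"{s['dports']} at {s['per_minute']:.1f}/min")
```

<p>On the rows above, 142.26.181.80 aggregates to 1960 attempts against 5 hosts on port 22 in about 61 minutes (roughly 32 per minute), while the benign source stays at one target and is not reported. The per-source view is the one the Proventia summary table does not give directly (its "Source Count" column only says 1), and it is what you want when a provider report lists many sources and you need to know which internal host to pull off the network first.</p>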