09-20-2008, 07:29 AM
Nico Kadel-Garcia
Re: Possible attack?

Anon E. Muss wrote:
> On Fri, 19 Sep 2008 09:56:24 -0500, Allen Kistler
> <ackistler@oohay.moc> wrote:
>
>> Anon E. Muss wrote:
>>> I recently noticed excessive activity on my router's activity LED and
>>> did a little investigating. As immediate action, I used a big hammer
>>> and firewalled off 218/8 until I can figure out what is going on here.
>>> Yesterday, it was 201/8.
>>>
>>> Below is most of output of netstat. Can someone let me know what is
>>> going on here? SynFlood?? Also, any suggestions??
>>>
>>> ===== BEGIN =====
>>> Active Internet connections (w/o servers)
>>> Proto Recv-Q Send-Q Local Address Foreign Address State
>>>
>>> [snip]

>> Welcome to the Internet. It's been here for a while. Where have you been?

>
> Been here a while.
>
>> If you have services offered to the world, lots of people are going to
>> try to break in. If you have ssh turned on with guessable usernames
>> (like, you know, root, ftp, httpd, or bin) and authentication using only
>> password enabled, eventually someone is going to guess your lame password.

>
> Not *my* password.
>
> I will go through the users and find out who used a lame-o password.
>
> Thanks for the help.


Ahh. You misunderstand: a lot of that is script kiddies, attacking your
services, and guessing good passwords like Governor Palin's zipcode for her
login password on Yahoo. (Follow her adventures with Wikileaks if you're curious.)
