So first I would SSH into my box and grep through the logs for failed login attempts.
grep -i failed /var/log/auth.log | less
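As an added example (not part of the original post), the same search can be turned into a per-source tally of failed SSH password attempts. The function names, sample log lines and addresses are constructed for illustration, and the usual OpenSSH "Failed password for ... from IP port N ssh2" line format is assumed.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source IP.

# Constructed sample lines in the usual sshd auth.log format
# (addresses are from the documentation ranges, not real hosts).
sample_auth_log() {
cat <<'EOF'
Jan 10 03:12:01 box sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan 10 03:12:04 box sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jan 10 03:12:09 box sshd[2107]: Failed password for invalid user test from 198.51.100.23 port 51514 ssh2
Jan 10 03:13:40 box sshd[2110]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Jan 10 03:14:02 box sshd[2115]: Failed password for root from 203.0.113.7 port 40188 ssh2
Jan 10 03:14:30 box sshd[2118]: Failed password for invalid user x from 192.0.2.99 port 22 from 198.51.100.23 port 51600 ssh2
Jan 10 03:15:11 box sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=1000
EOF
}

# Reads auth log lines from the files given as arguments, or from stdin.
# Prints "<count> <ip>", most active source first.
failed_by_ip() {
  awk '
    /sshd\[[0-9]+\]: Failed password for / {
      # The user name is supplied by the client and may itself contain
      # "from <ip> port <n>", so read the address from the fixed tail of
      # the line ("from <ip> port <n> ssh2") instead of the first "from".
      if (NF >= 5 && $(NF-4) == "from" && $(NF-2) == "port")
        count[$(NF-3)]++
    }
    END { for (ip in count) print count[ip], ip }
  ' "$@" | sort -k1,1nr -k2,2
}

# On a real box: failed_by_ip /var/log/auth.log
sample_auth_log | failed_by_ip
```

The sixth sample line carries a user name containing a decoy address; it is counted against the address at the end of the line, which is the one sshd wrote.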
First I took just one IP from my logs, and Nmap'd it (well they started it!). I found a single SSH port open running a vulnerable version of OpenSSH.
nmap -F 199.33.132.127 -PN
Okay, so using nmap fast scan (looking for the most common ports) I see that port 22 is open.
Now I used a really great website called clez.net to look at the port in more detail.
This site gives me the SSH version and plenty of other interesting info.
So now if I google the SSH version I quickly find that it's an old vulnerable version (OpenSSH 3.9p1).
So it would seem that some poor sucker has got his box owned and now he is scanning my box.
So that's it really. I just wanted to demonstrate to anyone who might read this why it is important to patch.