Hi Max,
On Sun, Nov 10, 2013 at 09:46:35PM +0000, Max B wrote:
1443 attempts over a 5 day period, including:
264 attempts at 'postgres'
574 attempts at 'oracle'
585 at 'nagios'
15 at 'tesztuser'
from 37.187.75.221
If by "attempts", you mean SSH login tries, then: Most of my hosts
have SSH login attempts from this IP on hundreds of different user
names and that is with Fail2Ban operating. Without it I wouldn't be
surprised to see thousands or tens of thousands of attempts.
Looks very much like a typical compromised box doing SSH dictionary
attacks.
I would not consider this targeted at any individual site or host,
unless there is something else you aren't mentioning.
The registrar and hosting arrangements don't appear unusual for a
large proportion of domain names out there.
You will probably never establish whether it's someone server that's
been compromised or someone's server that was bought for nefarious
purposes, but assuming they have a special interest in you is in my
opinion going too far based on evidence provided.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting