I had nearly the same problem. What I did was to set up snort + guardian. Snort detects root.exe and cmd.exe (together with lots of other things you don't want in your wire). Guardian stops access from that computer for a number of seconds (you decide yourself how long). Was pretty easy to set up and use. Put Demarc on top - and you got yourself a nice IDS.
-- Victor

> Hi gurus
> one of my apache servers is being bombarded by some IPs (in different
> ranges) trying for a root.exe or cmd.exe. etc.
> luckily I'm on redhat 71. linux.
> but the tries frequency is every second from some ip or another.
> I'm running portsentry but portsentry does not log port 80
> how do I block them from permanently accessing my server.
> BTW I've put those IPs in my /etc/hosts.deny still no joy.
>
> thanks
> durga prasad
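
The detect-then-block-for-a-while approach described in the reply, sketched as an added example that is not part of the original thread and is not Snort or Guardian code. It assumes Apache common log format, constructed sample lines, hypothetical function names, and a host that filters with iptables.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache common log format (not from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Sep/2001:10:00:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
192.0.2.10 - - [12/Sep/2001:10:00:02 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
198.51.100.7 - - [12/Sep/2001:10:00:03 +0000] "GET /index.html HTTP/1.0" 200 1043
203.0.113.5 - - [12/Sep/2001:10:00:04 +0000] "GET /scripts/..%255c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0" 404 300
198.51.100.7 - - [12/Sep/2001:10:00:05 +0000] "GET /docs/cmd.exe.html HTTP/1.0" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')
# root.exe or cmd.exe as the last path component, before any query string.
PROBE_RE = re.compile(r'/(?:root|cmd)\.exe(?:\?|$)', re.IGNORECASE)

def find_probes(log_text):
    """Return {ip: time of last probe} for requests asking for root.exe/cmd.exe."""
    last_seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        client, stamp, target = m.groups()
        try:
            ip = str(ipaddress.ip_address(client))  # never pass raw log text on
        except ValueError:
            continue  # hostname or junk in the client field
        if PROBE_RE.search(target):
            last_seen[ip] = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return last_seen

def active_blocks(last_seen, now, block_seconds):
    """IPs whose block (last probe + block_seconds) has not expired at `now`."""
    window = timedelta(seconds=block_seconds)
    return sorted(ip for ip, seen in last_seen.items() if seen + window > now)

def block_commands(ips):
    # Assumption: the host filters with iptables; adapt for another packet filter.
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP" for ip in ips]

if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    now = max(probes.values()) + timedelta(seconds=10)
    print("\n".join(block_commands(active_blocks(probes, now, 60))))
```
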
