# HG changeset patch # User Matti Hamalainen # Date 1251398159 -10800 # Node ID 4769aad8bd14356c2e4a799c396c284cfd170b9c # Parent 6f3d53ea42450122c9607d227b09d12de0609465 Root password bruteforcing check was not always working, fixed. diff -r 6f3d53ea4245 -r 4769aad8bd14 maltfilter --- a/maltfilter Thu Aug 27 00:32:51 2009 +0300 +++ b/maltfilter Thu Aug 27 21:35:59 2009 +0300 @@ -12,7 +12,7 @@ use Net::DNS; use LWP::UserAgent; -my $progversion = "0.17.1"; +my $progversion = "0.17.2"; my $progbanner = "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n". "Programmed by Matti 'ccr' Hamalainen \n". @@ -89,11 +89,11 @@ check_add_hit($2, $mdate, "SSH login scan", "", 13, $settings{"CHK_SSHD"}); } # (1.2) Root account SSH login password bruteforcing attempts. - elsif (/^Failed password for root from (\d+\.\d+\.\d+\.\d+)/) { + elsif ($merr =~ /^Failed password for root from (\d+\.\d+\.\d+\.\d+)/) { check_add_hit($1, $mdate, "Root SSH password bruteforce", "", 13, $settings{"CHK_ROOT_SSH_PWD"}); } # (1.3) System account SSH login password bruteforcing attempts. - if ($merr =~ /^Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)/) { + elsif ($merr =~ /^Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)/) { my $mip = $2; my $macct = $1; if (defined($systemacct{$macct})) { check_add_hit($mip, $mdate, "SSH system account bruteforce", $macct, 13, $settings{"CHK_SYSACCT_SSH_PWD"});
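
Review bot: In the second hunk, turning the (1.3) test from `if` into `elsif` means any line that matches the (1.2) root pattern is consumed there and never reaches the system-account check. The `$merr =~` fix in (1.2) is right, since the old bare `/^Failed password for root .../` matched against `$_` instead of `$merr`. But the result is that root failures are now governed only by `$settings{"CHK_ROOT_SSH_PWD"}`. If `root` is also listed in `%systemacct` and `check_add_hit` ignores hits whose setting is disabled, turning off `CHK_ROOT_SSH_PWD` would silently stop root attempts from being counted under `CHK_SYSACCT_SSH_PWD` as well, which the previous standalone `if` still did. Please either state in a comment on (1.3) that root is deliberately excluded by the chain ordering, or keep (1.3) reachable for root when the root check is disabled. Separately, both patterns capture the source with `(\d+\.\d+\.\d+\.\d+)`, so failed logins from IPv6 addresses match neither branch; that is worth a comment or a follow-up.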