To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

Hi,

since

xinetd_open("Apr-3","02:02:27","ftp","211.99.156.152").
ftp_connect("Apr-3","02:03:09","211.99.156.152").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Apr-3","02:03:11").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Apr-3","02:03:47").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Apr-3","02:04:05").
xinetd_close("Apr-3","02:04:05","ftp").

xinetd_open("Apr-3","15:14:20","ftp","213.61.14.86").
ftp_connect("Apr-3","15:14:22","www.bscreen.de").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Apr-3","15:14:23").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Apr-3","15:15:14").
xinetd_close("Apr-3","15:15:14","ftp").

I have seen a mounting number of knocks at my ftp door.

I tried to reach the latter system but their mailer could not deliver:

"<[EMAIL PROTECTED]>: mail for mail.bscreen.de loops back to myself"

Most of them come from dynamic addresses.

User "[EMAIL PROTECTED]" suggests Windows on the attacking machine.
Only user [Administrator] on the target system suggests they are looking for a Windows system.

Normally "visitors" go away before my inetd has started in.ftpd. So at least they have changed behaviour.

Recent visits last for hours:

xinetd_open("Apr-6","20:33:53","ftp","91.121.10.168").
ftp_connect("Apr-6","20:33:55","ns23102.ovh.net").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Apr-6","20:33:56").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Apr-6","20:34:32").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Apr-6","20:34:48").
xinetd_close("Apr-6","20:34:49","ftp").
...
xinetd_open("Apr-6","23:32:39","ftp","91.121.10.168").
ftp_connect("Apr-6","23:32:39","ns23102.ovh.net").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Apr-6","23:32:39").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Apr-6","23:33:33").
xinetd_close("Apr-6","23:33:33","ftp").

This one is still going on.

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on ns23102.ovh.net (91.121.10.168):
(The 1589 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
143/tcp    open        imap2
445/tcp    filtered    microsoft-ds
465/tcp    open        smtps
5432/tcp   open        postgres
10000/tcp  open        snet-sensor-mgmt

Nmap run completed -- 1 IP address (1 host up) scanned in 58 seconds

DNS seems to be working, returns the real root-servers.
ftp, ssh, smtp do not answer.
http wants to see username and password.

Kind regards
Peter and Karin Dambier

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
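
The following is an added example, not code from the post or its author: it parses facts in the format quoted in the message, ties each ftp session to its source address, and reports sources whose activity spans an hour or more, which is the change in behaviour the post describes. The function names, the one-hour threshold, the placeholder year and the assumption that sessions do not interleave belong to this example; the sample is a subset of the quoted facts.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the facts quoted in the post, redaction kept.
SAMPLE = '''
xinetd_open("Apr-3","02:02:27","ftp","211.99.156.152").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Apr-3","02:03:11").
xinetd_close("Apr-3","02:04:05","ftp").
xinetd_open("Apr-6","20:33:53","ftp","91.121.10.168").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Apr-6","20:33:56").
xinetd_close("Apr-6","20:34:49","ftp").
xinetd_open("Apr-6","23:32:39","ftp","91.121.10.168").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Apr-6","23:32:39").
xinetd_close("Apr-6","23:33:33","ftp").
'''
FACT = re.compile(r'^(\w+)\((.*)\)\.$')  # name(args).

def ts(date, time):
    # The facts carry no year; 2000 is an arbitrary placeholder for arithmetic.
    return datetime.strptime(f"2000-{date} {time}", "%Y-%b-%d %H:%M:%S")

def summarize(text):
    """Per source IP: sessions, failed logins, users tried, first/last seen."""
    stats, cur = {}, None  # assumption: ftp sessions do not interleave
    for line in text.splitlines():
        m = FACT.match(line.strip())
        if not m:
            continue  # skip blanks, "..." elisions and anything malformed
        name, a = m.group(1), re.findall(r'"([^"]*)"', m.group(2))
        if name == "xinetd_open" and len(a) == 4 and a[2] == "ftp":
            cur = stats.setdefault(a[3], {"sessions": 0, "failures": 0,
                                          "users": set(), "first": ts(a[0], a[1])})
            cur["sessions"] += 1
            cur["last"] = ts(a[0], a[1])
        elif cur is not None and name == "ftp_complained" and len(a) == 3:
            user = re.search(r"failed for user \[([^\]]*)\]", a[0])
            if user:
                cur["failures"] += 1
                cur["users"].add(user.group(1))
            cur["last"] = ts(a[1], a[2])
        elif cur is not None and name == "xinetd_close" and len(a) == 3:
            cur["last"] = ts(a[0], a[1])
            cur = None
    return stats

def persistent(stats, min_span_s=3600):
    """Sources whose first-to-last activity spans at least min_span_s seconds."""
    return sorted(ip for ip, s in stats.items()
                  if (s["last"] - s["first"]).total_seconds() >= min_span_s)
```

Calling `persistent(summarize(SAMPLE))` separates the source that returns over hours from the one that gives up after a single short session.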