To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Hi,
since
xinetd_open("Apr-3","02:02:27","ftp","211.99.156.152").
ftp_connect("Apr-3","02:03:09","211.99.156.152").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Apr-3","02:03:11").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Apr-3","02:03:47").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Apr-3","02:04:05").
xinetd_close("Apr-3","02:04:05","ftp").
xinetd_open("Apr-3","15:14:20","ftp","213.61.14.86").
ftp_connect("Apr-3","15:14:22","www.bscreen.de").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Apr-3","15:14:23").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Apr-3","15:15:14").
xinetd_close("Apr-3","15:15:14","ftp").
I have seen a mounting number of knocks at my ftp door.
I tried to reach the latter system, but their mailer could not deliver:
"<[EMAIL PROTECTED]>: mail for mail.bscreen.de loops back to myself"
Most of them come from dynamic addresses.
User "[EMAIL PROTECTED]" suggests Windows on the attacking machine.
Only user [Administrator] on the target system suggests they are looking
for a Windows system.
Normally "visitors" go away before my inetd has started in.ftpd, so at least
they have changed behaviour.
Recent visits last for hours:
xinetd_open("Apr-6","20:33:53","ftp","91.121.10.168").
ftp_connect("Apr-6","20:33:55","ns23102.ovh.net").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Apr-6","20:33:56").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Apr-6","20:34:32").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Apr-6","20:34:48").
xinetd_close("Apr-6","20:34:49","ftp").
...
xinetd_open("Apr-6","23:32:39","ftp","91.121.10.168").
ftp_connect("Apr-6","23:32:39","ns23102.ovh.net").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Apr-6","23:32:39").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Apr-6","23:33:33").
xinetd_close("Apr-6","23:33:33","ftp").
This one is still going on.
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on ns23102.ovh.net (91.121.10.168):
(The 1589 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
143/tcp open imap2
445/tcp filtered microsoft-ds
465/tcp open smtps
5432/tcp open postgres
10000/tcp open snet-sensor-mgmt
Nmap run completed -- 1 IP address (1 host up) scanned in 58 seconds
DNS seems to be working; it returns the real root servers.
ftp, ssh, smtp do not answer.
http wants to see a username and password.
Kind regards
Peter and Karin Dambier
--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
_______________________________________________
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
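The log facts quoted in the post (xinetd_open / ftp_connect / ftp_complained / xinetd_close) lend themselves to a small correlation script: stitch each connection into a session, total the failures and lockouts per source address, and tag the sources that come back for hours. The following is an added example, not the poster's own tooling or anything from the list. It assumes one fact per line terminated by ")." and a single ftp session open at a time (as in the quoted log); the log carries no year, so ASSUMED_YEAR is used only to make timestamps comparable, and SAMPLE_LOG is constructed to mirror the quoted lines with a placeholder in place of the redacted e-mail address.

```python
# Added example, not the poster's own tooling: parse the Prolog-style
# xinetd/ftp facts quoted in the post and summarise per-source activity.
# Assumptions: one fact per line ending in ")."; no year in the log, so
# ASSUMED_YEAR only makes timestamps comparable; SAMPLE_LOG is constructed
# to mirror the post's lines, with a placeholder for the redacted address.
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

FACT_RE = re.compile(r'^(\w+)\((.*)\)\.\s*$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # quoted arguments
USER_RE = re.compile(r'user \[([^\]]+)\]')
ASSUMED_YEAR = 2008                           # assumption, log has no year

SAMPLE_LOG = """\
xinetd_open("Apr-3","02:02:27","ftp","211.99.156.152").
ftp_connect("Apr-3","02:03:09","211.99.156.152").
ftp_complained("(x@attacker.invalid) [WARNING] Authentication failed for user [Administrator]","Apr-3","02:03:11").
ftp_complained("(x@attacker.invalid) [ERROR] Too many authentication failures","Apr-3","02:04:05").
xinetd_close("Apr-3","02:04:05","ftp").
xinetd_open("Apr-6","20:33:53","ftp","91.121.10.168").
ftp_connect("Apr-6","20:33:55","ns23102.ovh.net").
ftp_complained("(x@attacker.invalid) [WARNING] Authentication failed for user [Administrator]","Apr-6","20:33:56").
ftp_complained("(x@attacker.invalid) [WARNING] Authentication failed for user [Administrator]","Apr-6","20:34:32").
ftp_complained("(x@attacker.invalid) [ERROR] Too many authentication failures","Apr-6","20:34:48").
xinetd_close("Apr-6","20:34:49","ftp").
xinetd_open("Apr-6","23:32:39","ftp","91.121.10.168").
ftp_connect("Apr-6","23:32:39","ns23102.ovh.net").
ftp_complained("(x@attacker.invalid) [WARNING] Authentication failed for user [Administrator]","Apr-6","23:32:39").
ftp_complained("(x@attacker.invalid) [ERROR] Too many authentication failures","Apr-6","23:33:33").
xinetd_close("Apr-6","23:33:33","ftp").
"""


def parse_fact(line):
    """'name("a","b").' -> ('name', ['a', 'b']); None for non-fact lines."""
    m = FACT_RE.match(line.strip())
    return (m.group(1), ARG_RE.findall(m.group(2))) if m else None


def stamp(day, clock):
    return datetime.strptime(f"{ASSUMED_YEAR}-{day} {clock}", "%Y-%b-%d %H:%M:%S")


@dataclass
class Session:
    src: str
    opened: datetime
    closed: datetime = None
    users: set = field(default_factory=set)   # names tried in this session
    failures: int = 0
    locked_out: bool = False                  # "Too many authentication failures"


def sessions_from_log(text):
    """One Session per connection; xinetd logs these one at a time (assumption)."""
    sessions, cur = [], None
    for line in text.splitlines():
        fact = parse_fact(line)
        if not fact:
            continue
        name, args = fact
        if name == "xinetd_open" and args[2] == "ftp":
            cur = Session(src=args[3], opened=stamp(args[0], args[1]))
            sessions.append(cur)
        elif cur is None:
            continue
        elif name == "ftp_complained" and "Authentication failed" in args[0]:
            cur.failures += 1
            u = USER_RE.search(args[0])
            if u:
                cur.users.add(u.group(1))
        elif name == "ftp_complained" and "Too many authentication" in args[0]:
            cur.locked_out = True
        elif name == "xinetd_close" and args[2] == "ftp":
            cur.closed = stamp(args[0], args[1])
            cur = None
    return sessions


def by_source(text):
    """Map source IP -> list of its sessions, in log order."""
    out = {}
    for s in sessions_from_log(text):
        out.setdefault(s.src, []).append(s)
    return out


def stats(sessions):
    """Totals for one source's sessions; span is first open to last close."""
    return {
        "sessions": len(sessions),
        "failures": sum(s.failures for s in sessions),
        "lockouts": sum(s.locked_out for s in sessions),
        "users": set().union(*(s.users for s in sessions)),
        "span": max(s.closed or s.opened for s in sessions) - min(s.opened for s in sessions),
    }


def classify(st):
    """'bruteforce': a lockout or >= 3 failures; 'windows-admin-target': only
    [Administrator] tried; 'persistent': comes back over an hour or longer."""
    tags = set()
    if st["lockouts"] or st["failures"] >= 3:
        tags.add("bruteforce")
    if st["users"] == {"Administrator"}:
        tags.add("windows-admin-target")
    if st["sessions"] >= 2 and st["span"] >= timedelta(hours=1):
        tags.add("persistent")
    return tags


if __name__ == "__main__":
    for src, sess in by_source(SAMPLE_LOG).items():
        st = stats(sess)
        print(src, st["sessions"], st["failures"], st["span"], sorted(classify(st)))
```

Run against the constructed sample, 91.121.10.168 comes out with two sessions, three failures and a span of just under three hours, so it is tagged persistent as well as bruteforce; 211.99.156.152 gets only the bruteforce and windows-admin-target tags from its single locked-out session. The thresholds in classify are arbitrary starting points, not values from the post.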