To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
On 10/6/07, James Pleger <[EMAIL PROTECTED]> wrote:
> This looks like standard FTP brute-forcing...
>
> Typical targets of these attacks are MS FTP servers; they will target
> the Administrator account so they can get that account's password, and
> then upload files and execute them, or otherwise compromise the box.
>
> I have seen this activity for many years, and more likely than not it
> isn't a targeted attack.
>
> On 10/6/07, Peter Dambier <[EMAIL PROTECTED]> wrote:
> > Good morning,
> >
> > I have put the logs from my mailer and ftp-server
> > together with my router and VoIP:
> >
> > Oct  5 12:09:34 voipd[406]: query_local_ipaddress: 62.227.220.143
> >
> > netdate("Oct-5","23:38:06","time3 +0.234             Fri Oct  5 23:38:03.000").
> > xinetd_open("Oct-6","00:31:58","ftp","203.112.196.130").
> > ftp_connect("Oct-6","00:32:02","203.112.196.130").
> > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:32:03").
> > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","00:33:00").
> > xinetd_close("Oct-6","00:33:00","ftp").
> > xinetd_open("Oct-6","00:33:00","ftp","203.112.196.130").
> > ftp_connect("Oct-6","00:33:01","203.112.196.130").
> > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:02").
> > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:06").
> > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:13").
> > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","00:33:53").
> > xinetd_close("Oct-6","00:33:53","ftp").
> > xinetd_open("Oct-6","00:33:54","ftp","203.112.196.130").
> > ...
> > xinetd_close("Oct-6","03:06:22","ftp").
> > xinetd_open("Oct-6","03:06:23","ftp","203.112.196.130").
> > ftp_connect("Oct-6","03:06:33","203.112.196.130").
> > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","03:06:34").
> > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","03:07:20").
> > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","03:07:36").
> > xinetd_close("Oct-6","03:07:36","ftp").
> >
> >
> > Oct  6 03:08:22 dsld[381]: EVENT(80): Die Internetverbindung wird kurz unterbrochen, um der Zwangstrennung durch den Anbieter zuvorzukommen.
> > Oct  6 03:08:23 dsld[381]: Channel 0 closed (physical)
> > Oct  6 03:08:23 dsld[381]: internet: disconnected
> > Oct  6 03:08:23 dsld[381]: EVENT(23): Internetverbindung wurde getrennt.
> > Oct  6 03:08:24 multid[360]: ONLINE: now offline
> > Oct  6 03:08:24 voipd[406]: connstatus 5 -> 3
> > Oct  6 03:08:24 dsld[381]: internet: connecting
> > Oct  6 03:08:24 dsld[381]: internet: 00:04:0e:6d:8a:43
> > Oct  6 03:08:24 dsld[381]: internet: 00:04:0e:6d:8a:43
> > Oct  6 03:08:24 dsld[381]: PPP led: off (value=0)
> > Oct  6 03:08:24 dsld[381]: Channel 0 up (physical outgoing)
> > Oct  6 03:08:25 voipd[406]: connstatus 3 -> 4
> > Oct  6 03:08:25 dsld[381]: internet: set_snd_ipaddr: 62.227.245.7
> > Oct  6 03:08:25 dsld[381]: internet: connected
> > Oct  6 03:08:25 dsld[381]: PPP led: on (value=1)
> > Oct  6 03:08:25 dsld[381]: EVENT(22): Internetverbindung wurde erfolgreich hergestellt. IP-Adresse: 62.227.245.7, DNS-Server: 217.237.150.51 und 217.237.148.22, Gateway: 217.0.116.228
> > Oct  6 03:08:26 multid[360]: DDNS: echnaton.serveftp.com: checking ip address
> > Oct  6 03:08:26 multid[360]: dns: echnaton.serveftp.com: query
> > Oct  6 03:08:26 multid[360]: ONLINE: now online 62.227.245.7
> > Oct  6 03:08:26 voipd[406]: connstatus 4 -> 5
> >
> >
> > netdate("Oct-6","03:38:05","time3 +0.290             Sat Oct  6 03:38:02.000").
> > netdate("Oct-6","04:38:04","time3 -0.754             Sat Oct  6 04:38:01.000").
> > xinetd_open("Oct-6","04:47:21","ftp","203.112.196.130").
> > ftp_connect("Oct-6","04:47:22","203.112.196.130").
> > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:47:22").
> > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:48:10").
> > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","04:48:28").
> > xinetd_close("Oct-6","04:48:28","ftp").
> > xinetd_open("Oct-6","04:48:31","ftp","203.112.196.130").
> > ...
> > xinetd_close("Oct-6","04:56:37","ftp").
> > xinetd_open("Oct-6","04:56:41","ftp","203.112.196.130").
> > ftp_connect("Oct-6","04:56:45","203.112.196.130").
> > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:56:46").
> > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","04:57:40").
> > xinetd_close("Oct-6","04:57:40","ftp").
> > netdate("Oct-6","05:38:05","time3 +0.251             Sat Oct  6 05:38:02.000").
> >
> >
> > Interestingly enough, the attack survived a DSL disconnect
> > and reconnect with a changed IPv4 address.
> >
> > The hole of 90 minutes suggests they did not follow me via DNS or SIP.
> >
> > They only tried user [Administrator].
> >
> > nmap says they have no ports open. I did not try the complicated things :)
> >
> >
> > Nothing suspicious in the exim (mailer) log.
> > No other addresses seen.
> >
> > Kind regards
> > Peter and Karin
> >
> > --
> > Peter and Karin Dambier
> > Cesidian Root - Radice Cesidiana
> > Rimbacher Strasse 16
> > D-69509 Moerlenbach-Bonsweiher
> > +49(6209)795-816 (Telekom)
> > +49(6252)750-308 (VoIP: sipgate.de)
> > mail: [EMAIL PROTECTED]
> > mail: [EMAIL PROTECTED]
> > http://iason.site.voila.fr/
> > https://sourceforge.net/projects/iason/
> > http://www.cesidianroot.com/
> >

I think there is probably some truth in the middle of both of your posts.

I have an FTP server at work and at home, and I read the logs pretty
regularly. I see automated scans daily, all using dictionary attacks,
with very similar patterns, enough to suggest that although they are
"only" brute force, they could certainly be automated from a bot
source. All use the exact same dictionary, and are from such disparate
IP sources that the theory is an interesting one. They could also be from
an obvious single source, a hacker brute-force IP scanning utility,
but since I don't use such things I'm not certain.

Some examples:

193.34.150.54   Administrator   abc123  Bad username and/or password
193.34.150.54   Administrator   password        Bad username and/or password
193.34.150.54   Administrator   passwd  Bad username and/or password
host-193-34-150-54.vlan8.argeweb.nl. (netherlands)

60.191.20.228   Administrator   abc123  Bad username and/or password
60.191.20.228   Administrator   password        Bad username and/or password
60.191.20.228   Administrator   passwd  Bad username and/or password
ns.zjnbptt.net.cn  Hangzhou, Zhejiang (China)

221.2.236.42    Administrator   abc123  Bad username and/or password
221.2.236.42    Administrator   password        Bad username and/or password
221.2.236.42    Administrator   passwd  Bad username and/or password
Also China, but Dongying, Hebei

202.82.18.193   Administrator   abc123  Bad username and/or password
202.82.18.193   Administrator   password        Bad username and/or password
202.82.18.193   Administrator   passwd  Bad username and/or password
Hong Kong

212.123.8.83    Administrator   abc123  Bad username and/or password
212.123.8.83    Administrator   password        Bad username and/or password
212.123.8.83    Administrator   passwd  Bad username and/or password
Belgium

I found the origin of the dictionary file they are using simply
because almost all of them start trying passwords with the text from
the dictionary source (laziness?), as you see here:

140.112.101.41  Administrator   been       Bad username and/or password
140.112.101.41  Administrator   compiled           Bad username and/or password
140.112.101.41  Administrator   by                Bad username and/or password
140.112.101.41  Administrator   Solar      Bad username and/or password
140.112.101.41  Administrator   Designer           Bad username and/or password
140.112.101.41  Administrator   of

Solar Designer wrote "john the ripper", the password cracker, which of
course comes with a dictionary.


dvsjr
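As an added illustration of how a defender can turn the two log styles quoted in this thread into a check (example code written for this page, not anything the posters ran), the block below parses Peter Dambier's Prolog-style `xinetd_open` / `ftp_connect` / `ftp_complained` facts and dvsjr's "ip user password message" rows into one event shape, then asks the two questions the thread raises: which sources exceed a failure threshold, and which unrelated sources walk the very same password list in the same order. It assumes the formats are exactly as the excerpts show; the `AuthEvent` record, the regexes and the function names are mine, and the sample lines are constructed from the addresses and passwords quoted in the posts.

```python
import re
from collections import defaultdict, namedtuple

# One failed login normalised from either log style: `when` is the timestamp
# text (or "#n" for a log without one), `password` is only known for dvsjr's style.
AuthEvent = namedtuple("AuthEvent", "when src user password")

# Constructed sample in the style of Peter Dambier's Prolog-like facts; the
# address and times are the ones quoted in the thread, and the e-mail address
# inside the message stays redacted as it is in the post.
XINETD_LOG = """\
xinetd_open("Oct-6","00:31:58","ftp","203.112.196.130").
ftp_connect("Oct-6","00:32:02","203.112.196.130").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:32:03").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","00:33:00").
xinetd_close("Oct-6","00:33:00","ftp").
xinetd_open("Oct-6","00:33:00","ftp","203.112.196.130").
ftp_connect("Oct-6","00:33:01","203.112.196.130").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:02").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:06").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:13").
xinetd_close("Oct-6","00:33:53","ftp").
"""

# Constructed sample in the style of dvsjr's "ip user password message" lines;
# addresses and passwords are the ones quoted in the thread.
TABULAR_LOG = """\
193.34.150.54   Administrator   abc123  Bad username and/or password
193.34.150.54   Administrator   password        Bad username and/or password
193.34.150.54   Administrator   passwd  Bad username and/or password
60.191.20.228   Administrator   abc123  Bad username and/or password
60.191.20.228   Administrator   password        Bad username and/or password
60.191.20.228   Administrator   passwd  Bad username and/or password
140.112.101.41  Administrator   been       Bad username and/or password
140.112.101.41  Administrator   compiled           Bad username and/or password
140.112.101.41  Administrator   Solar      Bad username and/or password
140.112.101.41  Administrator   of
"""

# xinetd_open / ftp_connect carry the peer address; ftp_complained does not.
_OPEN = re.compile(r'^(?:xinetd_open|ftp_connect)\("[^"]+","[^"]+",(?:"ftp",)?"([\d.]+)"\)\.$')
_FAIL = re.compile(r'^ftp_complained\(".*Authentication failed for user \[([^\]]+)\]","([^"]+)","([^"]+)"\)\.$')
_TAB = re.compile(r'^([\d.]+)\s+(\S+)\s+(\S+)(?:\s+Bad username and/or password)?$')


def parse_xinetd_facts(text):
    """Attribute each failure to the peer of the session it happened in."""
    events, peer = [], None
    for line in text.splitlines():
        line = line.strip()
        m = _OPEN.match(line)
        if m:
            peer = m.group(1)           # session start: remember who connected
        elif line.startswith("xinetd_close("):
            peer = None                 # session over; a failure now has no owner
        elif peer is not None:
            m = _FAIL.match(line)
            if m:
                events.append(AuthEvent(f"{m.group(2)} {m.group(3)}", peer, m.group(1), None))
    return events


def parse_tabular(text):
    """No timestamp in this style, so the line number keeps attempt order."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _TAB.match(line.strip())
        if m:
            events.append(AuthEvent(f"#{n}", m.group(1), m.group(2), m.group(3)))
    return events


def failures_by_source(events):
    counts = defaultdict(int)
    for e in events:
        counts[e.src] += 1
    return dict(counts)


def brute_force_sources(events, threshold=3):
    """Sources with at least `threshold` failures: the plain volume signal."""
    return sorted(ip for ip, n in failures_by_source(events).items() if n >= threshold)


def shared_dictionary_sources(events, min_sources=2):
    """Group sources by the exact password sequence they walked; several
    unrelated addresses on the same list in the same order is dvsjr's signal."""
    per_src = defaultdict(list)
    for e in events:
        if e.password is not None:
            per_src[e.src].append(e.password)
    groups = defaultdict(list)
    for ip, pws in per_src.items():
        groups[tuple(pws)].append(ip)
    return {seq: sorted(ips) for seq, ips in groups.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    print("xinetd log, sources over threshold:", brute_force_sources(parse_xinetd_facts(XINETD_LOG)))
    rows = parse_tabular(TABULAR_LOG)
    print("tabular log, sources over threshold:", brute_force_sources(rows))
    for seq, ips in shared_dictionary_sources(rows).items():
        print("same dictionary order", seq, "seen from", ips)
```

Two details matter when running this over real files: the `ftp_complained` facts name no peer, so attribution only works if the open/close pairing is intact, and a mailer-wrapped fact (as in the quoted post) has to be rejoined onto one line before it matches. The threshold of 3 is a placeholder for the example; the lockout Peter's server already applies ("Too many authentication failures") is the stronger control, and the shared-sequence grouping is what separates many independent scanners from one tool behind many addresses.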
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
