To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

On 10/6/07, James Pleger <[EMAIL PROTECTED]> wrote:
> This looks like standard ftp bruteforcing...
>
> Typical targets of these attacks are MS FTP Servers, they will target
> the administrator account, so they can get that account password, and
> then upload files and execute them, or otherwise compromise the box.
>
> I have seen this activity for many years, and more likely than not it
> isn't a targeted attack.
>
> On 10/6/07, Peter Dambier <[EMAIL PROTECTED]> wrote:
> > Good morning,
> >
> > I have put the logs from my mailer and ftp-server
> > together with my router and VoIP:
> >
> > Oct 5 12:09:34 voipd[406]: query_local_ipaddress: 62.227.220.143
> >
> > netdate("Oct-5","23:38:06","time3 +0.234 Fri Oct 5 23:38:03.000").
> > xinetd_open("Oct-6","00:31:58","ftp","203.112.196.130").
> > ftp_connect("Oct-6","00:32:02","203.112.196.130").
> > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:32:03").
> > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","00:33:00").
> > xinetd_close("Oct-6","00:33:00","ftp").
> > xinetd_open("Oct-6","00:33:00","ftp","203.112.196.130").
> > ftp_connect("Oct-6","00:33:01","203.112.196.130").
> > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:02").
> > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:06").
> > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:13").
> > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","00:33:53").
> > xinetd_close("Oct-6","00:33:53","ftp").
> > xinetd_open("Oct-6","00:33:54","ftp","203.112.196.130").
> > ...
> > xinetd_close("Oct-6","03:06:22","ftp").
> > xinetd_open("Oct-6","03:06:23","ftp","203.112.196.130").
> > ftp_connect("Oct-6","03:06:33","203.112.196.130").
> > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","03:06:34").
> > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","03:07:20").
> > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","03:07:36").
> > xinetd_close("Oct-6","03:07:36","ftp").
> >
> >
> > Oct 6 03:08:22 dsld[381]: EVENT(80): Die Internetverbindung wird kurz unterbrochen, um der Zwangstrennung durch den Anbieter zuvorzukommen.
> > Oct 6 03:08:23 dsld[381]: Channel 0 closed (physical)
> > Oct 6 03:08:23 dsld[381]: internet: disconnected
> > Oct 6 03:08:23 dsld[381]: EVENT(23): Internetverbindung wurde getrennt.
> > Oct 6 03:08:24 multid[360]: ONLINE: now offline
> > Oct 6 03:08:24 voipd[406]: connstatus 5 -> 3
> > Oct 6 03:08:24 dsld[381]: internet: connecting
> > Oct 6 03:08:24 dsld[381]: internet: 00:04:0e:6d:8a:43
> > Oct 6 03:08:24 dsld[381]: internet: 00:04:0e:6d:8a:43
> > Oct 6 03:08:24 dsld[381]: PPP led: off (value=0)
> > Oct 6 03:08:24 dsld[381]: Channel 0 up (physical outgoing)
> > Oct 6 03:08:25 voipd[406]: connstatus 3 -> 4
> > Oct 6 03:08:25 dsld[381]: internet: set_snd_ipaddr: 62.227.245.7
> > Oct 6 03:08:25 dsld[381]: internet: connected
> > Oct 6 03:08:25 dsld[381]: PPP led: on (value=1)
> > Oct 6 03:08:25 dsld[381]: EVENT(22): Internetverbindung wurde erfolgreich hergestellt. IP-Adresse: 62.227.245.7, DNS-Server: 217.237.150.51 und 217.237.148.22, Gateway: 217.0.116.228
> > Oct 6 03:08:26 multid[360]: DDNS: echnaton.serveftp.com: checking ip address
> > Oct 6 03:08:26 multid[360]: dns: echnaton.serveftp.com: query
> > Oct 6 03:08:26 multid[360]: ONLINE: now online 62.227.245.7
> > Oct 6 03:08:26 voipd[406]: connstatus 4 -> 5
> >
> >
> > netdate("Oct-6","03:38:05","time3 +0.290 Sat Oct 6 03:38:02.000").
> > netdate("Oct-6","04:38:04","time3 -0.754 Sat Oct 6 04:38:01.000").
> > xinetd_open("Oct-6","04:47:21","ftp","203.112.196.130").
> > ftp_connect("Oct-6","04:47:22","203.112.196.130").
> > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:47:22").
> > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:48:10").
> > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","04:48:28").
> > xinetd_close("Oct-6","04:48:28","ftp").
> > xinetd_open("Oct-6","04:48:31","ftp","203.112.196.130").
> > ...
> > xinetd_close("Oct-6","04:56:37","ftp").
> > xinetd_open("Oct-6","04:56:41","ftp","203.112.196.130").
> > ftp_connect("Oct-6","04:56:45","203.112.196.130").
> > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:56:46").
> > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","04:57:40").
> > xinetd_close("Oct-6","04:57:40","ftp").
> > netdate("Oct-6","05:38:05","time3 +0.251 Sat Oct 6 05:38:02.000").
> >
> >
> > Interestingly enough the attack survived a DSL disconnect
> > and reconnect with a changed IPv4 address.
> >
> > The hole of 90 minutes suggests they did not follow me via DNS or SIP.
> >
> > They only tried user [Administrator].
> >
> > nmap says they have no ports open. I did not try the complicated things :)
> >
> >
> > Nothing suspicious in the exim (mailer) log.
> > No other addresses seen.
> >
> > Kind regards
> > Peter and Karin
> >
> > --
> > Peter and Karin Dambier
> > Cesidian Root - Radice Cesidiana
> > Rimbacher Strasse 16
> > D-69509 Moerlenbach-Bonsweiher
> > +49(6209)795-816 (Telekom)
> > +49(6252)750-308 (VoIP: sipgate.de)
> > mail: [EMAIL PROTECTED]
> > mail: [EMAIL PROTECTED]
> > http://iason.site.voila.fr/
> > https://sourceforge.net/projects/iason/
> > http://www.cesidianroot.com/
> >
I think there is probably some truth in the middle of both of your posts. I have an FTP server at work and at home, and I read the logs pretty regularly. I see automated scans daily, all using dictionary attacks, with very similar patterns, enough to suggest that although they are "only" brute force, they could certainly be automated from a bot source. All use the exact same dictionary, and are from such disparate IP sources that the theory is an interesting one. They could also be from an obvious single source, a hacker brute force IP scanning utility, but since I don't use such things I'm not certain.

Some examples:

193.34.150.54 Administrator abc123 Bad username and/or password
193.34.150.54 Administrator password Bad username and/or password
193.34.150.54 Administrator passwd Bad username and/or password
host-193-34-150-54.vlan8.argeweb.nl. (netherlands)

60.191.20.228 Administrator abc123 Bad username and/or password
60.191.20.228 Administrator password Bad username and/or password
60.191.20.228 Administrator passwd Bad username and/or password
ns.zjnbptt.net.cn Hangzhou, Zhejiang (China)

221.2.236.42 Administrator abc123 Bad username and/or password
221.2.236.42 Administrator password Bad username and/or password
221.2.236.42 Administrator passwd Bad username and/or password
Also China, but Dongying, Hebei

202.82.18.193 Administrator abc123 Bad username and/or password
202.82.18.193 Administrator password Bad username and/or password
202.82.18.193 Administrator passwd Bad username and/or password
Hong Kong

212.123.8.83 Administrator abc123 Bad username and/or password
212.123.8.83 Administrator password Bad username and/or password
212.123.8.83 Administrator passwd Bad username and/or password
Belgium

I found the origin of the dictionary file they are using simply because almost all of them start trying passwords with the text from the dictionary source (laziness?) as you see here:

140.112.101.41 Administrator been Bad username and/or password
140.112.101.41 Administrator compiled Bad username and/or password
140.112.101.41 Administrator by Bad username and/or password
140.112.101.41 Administrator Solar Bad username and/or password
140.112.101.41 Administrator Designer Bad username and/or password
140.112.101.41 Administrator of

Solar Designer wrote "john the ripper" the password cracker, which of course comes with a dictionary.

dvsjr

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
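An added example, not code from the thread or from any list member: a small Python script that parses failed-login lines in the format dvsjr quotes, clusters source IPs by the ordered prefix of passwords they try (the shared-dictionary signature the post describes), and flags a source whose first guesses are a wordlist's comment header words. The sample log is constructed from addresses and guesses quoted in the post; 10.0.0.5 is a made-up control source that uses a different list.

```python
import re
from collections import defaultdict

# Matches the failed-login format quoted in the post: "<ip> <user> <password> Bad ..."
FAIL_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+Bad username and/or password$")

# Words a tool tries when it feeds a wordlist's comment header in as passwords
# (the "been compiled by Solar Designer" sequence seen in the thread).
HEADER_WORDS = ("been", "compiled", "by", "Solar", "Designer")

# Constructed sample log: two sources share one ordered list, one (made-up
# 10.0.0.5) does not, and one source starts with the wordlist header text.
SAMPLE_LOG = """\
193.34.150.54 Administrator abc123 Bad username and/or password
193.34.150.54 Administrator password Bad username and/or password
193.34.150.54 Administrator passwd Bad username and/or password
60.191.20.228 Administrator abc123 Bad username and/or password
60.191.20.228 Administrator password Bad username and/or password
60.191.20.228 Administrator passwd Bad username and/or password
10.0.0.5 anonymous letmein Bad username and/or password
10.0.0.5 anonymous qwerty Bad username and/or password
140.112.101.41 Administrator been Bad username and/or password
140.112.101.41 Administrator compiled Bad username and/or password
140.112.101.41 Administrator by Bad username and/or password
"""

def parse_failures(text):
    """Return {ip: [password, ...]} in log order; non-matching lines are ignored."""
    attempts = defaultdict(list)
    for line in text.splitlines():
        m = FAIL_RE.match(line.strip())
        if m:
            attempts[m.group(1)].append(m.group(3))
    return dict(attempts)

def dictionary_clusters(attempts, prefix_len=3):
    """Group source IPs whose first `prefix_len` guesses are identical and in the
    same order. Disparate sources sharing one ordered prefix are most likely
    driven by the same tool and wordlist, i.e. one campaign, not lone scanners."""
    by_prefix = defaultdict(list)
    for ip, pws in attempts.items():
        by_prefix[tuple(pws[:prefix_len])].append(ip)
    return {k: sorted(v) for k, v in by_prefix.items() if len(v) > 1}

def starts_with_wordlist_header(pws, n=3):
    """True when the first n guesses are the wordlist's comment header words."""
    return tuple(pws[:n]) == HEADER_WORDS[:n]
```

Feeding a day's FTP log through `parse_failures` and then `dictionary_clusters` gives the list of sources that belong together, which is a more useful blocking and reporting unit than any single IP.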