To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
I agree that this could be distributed... However, what you may be seeing is the same group of script kiddies that are targeting your block of hosts.
I have seen that a good majority of the bruteforcers use the same exact dictionaries (much like the ssh bruteforcers), and use the exact same toolkits. I have caught like maybe 30-40 of these types of kits and they are all basically the same. Same things that I see with sql SA bruteforcing and SSH bruteforcing... Same kits used, which indicates that only a few groups are doing it. Just my 2 cents.

On 10/6/07, Mr. X <[EMAIL PROTECTED]> wrote:
> On 10/6/07, James Pleger <[EMAIL PROTECTED]> wrote:
> > This looks like standard ftp bruteforcing...
> >
> > Typical targets of these attacks are MS FTP Servers, they will target
> > the administrator account, so they can get that account password, and
> > then upload files and execute them, or otherwise compromise the box.
> >
> > I have seen this activity for many years, and more likely than not it
> > isn't a targeted attack.
> >
> > On 10/6/07, Peter Dambier <[EMAIL PROTECTED]> wrote:
> > > Good morning,
> > >
> > > I have put the logs from my mailer and ftp-server
> > > together with my router and VoIP:
> > >
> > > Oct 5 12:09:34 voipd[406]: query_local_ipaddress: 62.227.220.143
> > >
> > > netdate("Oct-5","23:38:06","time3 +0.234 Fri Oct 5 23:38:03.000").
> > > xinetd_open("Oct-6","00:31:58","ftp","203.112.196.130").
> > > ftp_connect("Oct-6","00:32:02","203.112.196.130").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:32:03").
> > > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","00:33:00").
> > > xinetd_close("Oct-6","00:33:00","ftp").
> > > xinetd_open("Oct-6","00:33:00","ftp","203.112.196.130").
> > > ftp_connect("Oct-6","00:33:01","203.112.196.130").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:02").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:06").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:13").
> > > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","00:33:53").
> > > xinetd_close("Oct-6","00:33:53","ftp").
> > > xinetd_open("Oct-6","00:33:54","ftp","203.112.196.130").
> > > ...
> > > xinetd_close("Oct-6","03:06:22","ftp").
> > > xinetd_open("Oct-6","03:06:23","ftp","203.112.196.130").
> > > ftp_connect("Oct-6","03:06:33","203.112.196.130").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","03:06:34").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","03:07:20").
> > > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","03:07:36").
> > > xinetd_close("Oct-6","03:07:36","ftp").
> > >
> > >
> > > Oct 6 03:08:22 dsld[381]: EVENT(80): Die Internetverbindung wird kurz unterbrochen, um der Zwangstrennung durch den Anbieter zuvorzukommen.
> > > Oct 6 03:08:23 dsld[381]: Channel 0 closed (physical)
> > > Oct 6 03:08:23 dsld[381]: internet: disconnected
> > > Oct 6 03:08:23 dsld[381]: EVENT(23): Internetverbindung wurde getrennt.
> > > Oct 6 03:08:24 multid[360]: ONLINE: now offline
> > > Oct 6 03:08:24 voipd[406]: connstatus 5 -> 3
> > > Oct 6 03:08:24 dsld[381]: internet: connecting
> > > Oct 6 03:08:24 dsld[381]: internet: 00:04:0e:6d:8a:43
> > > Oct 6 03:08:24 dsld[381]: internet: 00:04:0e:6d:8a:43
> > > Oct 6 03:08:24 dsld[381]: PPP led: off (value=0)
> > > Oct 6 03:08:24 dsld[381]: Channel 0 up (physical outgoing)
> > > Oct 6 03:08:25 voipd[406]: connstatus 3 -> 4
> > > Oct 6 03:08:25 dsld[381]: internet: set_snd_ipaddr: 62.227.245.7
> > > Oct 6 03:08:25 dsld[381]: internet: connected
> > > Oct 6 03:08:25 dsld[381]: PPP led: on (value=1)
> > > Oct 6 03:08:25 dsld[381]: EVENT(22): Internetverbindung wurde erfolgreich hergestellt. IP-Adresse: 62.227.245.7, DNS-Server: 217.237.150.51 und 217.237.148.22, Gateway: 217.0.116.228
> > > Oct 6 03:08:26 multid[360]: DDNS: echnaton.serveftp.com: checking ip address
> > > Oct 6 03:08:26 multid[360]: dns: echnaton.serveftp.com: query
> > > Oct 6 03:08:26 multid[360]: ONLINE: now online 62.227.245.7
> > > Oct 6 03:08:26 voipd[406]: connstatus 4 -> 5
> > >
> > >
> > > netdate("Oct-6","03:38:05","time3 +0.290 Sat Oct 6 03:38:02.000").
> > > netdate("Oct-6","04:38:04","time3 -0.754 Sat Oct 6 04:38:01.000").
> > > xinetd_open("Oct-6","04:47:21","ftp","203.112.196.130").
> > > ftp_connect("Oct-6","04:47:22","203.112.196.130").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:47:22").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:48:10").
> > > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","04:48:28").
> > > xinetd_close("Oct-6","04:48:28","ftp").
> > > xinetd_open("Oct-6","04:48:31","ftp","203.112.196.130").
> > > ...
> > > xinetd_close("Oct-6","04:56:37","ftp").
> > > xinetd_open("Oct-6","04:56:41","ftp","203.112.196.130").
> > > ftp_connect("Oct-6","04:56:45","203.112.196.130").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:56:46").
> > > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","04:57:40").
> > > xinetd_close("Oct-6","04:57:40","ftp").
> > > netdate("Oct-6","05:38:05","time3 +0.251 Sat Oct 6 05:38:02.000").
> > >
> > >
> > > Interestingly enough the attack survived a DSL disconnect
> > > and reconnect with changed IPv4 address.
> > >
> > > The hole of 90 minutes suggests they did not follow me via DNS or SIP.
> > >
> > > They only tried user [Administrator].
> > >
> > > nmap says they have no ports open. I did not try the complicated things :)
> > >
> > >
> > > Nothing suspicious in the exim (mailer) log.
> > > No other addresses seen.
> > >
> > > Kind regards
> > > Peter and Karin
> > >
> > > --
> > > Peter and Karin Dambier
> > > Cesidian Root - Radice Cesidiana
> > > Rimbacher Strasse 16
> > > D-69509 Moerlenbach-Bonsweiher
> > > +49(6209)795-816 (Telekom)
> > > +49(6252)750-308 (VoIP: sipgate.de)
> > > mail: [EMAIL PROTECTED]
> > > mail: [EMAIL PROTECTED]
> > > http://iason.site.voila.fr/
> > > https://sourceforge.net/projects/iason/
> > > http://www.cesidianroot.com/
> > >
>
> I think there is probably some truth in the middle of both of your posts.
>
> I have an FTP server at work and at home, and I read the logs pretty
> regularly. I see automated scans daily, all using dictionary attacks,
> with very similar patterns, enough to suggest that although they are
> "only" brute force, they could certainly be automated from a bot
> source. All use the exact same dictionary, and are from such disparate
> IP sources the theory is an interesting one. They could also be from
> an obvious single source, a hacker brute force IP scanning utility,
> but since I don't use such things I'm not certain.
>
> some examples:
>
> 193.34.150.54 Administrator abc123 Bad username and/or password
> 193.34.150.54 Administrator password Bad username and/or password
> 193.34.150.54 Administrator passwd Bad username and/or password
> host-193-34-150-54.vlan8.argeweb.nl. (netherlands)
>
> 60.191.20.228 Administrator abc123 Bad username and/or password
> 60.191.20.228 Administrator password Bad username and/or password
> 60.191.20.228 Administrator passwd Bad username and/or password
> ns.zjnbptt.net.cn Hangzhou, Zhejiang (China)
>
> 221.2.236.42 Administrator abc123 Bad username and/or password
> 221.2.236.42 Administrator password Bad username and/or password
> 221.2.236.42 Administrator passwd Bad username and/or password
> Also China, but Dongying, Hebei
>
> 202.82.18.193 Administrator abc123 Bad username and/or password
> 202.82.18.193 Administrator password Bad username and/or password
> 202.82.18.193 Administrator passwd Bad username and/or password
> Hong Kong
>
> 212.123.8.83 Administrator abc123 Bad username and/or password
> 212.123.8.83 Administrator password Bad username and/or password
> 212.123.8.83 Administrator passwd Bad username and/or password
> Belgium
>
> I found the origin of the dictionary file they are using simply
> because almost all of them start trying passwords with the text from
> the dictionary source (laziness?)
>
> as you see here:
>
> 140.112.101.41 Administrator been Bad username and/or password
> 140.112.101.41 Administrator compiled Bad username and/or password
> 140.112.101.41 Administrator by Bad username and/or password
> 140.112.101.41 Administrator Solar Bad username and/or password
> 140.112.101.41 Administrator Designer Bad username and/or password
> 140.112.101.41 Administrator of
>
> Solar Designer wrote "john the ripper" the password cracker, which of
> course comes with a dictionary.
>
>
> dvsjr
>

--
James Pleger
p: 623.298.7966
e: [EMAIL PROTECTED]
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
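The two observations in this thread, that every source hammers the same administrative account and that the guesses replay one shared wordlist in the same order, are easy to turn into a log check. The script below is an added example and is not code from the thread or from any tool its authors mention. It reads lines in the "source-IP user password result" shape dvsjr quoted, groups failed logins by source, and flags a source when it exceeds a failure threshold and either targets an admin account or reproduces the leading entries of a known wordlist. The "abc123 / password / passwd" opening and the "been compiled by Solar Designer of" words are taken from the thread (the latter is the comment header of John the Ripper's password.lst, which sloppy tools feed in as candidate passwords); the sample log lines, the `report()` function, its threshold and the admin-account list are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from any real server) in the
# "source-IP user password result" shape quoted in the thread.
SAMPLE_LOG = """\
193.34.150.54 Administrator abc123 Bad username and/or password
193.34.150.54 Administrator password Bad username and/or password
193.34.150.54 Administrator passwd Bad username and/or password
140.112.101.41 Administrator been Bad username and/or password
140.112.101.41 Administrator compiled Bad username and/or password
140.112.101.41 Administrator by Bad username and/or password
140.112.101.41 Administrator Solar Bad username and/or password
140.112.101.41 Administrator Designer Bad username and/or password
10.0.0.5 alice wr0ng-pass Bad username and/or password
10.0.0.5 alice ok-pass-123 Login successful
"""

LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<user>\S+)\s+(?P<password>\S+)\s+(?P<result>.+)$"
)

# Ordered password prefixes that identify a shared wordlist. The first is the
# abc123/password/passwd opening seen from every source in the thread; the
# second is the comment header of John the Ripper's password.lst, which sloppy
# tools feed in as candidate passwords instead of skipping.
FINGERPRINTS = {
    "thread-common-list": ("abc123", "password", "passwd"),
    "john-password.lst-header": ("been", "compiled", "by", "Solar", "Designer", "of"),
}
MIN_RUN = 3  # leading entries that must match in order before we call it a hit

# Accounts worth alerting on at lower volume (assumed list for this example).
ADMIN_USERS = frozenset({"Administrator", "administrator", "admin", "root"})


def parse(lines):
    """Turn raw lines into dicts; lines in another shape are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def failures_by_source(events):
    """Map source IP -> ordered list of (user, password) for failed logins only."""
    attempts = defaultdict(list)
    for ev in events:
        if ev["result"].startswith("Bad username"):
            attempts[ev["ip"]].append((ev["user"], ev["password"]))
    return attempts


def match_fingerprint(passwords):
    """Return the name of the wordlist whose leading entries the attempt
    sequence reproduces in order (longest run wins), or None below MIN_RUN."""
    best_name, best_run = None, 0
    for name, prefix in FINGERPRINTS.items():
        run = 0
        while run < min(len(passwords), len(prefix)) and passwords[run] == prefix[run]:
            run += 1
        if run >= MIN_RUN and run > best_run:
            best_name, best_run = name, run
    return best_name


def report(lines, threshold=3):
    """Flag sources with >= threshold failures that either hit an admin account
    or replay a known wordlist; returns one finding dict per flagged source."""
    findings = []
    for ip, attempts in failures_by_source(parse(lines)).items():
        users = {u for u, _ in attempts}
        wordlist = match_fingerprint([p for _, p in attempts])
        if len(attempts) >= threshold and (users & ADMIN_USERS or wordlist):
            findings.append({"ip": ip, "failures": len(attempts),
                             "users": sorted(users), "wordlist": wordlist})
    return findings


if __name__ == "__main__":
    for f in report(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']}: {f['failures']} failures against {f['users']}, "
              f"wordlist={f['wordlist']}")
```

Matching on an ordered prefix rather than on set membership is deliberate: common words such as "password" appear in every list, but the exact opening sequence is what ties disparate source addresses to one toolkit, which is the point both posters were making. The `10.0.0.5` line shows that a single typo by a legitimate user stays below the threshold.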