To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
I agree that this could be distributed... However what you may be
seeing is the same group of script kiddies that are targeting your
block of hosts.

I have seen that a good majority of the bruteforcers use the same
exact dictionaries (much like the ssh bruteforcers), and use the exact
same toolkits.

I have caught like maybe 30-40 of these types of kits and they are all
basically the same. Same things that I see with sql SA bruteforcing
and SSH bruteforcing... Same kits used, which indicates that only a
few groups are doing it.

Just my 2 cents.

On 10/6/07, Mr. X <[EMAIL PROTECTED]> wrote:
> On 10/6/07, James Pleger <[EMAIL PROTECTED]> wrote:
> > This looks like standard ftp bruteforcing...
> >
> > Typical targets of these attacks are MS FTP Servers, they will target
> > the administrator account, so they can get that account password, and
> > then upload files and execute them, or otherwise compromise the box.
> >
> > I have seen this activity for many years, and more likely than not it
> > isn't a targeted attack.
> >
> > On 10/6/07, Peter Dambier <[EMAIL PROTECTED]> wrote:
> > > Good morning,
> > >
> > > I have put the logs from my mailer and ftp-server
> > > together with my router and VoIP:
> > >
> > > Oct  5 12:09:34 voipd[406]: query_local_ipaddress: 62.227.220.143
> > >
> > > netdate("Oct-5","23:38:06","time3 +0.234             Fri Oct  5 
> > > 23:38:03.000").
> > > xinetd_open("Oct-6","00:31:58","ftp","203.112.196.130").
> > > ftp_connect("Oct-6","00:32:02","203.112.196.130").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for 
> > > user [Administrator]","Oct-6","00:32:03").
> > > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication 
> > > failures","Oct-6","00:33:00").
> > > xinetd_close("Oct-6","00:33:00","ftp").
> > > xinetd_open("Oct-6","00:33:00","ftp","203.112.196.130").
> > > ftp_connect("Oct-6","00:33:01","203.112.196.130").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for 
> > > user [Administrator]","Oct-6","00:33:02").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for 
> > > user [Administrator]","Oct-6","00:33:06").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for 
> > > user [Administrator]","Oct-6","00:33:13").
> > > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication 
> > > failures","Oct-6","00:33:53").
> > > xinetd_close("Oct-6","00:33:53","ftp").
> > > xinetd_open("Oct-6","00:33:54","ftp","203.112.196.130").
> > > ...
> > > xinetd_close("Oct-6","03:06:22","ftp").
> > > xinetd_open("Oct-6","03:06:23","ftp","203.112.196.130").
> > > ftp_connect("Oct-6","03:06:33","203.112.196.130").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for 
> > > user [Administrator]","Oct-6","03:06:34").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for 
> > > user [Administrator]","Oct-6","03:07:20").
> > > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication 
> > > failures","Oct-6","03:07:36").
> > > xinetd_close("Oct-6","03:07:36","ftp").
> > >
> > >
> > > Oct  6 03:08:22 dsld[381]: EVENT(80): Die Internetverbindung wird kurz 
> > > unterbrochen, um der Zwangstrennung durch den Anbieter zuvorzukommen.
> > > Oct  6 03:08:23 dsld[381]: Channel 0 closed (physical)
> > > Oct  6 03:08:23 dsld[381]: internet: disconnected
> > > Oct  6 03:08:23 dsld[381]: EVENT(23): Internetverbindung wurde getrennt.
> > > Oct  6 03:08:24 multid[360]: ONLINE: now offline
> > > Oct  6 03:08:24 voipd[406]: connstatus 5 -> 3
> > > Oct  6 03:08:24 dsld[381]: internet: connecting
> > > Oct  6 03:08:24 dsld[381]: internet: 00:04:0e:6d:8a:43
> > > Oct  6 03:08:24 dsld[381]: internet: 00:04:0e:6d:8a:43
> > > Oct  6 03:08:24 dsld[381]: PPP led: off (value=0)
> > > Oct  6 03:08:24 dsld[381]: Channel 0 up (physical outgoing)
> > > Oct  6 03:08:25 voipd[406]: connstatus 3 -> 4
> > > Oct  6 03:08:25 dsld[381]: internet: set_snd_ipaddr: 62.227.245.7
> > > Oct  6 03:08:25 dsld[381]: internet: connected
> > > Oct  6 03:08:25 dsld[381]: PPP led: on (value=1)
> > > Oct  6 03:08:25 dsld[381]: EVENT(22): Internetverbindung wurde 
> > > erfolgreich hergestellt. IP-Adresse: 62.227.245.7, DNS-Server: 
> > > 217.237.150.51 und 217.237.148.22, Gateway: 217.0.116.228
> > > Oct  6 03:08:26 multid[360]: DDNS: echnaton.serveftp.com: checking ip 
> > > address
> > > Oct  6 03:08:26 multid[360]: dns: echnaton.serveftp.com: query
> > > Oct  6 03:08:26 multid[360]: ONLINE: now online 62.227.245.7
> > > Oct  6 03:08:26 voipd[406]: connstatus 4 -> 5
> > >
> > >
> > > netdate("Oct-6","03:38:05","time3 +0.290             Sat Oct  6 
> > > 03:38:02.000").
> > > netdate("Oct-6","04:38:04","time3 -0.754             Sat Oct  6 
> > > 04:38:01.000").
> > > xinetd_open("Oct-6","04:47:21","ftp","203.112.196.130").
> > > ftp_connect("Oct-6","04:47:22","203.112.196.130").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for 
> > > user [Administrator]","Oct-6","04:47:22").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for 
> > > user [Administrator]","Oct-6","04:48:10").
> > > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication 
> > > failures","Oct-6","04:48:28").
> > > xinetd_close("Oct-6","04:48:28","ftp").
> > > xinetd_open("Oct-6","04:48:31","ftp","203.112.196.130").
> > > ...
> > > xinetd_close("Oct-6","04:56:37","ftp").
> > > xinetd_open("Oct-6","04:56:41","ftp","203.112.196.130").
> > > ftp_connect("Oct-6","04:56:45","203.112.196.130").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for 
> > > user [Administrator]","Oct-6","04:56:46").
> > > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication 
> > > failures","Oct-6","04:57:40").
> > > xinetd_close("Oct-6","04:57:40","ftp").
> > > netdate("Oct-6","05:38:05","time3 +0.251             Sat Oct  6 
> > > 05:38:02.000").
> > >
> > >
> > > Interestingly enough the attack survived a DSL disconnect
> > > and reconnect with changed IPv4 address.
> > >
> > > The hole of 90 minutes suggests they did not follow me via DNS or SIP.
> > >
> > > They only tried user [Administrator].
> > >
> > > nmap says they have no ports open. I did not try the complicated things :)
> > >
> > >
> > > Nothing suspicious in the exim (mailer) log.
> > > No other addresses seen.
> > >
> > > Kind regards
> > > Peter and Karin
> > >
> > > --
> > > Peter and Karin Dambier
> > > Cesidian Root - Radice Cesidiana
> > > Rimbacher Strasse 16
> > > D-69509 Moerlenbach-Bonsweiher
> > > +49(6209)795-816 (Telekom)
> > > +49(6252)750-308 (VoIP: sipgate.de)
> > > mail: [EMAIL PROTECTED]
> > > mail: [EMAIL PROTECTED]
> > > http://iason.site.voila.fr/
> > > https://sourceforge.net/projects/iason/
> > > http://www.cesidianroot.com/
> > >
>
> I think there is probably some truth in the middle of both of your posts.
>
> I have an FTP server at work and at home, and I read the logs pretty
> regularly. I see automated scans daily, all using dictionary attacks,
> with very similar patterns, enough to suggest that although they are
> "only" brute force, they could certainly be automated from a bot
> source. All use the exact same dictionary, and are from such disparate
> IP sources the theory is an interesting one. They could also be from
> an obvious single source, a hacker brute force IP scanning utility,
> but since I don't use such things I'm not certain.
>
> some examples:
>
> 193.34.150.54   Administrator   abc123  Bad username and/or password
> 193.34.150.54   Administrator   password        Bad username and/or password
> 193.34.150.54   Administrator   passwd  Bad username and/or password
> host-193-34-150-54.vlan8.argeweb.nl. (Netherlands)
>
> 60.191.20.228   Administrator   abc123  Bad username and/or password
> 60.191.20.228   Administrator   password        Bad username and/or password
> 60.191.20.228   Administrator   passwd  Bad username and/or password
> ns.zjnbptt.net.cn  Hangzhou, Zhejiang (China)
>
> 221.2.236.42    Administrator   abc123  Bad username and/or password
> 221.2.236.42    Administrator   password        Bad username and/or password
> 221.2.236.42    Administrator   passwd  Bad username and/or password
> Also China, but Dongying, Hebei
>
> 202.82.18.193   Administrator   abc123  Bad username and/or password
> 202.82.18.193   Administrator   password        Bad username and/or password
> 202.82.18.193   Administrator   passwd  Bad username and/or password
> Hong Kong
>
> 212.123.8.83    Administrator   abc123  Bad username and/or password
> 212.123.8.83    Administrator   password        Bad username and/or password
> 212.123.8.83    Administrator   passwd  Bad username and/or password
> Belgium
>
> I found the origin of the dictionary file they are using simply
> because almost all of them start trying passwords with the text from
> the dictionary source (laziness?),
>
> as you see here:
>
> 140.112.101.41  Administrator   been       Bad username and/or password
> 140.112.101.41  Administrator   compiled           Bad username and/or 
> password
> 140.112.101.41  Administrator   by                Bad username and/or password
> 140.112.101.41  Administrator   Solar      Bad username and/or password
> 140.112.101.41  Administrator   Designer           Bad username and/or 
> password
> 140.112.101.41  Administrator   of
>
> Solar Designer wrote "john the ripper" the password cracker, which of
> course comes with a dictionary.
>
>
> dvsjr
>


-- 
James Pleger
p: 623.298.7966
e: [EMAIL PROTECTED]
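Added example, not code from the thread or any of its posters: a small Python checker over constructed log lines in the shape dvsjr quoted (source IP, account, password tried, server response). It groups sources by the order of their opening guesses and matches them against the two opening sequences quoted in the thread, which is the "same kit" signal James describes; the kit names, function names and the RFC 5737 addresses are assumptions.

```python
from collections import defaultdict
# Constructed sample in the shape dvsjr quoted: source IP, account, password
# tried, server response. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10\tAdministrator\tabc123\tBad username and/or password
192.0.2.10\tAdministrator\tpassword\tBad username and/or password
192.0.2.10\tAdministrator\tpasswd\tBad username and/or password
198.51.100.20\tAdministrator\tabc123\tBad username and/or password
198.51.100.20\tAdministrator\tpassword\tBad username and/or password
198.51.100.20\tAdministrator\tpasswd\tBad username and/or password
203.0.113.30\tAdministrator\tbeen\tBad username and/or password
203.0.113.30\tAdministrator\tcompiled\tBad username and/or password
203.0.113.30\tAdministrator\tby\tBad username and/or password
203.0.113.30\tAdministrator\tSolar\tBad username and/or password
203.0.113.30\tAdministrator\tDesigner\tBad username and/or password
203.0.113.30\tAdministrator\tof\tBad username and/or password
192.0.2.99\tAdministrator\tletmein\tBad username and/or password
"""
# Opening guess sequences quoted in the thread; the kit names are assumed.
KNOWN_KITS = {
    "three-common-passwords": ("abc123", "password", "passwd"),
    "john-password-lst-header": ("been", "compiled", "by", "Solar", "Designer", "of"),
}

def password_sequences(text, account="Administrator"):
    # Ordered list of passwords each source tried against one account.
    seqs = defaultdict(list)
    for line in text.splitlines():
        parts = line.split(None, 3)  # the response field keeps its spaces
        if len(parts) == 4 and parts[1] == account and parts[3] == "Bad username and/or password":
            seqs[parts[0]].append(parts[2])
    return dict(seqs)

def shared_openings(text, prefix_len=3):
    # Sources whose first guesses coincide: the "same kit" signal James describes.
    groups = defaultdict(list)
    for ip, seq in password_sequences(text).items():
        if len(seq) >= prefix_len:
            groups[tuple(seq[:prefix_len])].append(ip)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def label_sources(text, kits=KNOWN_KITS):
    # Tag each source with the known kit whose opening sequence it replays.
    seqs = password_sequences(text)
    return {ip: name for ip, seq in seqs.items()
            for name, sig in kits.items() if tuple(seq[:len(sig)]) == sig}
```

Sources that share an opening but match no known kit still show up in shared_openings, which is the case to look at when a new wordlist starts circulating.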
_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets