To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Hi all,
I just discovered somebody knocking on my door:
xinetd_open("Sep-16","12:44:02","ftp","61.28.36.89").
ftp_connect("Sep-16","12:44:34","61.28.36.89").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Sep-16","12:44:36").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Sep-16","12:45:32").
xinetd_close("Sep-16","12:45:32","ftp").
xinetd_open("Sep-16","12:45:34","ftp","61.28.36.89").
ftp_connect("Sep-16","12:46:04","61.28.36.89").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Sep-16","12:46:06").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Sep-16","12:47:02").
xinetd_close("Sep-16","12:47:02","ftp").
...
xinetd_open("Sep-16","22:23:39","ftp","61.28.36.89").
ftp_connect("Sep-16","22:24:10","61.28.36.89").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Sep-16","22:24:11").
ftp_logout("Sep-16","22:24:33","([EMAIL PROTECTED])").
xinetd_close("Sep-16","22:24:33","ftp").
I have a very slow system, so most wordbook attacks give up very fast.
This one was more patient. Nevertheless, it did not get past the
single user "Administrator".
I have never seen somebody try for 10 hours.
At the same time I have seen some
2006-09-16 17:42:58 SMTP protocol violation: synchronization error (input sent without waiting for greeting): rejected connection from H=atuileries-152-1-77-10.w86-212.abo.wanadoo.fr [86.212.72.10]
from different ip-addresses but none from "61.28.36.89"
and a single
2006-09-15 22:59:20 H=61-216-246-242.dynamic.hinet.net (84.167.249.193) [61.216.246.242] F=<[EMAIL PROTECTED]> rejected RCPT <[EMAIL PROTECTED]>: Relaying not permitted
(84.167.249.193) used to be my own ip-address (dynamic, changing every 24h).
The SMTP stuff seems to be the normal noise, but the FTP is unusual here.
Kind regards
Peter and Karin
--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
_______________________________________________
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
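
Added example, not part of the original post or of the poster's tooling: the ftp_complained facts above carry no source address, so this sketch attributes each failure to the IP of the enclosing xinetd_open/xinetd_close session and reports how long each source kept trying. Assumptions: sessions do not overlap, the year is 2006 (taken from the SMTP lines), and the sample facts and 192.0.2.7 are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in the post's fact format (lines rejoined); 192.0.2.7 is added for contrast.
SAMPLE = '''\
xinetd_open("Sep-16","12:44:02","ftp","61.28.36.89").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Sep-16","12:44:36").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Sep-16","12:45:32").
xinetd_close("Sep-16","12:45:32","ftp").
xinetd_open("Sep-16","13:00:00","ftp","192.0.2.7").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [root]","Sep-16","13:00:05").
xinetd_close("Sep-16","13:00:20","ftp").
xinetd_open("Sep-16","22:23:39","ftp","61.28.36.89").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Sep-16","22:24:11").
xinetd_close("Sep-16","22:24:33","ftp").
'''
FACT = re.compile(r'^(\w+)\((.*)\)\.$')
ARG = re.compile(r'"([^"]*)"')
USER = re.compile(r'Authentication failed for user \[([^\]]*)\]')
TS = "%Y %b-%d %H:%M:%S"  # the facts carry no year; the caller supplies one

def summarize(text, year=2006):
    """Attribute FTP auth failures to the source IP of the enclosing xinetd session."""
    stats = defaultdict(lambda: dict(sessions=0, failures=0, users=set(), first=None, last=None))
    current = None  # IP of the open session; assumes sessions do not overlap
    for line in text.splitlines():
        m = FACT.match(line.strip())
        if not m:
            continue
        name, args = m.group(1), ARG.findall(m.group(2))
        if name == "xinetd_open" and len(args) == 4 and args[2] == "ftp":
            current = args[3]
            s = stats[current]
            s["sessions"] += 1
            s["last"] = datetime.strptime(f"{year} {args[0]} {args[1]}", TS)
            s["first"] = s["first"] or s["last"]
        elif name == "ftp_complained" and current and len(args) == 3:
            user = USER.search(args[0])
            if user:  # the "Too many authentication failures" line is not counted
                s = stats[current]
                s["failures"] += 1
                s["users"].add(user.group(1))
                s["last"] = datetime.strptime(f"{year} {args[1]} {args[2]}", TS)
        elif name == "xinetd_close":
            current = None
    return stats

def persistent(stats, min_hours=1.0):  # sources active for at least min_hours
    return sorted(ip for ip, s in stats.items()
                  if (s["last"] - s["first"]).total_seconds() >= min_hours * 3600)
```

On the sample, persistent(summarize(SAMPLE)) lists only 61.28.36.89, whose first and last events are more than nine hours apart, while the one-shot source falls below the threshold.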