To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
This is not that uncommon. I work at a large hosting company and see
this type of thing on customer boxes all of the time.
If it becomes persistent, use your port filtering method of choice to
lock FTP down to a few admin IPs or Admin Range, or set FTP to listen on
a non-standard port.
This is typically scripted and random, and a non-standard port will end
this nonsense unless you are being targeted.
-Mike
Peter Dambier wrote:
>Hi all,
>
>I just discovered somebody knocking on my door:
>
>xinetd_open("Sep-16","12:44:02","ftp","61.28.36.89").
>ftp_connect("Sep-16","12:44:34","61.28.36.89").
>ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user
>[Administrator]","Sep-16","12:44:36").
>ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication
>failures","Sep-16","12:45:32").
>xinetd_close("Sep-16","12:45:32","ftp").
>
>xinetd_open("Sep-16","12:45:34","ftp","61.28.36.89").
>ftp_connect("Sep-16","12:46:04","61.28.36.89").
>ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user
>[Administrator]","Sep-16","12:46:06").
>ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication
>failures","Sep-16","12:47:02").
>xinetd_close("Sep-16","12:47:02","ftp").
>
>....
>
>xinetd_open("Sep-16","22:23:39","ftp","61.28.36.89").
>ftp_connect("Sep-16","22:24:10","61.28.36.89").
>ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user
>[Administrator]","Sep-16","22:24:11").
>ftp_logout("Sep-16","22:24:33","([EMAIL PROTECTED])").
>xinetd_close("Sep-16","22:24:33","ftp").
>
>
>I have a very slow system. So most wordbook attacks give up very fast.
>This one was more patient. Nevertheless it did not get past the
>single user "Administrator".
>
>I have never seen somebody trying for 10 hours.
>
>
>At the same time I have seen some
>
>2006-09-16 17:42:58 SMTP protocol violation:
> synchronization error (input sent without waiting for greeting):
> rejected connection from
> H=atuileries-152-1-77-10.w86-212.abo.wanadoo.fr [86.212.72.10]
>
>from different ip-addresses but none from "61.28.36.89"
>
>and a single
>
>2006-09-15 22:59:20 H=61-216-246-242.dynamic.hinet.net (84.167.249.193)
>[61.216.246.242]
> F=<[EMAIL PROTECTED]> rejected RCPT <[EMAIL PROTECTED]>:
> Relaying not permitted
>
>
>(84.167.249.193) used to be my own ip-address (dynamic, changing every 24h)
>
>
>The SMTP stuff seems to be the normal noise but the FTP is unusual here.
>
>
>Kind regards
>Peter and Karin
>
>
>
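One way to spot the pattern Peter describes (one source failing against a single account in many short sessions spread over hours, which per-session lockouts never stop) is to correlate the xinetd and FTP facts by session. This is an added example, not code from either poster; the log lines are constructed to mimic the post's format, and the thresholds are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the post's fact format (wrapped lines joined, mail
# address replaced by a placeholder): three short sessions from one source.
SAMPLE_LOG = """\
xinetd_open("Sep-16","12:44:02","ftp","61.28.36.89").
ftp_complained("(ftp@host) [WARNING] Authentication failed for user [Administrator]","Sep-16","12:44:36").
xinetd_close("Sep-16","12:45:32","ftp").
xinetd_open("Sep-16","12:45:34","ftp","61.28.36.89").
ftp_complained("(ftp@host) [WARNING] Authentication failed for user [Administrator]","Sep-16","12:46:06").
xinetd_close("Sep-16","12:47:02","ftp").
xinetd_open("Sep-16","22:23:39","ftp","61.28.36.89").
ftp_complained("(ftp@host) [WARNING] Authentication failed for user [Administrator]","Sep-16","22:24:11").
xinetd_close("Sep-16","22:24:33","ftp").
"""

FACT_RE = re.compile(r'^(\w+)\((.*)\)\.$')   # predicate(args).
ARG_RE = re.compile(r'"([^"]*)"')            # each double-quoted argument
FAIL_RE = re.compile(r'Authentication failed for user \[([^\]]*)\]')

def failed_logins(text):
    """Yield (source_ip, user, timestamp) per failed login, attributed to the
    enclosing xinetd session. Assumes sessions do not overlap, as in the post."""
    current_ip = None
    for line in text.splitlines():
        if not (m := FACT_RE.match(line.strip())):
            continue
        pred, args = m.group(1), ARG_RE.findall(m.group(2))
        if pred == "xinetd_open" and args[2] == "ftp":
            current_ip = args[3]
        elif pred == "xinetd_close":
            current_ip = None
        elif pred == "ftp_complained" and current_ip and (hit := FAIL_RE.search(args[0])):
            ts = datetime.strptime(f"{args[1]} {args[2]}", "%b-%d %H:%M:%S")
            yield current_ip, hit.group(1), ts

def summarize(text):
    """Per source IP: failure count, users, hours first-to-last (log is chronological)."""
    by_ip = {}
    for ip, user, ts in failed_logins(text):
        by_ip.setdefault(ip, []).append((user, ts))
    return {ip: {"failures": len(items), "users": sorted({u for u, _ in items}),
                 "span_hours": (items[-1][1] - items[0][1]).total_seconds() / 3600}
            for ip, items in by_ip.items()}

def suspicious(text, min_failures=3, min_span_hours=1.0):
    """Sources worth filtering; thresholds are assumptions, tune per site."""
    return [ip for ip, r in summarize(text).items()
            if r["failures"] >= min_failures and r["span_hours"] >= min_span_hours]
```

A patient low-rate source like this shows only a handful of failures but a span of many hours, which is what the span threshold catches and a simple per-minute rate limit would miss.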
_______________________________________________
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets