To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
This looks like standard FTP brute-forcing...
Typical targets of these attacks are MS FTP servers; they will target
the administrator account so they can get that account's password, and
then upload files and execute them, or otherwise compromise the box.
I have seen this activity for many years, and more likely than not it
isn't a targeted attack.
On 10/6/07, Peter Dambier <[EMAIL PROTECTED]> wrote:
> Good morning,
>
> I have put the logs from my mailer and ftp-server
> together with my router and VoIP:
>
> Oct 5 12:09:34 voipd[406]: query_local_ipaddress: 62.227.220.143
>
> netdate("Oct-5","23:38:06","time3 +0.234 Fri Oct 5 23:38:03.000").
> xinetd_open("Oct-6","00:31:58","ftp","203.112.196.130").
> ftp_connect("Oct-6","00:32:02","203.112.196.130").
> ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:32:03").
> ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","00:33:00").
> xinetd_close("Oct-6","00:33:00","ftp").
> xinetd_open("Oct-6","00:33:00","ftp","203.112.196.130").
> ftp_connect("Oct-6","00:33:01","203.112.196.130").
> ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:02").
> ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:06").
> ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:13").
> ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","00:33:53").
> xinetd_close("Oct-6","00:33:53","ftp").
> xinetd_open("Oct-6","00:33:54","ftp","203.112.196.130").
> ...
> xinetd_close("Oct-6","03:06:22","ftp").
> xinetd_open("Oct-6","03:06:23","ftp","203.112.196.130").
> ftp_connect("Oct-6","03:06:33","203.112.196.130").
> ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","03:06:34").
> ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","03:07:20").
> ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","03:07:36").
> xinetd_close("Oct-6","03:07:36","ftp").
>
>
> Oct 6 03:08:22 dsld[381]: EVENT(80): Die Internetverbindung wird kurz unterbrochen, um der Zwangstrennung durch den Anbieter zuvorzukommen.
> Oct 6 03:08:23 dsld[381]: Channel 0 closed (physical)
> Oct 6 03:08:23 dsld[381]: internet: disconnected
> Oct 6 03:08:23 dsld[381]: EVENT(23): Internetverbindung wurde getrennt.
> Oct 6 03:08:24 multid[360]: ONLINE: now offline
> Oct 6 03:08:24 voipd[406]: connstatus 5 -> 3
> Oct 6 03:08:24 dsld[381]: internet: connecting
> Oct 6 03:08:24 dsld[381]: internet: 00:04:0e:6d:8a:43
> Oct 6 03:08:24 dsld[381]: internet: 00:04:0e:6d:8a:43
> Oct 6 03:08:24 dsld[381]: PPP led: off (value=0)
> Oct 6 03:08:24 dsld[381]: Channel 0 up (physical outgoing)
> Oct 6 03:08:25 voipd[406]: connstatus 3 -> 4
> Oct 6 03:08:25 dsld[381]: internet: set_snd_ipaddr: 62.227.245.7
> Oct 6 03:08:25 dsld[381]: internet: connected
> Oct 6 03:08:25 dsld[381]: PPP led: on (value=1)
> Oct 6 03:08:25 dsld[381]: EVENT(22): Internetverbindung wurde erfolgreich hergestellt. IP-Adresse: 62.227.245.7, DNS-Server: 217.237.150.51 und 217.237.148.22, Gateway: 217.0.116.228
> Oct 6 03:08:26 multid[360]: DDNS: echnaton.serveftp.com: checking ip address
> Oct 6 03:08:26 multid[360]: dns: echnaton.serveftp.com: query
> Oct 6 03:08:26 multid[360]: ONLINE: now online 62.227.245.7
> Oct 6 03:08:26 voipd[406]: connstatus 4 -> 5
>
>
> netdate("Oct-6","03:38:05","time3 +0.290 Sat Oct 6 03:38:02.000").
> netdate("Oct-6","04:38:04","time3 -0.754 Sat Oct 6 04:38:01.000").
> xinetd_open("Oct-6","04:47:21","ftp","203.112.196.130").
> ftp_connect("Oct-6","04:47:22","203.112.196.130").
> ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:47:22").
> ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:48:10").
> ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","04:48:28").
> xinetd_close("Oct-6","04:48:28","ftp").
> xinetd_open("Oct-6","04:48:31","ftp","203.112.196.130").
> ...
> xinetd_close("Oct-6","04:56:37","ftp").
> xinetd_open("Oct-6","04:56:41","ftp","203.112.196.130").
> ftp_connect("Oct-6","04:56:45","203.112.196.130").
> ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:56:46").
> ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","04:57:40").
> xinetd_close("Oct-6","04:57:40","ftp").
> netdate("Oct-6","05:38:05","time3 +0.251 Sat Oct 6 05:38:02.000").
>
>
> Interestingly enough, the attack survived a DSL disconnect
> and reconnect with a changed IPv4 address.
>
> The hole of 90 minutes suggests they did not follow me via DNS or SIP.
>
> They only tried user [Administrator].
>
> nmap says they have no ports open. I did not try the complicated things :)
>
>
> Nothing suspicious in the exim (mailer) log.
> No other addresses seen.
>
> Kind regards
> Peter and Karin
>
> --
> Peter and Karin Dambier
> Cesidian Root - Radice Cesidiana
> Rimbacher Strasse 16
> D-69509 Moerlenbach-Bonsweiher
> +49(6209)795-816 (Telekom)
> +49(6252)750-308 (VoIP: sipgate.de)
> mail: [EMAIL PROTECTED]
> mail: [EMAIL PROTECTED]
> http://iason.site.voila.fr/
> https://sourceforge.net/projects/iason/
> http://www.cesidianroot.com/
>
> _______________________________________________
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> All list and server information are public and available to law enforcement
> upon request.
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
>
--
James Pleger
p: 623.298.7966
e: [EMAIL PROTECTED]
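The pattern James describes (repeated failures against a single account from one source, with the server's lockout kicking in each time) can be pulled straight out of the kind of log Peter posted. The following is an added example written for this thread, not code from either poster: it parses the Prolog-style facts, attributes each authentication failure to the source IP of the currently open xinetd ftp session, and flags any IP that produces a threshold number of failures inside a sliding time window. The log text is constructed here to mirror the post: the address 203.112.196.130 and the user name Administrator come from the thread, while `ftp@example.invalid`, the second address 198.51.100.7 and the user `karin` are made-up placeholders. The attribution rule assumes one ftp connection at a time, which is what this xinetd log shows; a server handling concurrent connections would need the PID or connection id in the message to do this correctly.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in the Prolog-style fact format used in the post.
# Only 203.112.196.130 and the user Administrator come from the thread;
# the hostname, the second address and the user "karin" are placeholders.
SAMPLE_LOG = """\
xinetd_open("Oct-6","00:31:58","ftp","203.112.196.130").
ftp_connect("Oct-6","00:32:02","203.112.196.130").
ftp_complained("(ftp@example.invalid) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:32:03").
ftp_complained("(ftp@example.invalid) [ERROR] Too many authentication failures","Oct-6","00:33:00").
xinetd_close("Oct-6","00:33:00","ftp").
xinetd_open("Oct-6","00:33:00","ftp","203.112.196.130").
ftp_complained("(ftp@example.invalid) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:02").
ftp_complained("(ftp@example.invalid) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:06").
ftp_complained("(ftp@example.invalid) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:13").
ftp_complained("(ftp@example.invalid) [ERROR] Too many authentication failures","Oct-6","00:33:53").
xinetd_close("Oct-6","00:33:53","ftp").
xinetd_open("Oct-6","04:47:21","ftp","203.112.196.130").
ftp_complained("(ftp@example.invalid) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:47:22").
ftp_complained("(ftp@example.invalid) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:48:10").
ftp_complained("(ftp@example.invalid) [ERROR] Too many authentication failures","Oct-6","04:48:28").
xinetd_close("Oct-6","04:48:28","ftp").
xinetd_open("Oct-6","05:10:00","ftp","198.51.100.7").
ftp_complained("(ftp@example.invalid) [WARNING] Authentication failed for user [karin]","Oct-6","05:10:02").
xinetd_close("Oct-6","05:10:30","ftp").
"""

RECORD_RE = re.compile(r'^(\w+)\((.*)\)\.\s*$')
FAILED_USER_RE = re.compile(r'Authentication failed for user \[([^\]]*)\]')
LOCKOUT_MARK = "Too many authentication failures"


def parse_record(line):
    """Split one fact such as xinetd_close("Oct-6","00:33:00","ftp"). into
    (predicate, [args]); return None for lines that are not facts."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    predicate, raw_args = m.groups()
    # Every argument is a double-quoted string; the message argument of
    # ftp_complained contains brackets and parentheses but no quotes.
    return predicate, re.findall(r'"([^"]*)"', raw_args)


def parse_ts(date_str, time_str):
    """'Oct-6' + '00:32:03' -> datetime. The log carries no year, so the
    result defaults to 1900; ordering within one capture is all we need."""
    return datetime.strptime(f"{date_str} {time_str}", "%b-%d %H:%M:%S")


def analyze(log_text, threshold=3, window=timedelta(minutes=10)):
    """Attribute failures to the source IP of the open ftp session and flag
    any IP with `threshold` or more failures inside a sliding `window`."""
    per_ip = defaultdict(lambda: {"sessions": 0, "failures": 0, "lockouts": 0,
                                  "users": set(), "first": None, "last": None,
                                  "alert": False})
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    current_ip = None            # assumption: one ftp connection open at a time

    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        predicate, args = rec
        if predicate == "xinetd_open" and len(args) == 4 and args[2] == "ftp":
            current_ip = args[3]
            per_ip[current_ip]["sessions"] += 1
        elif predicate == "xinetd_close" and len(args) == 3 and args[2] == "ftp":
            current_ip = None
        elif predicate == "ftp_complained" and current_ip and len(args) == 3:
            message, date_str, time_str = args
            entry = per_ip[current_ip]
            if LOCKOUT_MARK in message:
                entry["lockouts"] += 1   # server-side lockout fired for this session
                continue
            m = FAILED_USER_RE.search(message)
            if not m:
                continue
            ts = parse_ts(date_str, time_str)
            entry["failures"] += 1
            entry["users"].add(m.group(1))
            entry["first"] = entry["first"] or ts
            entry["last"] = ts
            q = recent[current_ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                entry["alert"] = True

    # Freeze the user sets so the result is stable and printable.
    return {ip: {**e, "users": sorted(e["users"])} for ip, e in per_ip.items()}


if __name__ == "__main__":
    for ip, e in analyze(SAMPLE_LOG).items():
        print(f"{ip}: sessions={e['sessions']} failures={e['failures']} "
              f"lockouts={e['lockouts']} users={e['users']} alert={e['alert']}")
```

The per-IP summary also records how many distinct user names were tried, which is the quickest way to tell a single-account password guess like this one (one user, many sessions) from a username spray (many users, one or two attempts each); the sliding window rather than a plain per-session count is what keeps the three-attempts-then-lockout rhythm from hiding the activity.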