On 14/08/09 06:02, Jim Donovan wrote:
I had port 22 open for a few hours yesterday but closed it when I noticed the
following. He was evidently working from a list; most intruders seem content to
try a few password guesses for root/guest/mysql etc. Many of his usernames seem
pretty unlikely. Perhaps I should set up a honeypot account with audible alarm
so I could see what he was up to. Here are the first couple of lines he
logged, followed by `uniq -c` of the rest.
Jim Donovan
Quite some time ago I needed to FTP some stuff from outside to my
network, I was in a rush so I just turned on an FTP server (It was in
IIS, like I said, quite some time ago) with anon write access available
then promptly forgot to turn it off again 20 minutes later when I was
done with it. Anyway 2 weeks later I notice the internet is slow and
there's lots of bandwidth in use.
Eventually I track down that the FTP server is at fault. Turns out somebody
had "brute forced" my "anonymous" FTP server with 100,000 login attempts
before they tried anonymous.
One of them had uploaded Shaun of the Dead for his buddies to download
(why I don't know, it was an Optus cable connection, and at the time
upload speeds were something like 18kbps)
I thought, Oh well at least I got something out of it, I wanted to see
that and hadn't gotten around to it.
But NO!
The bastards had uploaded it dubbed in FRENCH!
Googling my IP address at the time turned up chat logs of them talking
about where my server was and how to get to it.
Bastards.
This is why I hate the French.
;->
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html