[COLUG] FTP attacks
Steve Roggenkamp
roggenkamps at acm.org
Fri Jul 7 21:40:22 EDT 2006

It looks like someone(s) is attempting to hack FTP servers from multiple
IP addresses.

The modus operandi is to make a connection to the FTP server then
attempt to log in using a variety of user names and passwords. Normally
they attempt 2283 passwords, then they may close the connection. At
times they may attempt multiple user names using the same connection,
keeping it open for long periods.

I have missed this since the daily log summary only shows a few
connections. I found it when diagnosing a problem for a user.

The attackers are persistent; one IP address has almost two million
attempts. When I do an nslookup on the IP, almost all come back with
NXDOMAIN. Not surprising.

It looks like these have been going on since late April, but it does not
appear that any attempts have been successful. I'm still analyzing the
logs.

Steve
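
Added example, not part of the original post: a log summary that counts failed logins per source IP rather than connections, so a single long-lived guessing session stands out. The vsftpd-style line layout, the threshold, the function names and the sample log are assumptions constructed for illustration; the post does not name the FTP daemon in use.

```python
import re
from collections import defaultdict

# vsftpd-style line layout (assumed; the post does not name the FTP daemon).
LINE_RE = re.compile(
    r'\[pid \d+\] (?:\[(?P<user>[^\]]*)\] )?'
    r'(?P<event>CONNECT|FAIL LOGIN|OK LOGIN): Client "(?P<ip>[^"]+)"')

def build_sample():
    """Constructed log: one long-lived guessing session plus one ordinary user."""
    ts = "Fri Jul  7 03:10:01 2006"
    lines = [f'{ts} [pid 4101] CONNECT: Client "192.0.2.10"']
    for user in ("admin", "test", "ftp"):  # several user names, same connection
        lines += [f'{ts} [pid 4101] [{user}] FAIL LOGIN: Client "192.0.2.10"'] * 20
    lines += [f'{ts} [pid 4102] CONNECT: Client "198.51.100.7"',
              f'{ts} [pid 4102] [alice] FAIL LOGIN: Client "198.51.100.7"',
              f'{ts} [pid 4102] [alice] OK LOGIN: Client "198.51.100.7"']
    return "\n".join(lines)

def summarize(log_text):
    """Count connections, failed and successful logins per source IP."""
    stats = defaultdict(lambda: {"connections": 0, "failures": 0,
                                 "successes": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = stats[m["ip"]]
        if m["event"] == "CONNECT":
            entry["connections"] += 1
        elif m["event"] == "FAIL LOGIN":
            entry["failures"] += 1
            entry["users"].add(m["user"])
        else:
            entry["successes"] += 1
    return stats

def flag_guessing(stats, max_failures_per_connection=5):
    """Return IPs whose failures per connection exceed the threshold."""
    flagged = {}
    for ip, e in stats.items():
        if e["failures"] / max(e["connections"], 1) > max_failures_per_connection:
            flagged[ip] = {"connections": e["connections"], "failures": e["failures"],
                           "successes": e["successes"], "users": sorted(e["users"])}
    return flagged

if __name__ == "__main__":
    for ip, info in flag_guessing(summarize(build_sample())).items():
        print(ip, info)
```

A nonzero `successes` count on a flagged address is the case to investigate first.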