[COLUG] FTP attacks
Jeffrey Tadlock
jeffrey at tadlocks.net
Sat Jul 8 07:37:33 EDT 2006
Steve Roggenkamp wrote:
> It looks like someone(s) is attempting to hack FTP servers from multiple
> IP addresses.
>
> The modus operandi is to make a connection to the FTP server then
> attempt to log in using a variety of user names and passwords. Normally
> they attempt 2283 passwords, then they may close the connection.
I've been seeing similar things on an FTP server I have at work, even
down to the number of passwords tried. In my case the FTP server is a
Windows machine and they only try one username - Administrator. The
brute force attempts have come from multiple IPs and occur sporadically.
> I have missed this since the daily log summary only shows a few
> connections. I found it when diagnosing a problem for a user.
I couldn't miss mine! My log monitoring software started firing off
emails near immediately on each occasion the brute force attack began.
> The attackers are persistent, one IP address has almost two million
> attempts. When I do an nslookup on the IP, almost all come back with
> NXDOMAIN. Not surprising.
I use ARIN and/or APNIC to see at least where the attacks came from. In
most cases it was an IP address from China or Korea.
-Jeffrey
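
An added example, not part of the original messages: the thread notes that a per-connection log summary hid the attack because each connection carried thousands of login attempts, so this sketch counts failed logins per source IP alongside distinct connections. The log format, the sample lines, the addresses and the threshold of 10 failures per connection are all assumptions constructed for illustration; neither poster names their log format.

```python
import re
from collections import defaultdict

# Hypothetical log format, constructed for this example:
#   <timestamp> conn=<id> ip=<addr> event=<CONNECT|LOGIN_FAIL|LOGIN_OK> [user=<name>]
LINE_RE = re.compile(
    r"^\S+ conn=(?P<conn>\d+) ip=(?P<ip>\S+) "
    r"event=(?P<event>CONNECT|LOGIN_FAIL|LOGIN_OK)(?: user=(?P<user>\S+))?$"
)

def build_sample_log():
    """Constructed sample: one guessing source and one user with a single typo."""
    ts = "2006-07-08T07:00:00"
    lines = [f"{ts} conn=1 ip=203.0.113.5 event=CONNECT"]
    lines += [f"{ts} conn=1 ip=203.0.113.5 event=LOGIN_FAIL user=Administrator"] * 2283
    lines += [
        f"{ts} conn=2 ip=198.51.100.7 event=CONNECT",
        f"{ts} conn=2 ip=198.51.100.7 event=LOGIN_FAIL user=alice",
        f"{ts} conn=2 ip=198.51.100.7 event=LOGIN_OK user=alice",
    ]
    return lines

def summarize(lines):
    """Per source IP: distinct connections, failed logins, user names tried."""
    stats = defaultdict(lambda: {"connections": set(), "failures": 0, "users": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the assumed format
        entry = stats[m["ip"]]
        entry["connections"].add(m["conn"])
        if m["event"] == "LOGIN_FAIL":
            entry["failures"] += 1
            if m["user"]:
                entry["users"].add(m["user"])
    return stats

def flag_brute_force(stats, max_failures_per_conn=10):
    """Flag sources whose failures per connection exceed an assumed threshold."""
    flagged = {}
    for ip, entry in stats.items():
        conns = len(entry["connections"])
        if entry["failures"] / conns > max_failures_per_conn:
            flagged[ip] = (conns, entry["failures"], sorted(entry["users"]))
    return flagged

if __name__ == "__main__":
    for ip, (conns, fails, users) in flag_brute_force(summarize(build_sample_log())).items():
        print(f"{ip}: {fails} failed logins over {conns} connection(s), users tried: {users}")
```

A summary that reported only connections would show one connection from each address here; the failures-per-connection ratio is what separates the two.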