RE: 2300 FTP accesses from Korea

From: Obert, Jack E. (JObertat_private)
Date: Mon Jun 18 2001 - 12:36:34 PDT


    What are the associated UIDs...  Could this be a brute force using a
    package like BrutusA2?
    
     
    Jack E. Obert, GSEC 
    Technical Information Security Officer 
    St. John's Health System 
    
    
    -----Original Message-----
    From: Gregory McCann [mailto:cambriaat_private]
    Sent: Monday, June 18, 2001 12:49 AM
    To: incidentsat_private
    Subject: 2300 FTP accesses from Korea
    
    
    Our log files show that someone at two different Korean IP addresses tried
    to access our FTP server (ProFTPD 1.2.0) over 2,300 times on Saturday.
    What's the point?  Attempted denial of service maybe?  There does not seem
    to be any damage or break-in attempts.
    
    First, someone at 211.203.38.222 made several connections per minute for
    nearly four hours.  Then ten hours later, someone at 211.247.56.102 did the
    same thing for about 25 minutes.
    
    ftp      ftpd22972    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
    ftp      ftpd22971    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
    ftp      ftpd22970    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
    etc...
    
    ftp      ftpd23704    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
    ftp      ftpd23703    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
    ftp      ftpd23702    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
    etc...
    
    211.203.38.222 is registered to Hanaro Telecom, Inc. in Seoul.
    http://www.hananet.net/main.htm
    
    I couldn't locate 211.247.56.102 because the Korean whois server is dead at
    the moment.
    
    Also, looking back a little farther in the logs, I see 537 attempts from
    211.203.39.147 on 6/13.
    
    Greg
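
One way to answer both questions in the thread (how many sessions came from each source, and which login names they used) is to summarize the `last` output per remote host. This is an added example, not part of either message; the `summarize` and `flag` helpers, the threshold, and the two `alice` sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Completed ftpd sessions in `last` output: user, ftpd<pid>, date, times, host
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<line>ftpd\d+)\s+\w{3}\s+(?P<mon>\w{3})\s+(?P<day>\d{1,2})"
    r"\s+(?P<login>\d{2}:\d{2})\s+-\s+\S+\s+\(\S+\)\s+(?P<host>\S+)\s*$"
)

# First six lines are quoted from the message; the two alice lines are constructed.
SAMPLE = """\
ftp      ftpd22972    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
ftp      ftpd22971    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
ftp      ftpd22970    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
ftp      ftpd23704    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
ftp      ftpd23703    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
ftp      ftpd23702    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
alice    pts/0        Sat Jun 16 09:00 - 09:30  (00:30)     192.0.2.10
alice    ftpd23001    Sat Jun 16 12:15 - 12:20  (00:05)     192.0.2.10
"""

def summarize(lines, year=2001):
    """Group ftpd sessions by source host; `last` omits the year, so pass it in."""
    acc = defaultdict(lambda: {"users": set(), "minutes": Counter()})
    for raw in lines:
        m = LAST_RE.match(raw.strip())
        if not m:
            continue  # skips "etc...", non-ftpd lines, sessions still open
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['login']}", "%Y %b %d %H:%M")
        acc[m["host"]]["users"].add(m["user"])
        acc[m["host"]]["minutes"][ts] += 1
    return {
        host: {
            "count": sum(a["minutes"].values()),
            "users": sorted(a["users"]),          # the login names asked about
            "first": min(a["minutes"]),
            "last": max(a["minutes"]),
            "peak_per_minute": max(a["minutes"].values()),
        }
        for host, a in acc.items()
    }

def flag(report, min_count=3):
    """Hosts with at least min_count ftpd sessions (threshold is arbitrary)."""
    return sorted(h for h, r in report.items() if r["count"] >= min_count)

if __name__ == "__main__":
    for host, r in summarize(SAMPLE.splitlines()).items():
        print(host, r["count"], r["users"], r["first"], r["last"], r["peak_per_minute"])
```

Feeding it the full output of `last` for the period, with a threshold suited to the server's normal traffic, shows at a glance whether a burst used a single login name or cycled through many.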
    


