Re: 2300 FTP accesses from Korea

From: ecofskyat_private
Date: Mon Jun 18 2001 - 12:36:12 PDT

    One of our clients experienced something similar a few weeks ago on
    one IP from India, and another from I believe Korea as well.
    Until we set tcpwrappers to dump all connections from these addresses,
    inetd effectively shut down FTP, causing a DoS on FTP.  Even after
    denying access, however, each made several hundred more attempts per
    hour for a few days.
    
    I did notice that both IPs were assigned to IIS boxes whose home pages
    were identical anti-Chinese messages, so they were probably both
    cracked boxen.
    
    On Sun, Jun 17, 2001 at 10:48:41PM -0700, Gregory McCann wrote:
    > Our log files show that someone at two different Korean IP addresses tried to access our ftp server (ProFTPD 1.2.0) over 2,300 times on Saturday.  What's the point?  Attempted denial of service maybe?  There does not seem to be any damage or breakin attempts.
    > 
    > First, someone at 211.203.38.222 made several connections per minute for nearly four hours.  Then ten hours later, someone at 211.247.56.102 did the same thing for about 25 minutes.
    > 
    > ftp      ftpd22972    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
    > ftp      ftpd22971    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
    > ftp      ftpd22970    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
    > etc...
    > 
    > ftp      ftpd23704    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
    > ftp      ftpd23703    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
    > ftp      ftpd23702    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
    > etc...
    > 
    > 211.203.38.222 is registered to Hanaro Telecom, Inc. in Seoul.  http://www.hananet.net/main.htm
    > 
    > I couldn't locate 211.247.56.102 because the Korean whois server is dead at the moment.
    > 
    > Also, looking back a little farther in the logs, I see 537 attempts from 211.203.39.147 on 6/13.
    > 
    > Greg
    > 
    
    -- 
    Evan Cofsky, President
    Generux Consulting, DSA Master Key 892E05A0
    ecofskyat_private, DSA Key DA253F39
    http://www.generux.com
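The thread's evidence is `last`-style ftpd login records, and the question both posters face is the same: which source addresses are hammering the daemon hard enough to trip inetd's rate limiting, and how to turn that into a tcpwrappers deny entry. The script below is an added example, not code from either poster. It parses log lines in the format quoted above, counts connections per source per minute, flags sources whose peak rate reaches a threshold, and emits hosts.deny lines for them. The threshold (3 per minute), the daemon name `in.ftpd` in the generated entries, and the extra `alice`/`192.0.2.10` line in the sample are assumptions; the three-line-per-host samples are the lines quoted in the original post.

```python
"""Count FTP connection attempts per source address from `last`-style
wtmp lines and flag sources whose per-minute connection rate reaches a
threshold.

Added example for this thread, not code from either poster.  Assumptions:
the per-minute threshold, the daemon name used in the hosts.deny lines,
and the non-quoted sample line for 192.0.2.10 (documentation range).
"""
import re
from collections import Counter, defaultdict

# Matches the record format quoted in the thread, e.g.
# ftp      ftpd22972    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
# Records with "still logged in" instead of "- HH:MM (dur)" are skipped.
LAST_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<dow>\w{3})\s+(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<hhmm>\d{2}:\d{2})"
    r"\s+-\s+\S+\s+\(\S+\)\s+(?P<host>\S+)\s*$"
)


def parse_last_lines(text):
    """Yield (host, 'Mon DD HH:MM') for every line that matches LAST_LINE."""
    for line in text.splitlines():
        m = LAST_LINE.match(line.strip())
        if not m:
            continue
        minute = f"{m['mon']} {int(m['day']):02d} {m['hhmm']}"
        yield m["host"], minute


def rate_per_minute(text):
    """Return {host: Counter({minute: connections})}."""
    buckets = defaultdict(Counter)
    for host, minute in parse_last_lines(text):
        buckets[host][minute] += 1
    return buckets


def flag_sources(text, per_minute_threshold=3):
    """Return [(host, total_connections, peak_per_minute), ...] for hosts
    whose busiest minute reaches the threshold, busiest host first.
    The default threshold is an assumption; tune it to your inetd limit."""
    flagged = []
    for host, minutes in rate_per_minute(text).items():
        peak = max(minutes.values())
        total = sum(minutes.values())
        if peak >= per_minute_threshold:
            flagged.append((host, total, peak))
    return sorted(flagged, key=lambda t: -t[1])


def hosts_deny_lines(flagged, daemon="in.ftpd"):
    """Build tcp_wrappers hosts.deny entries ("daemon: client") for the
    flagged hosts.  The daemon name is an assumption; use the name your
    ftpd is invoked as (e.g. proftpd when it is wrapped directly)."""
    return [f"{daemon}: {host}" for host, _, _ in flagged]


# Constructed sample: the six lines quoted in the thread plus one ordinary
# single-connection client (192.0.2.10) for contrast.
SAMPLE_LOG = """\
ftp      ftpd22972    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
ftp      ftpd22971    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
ftp      ftpd22970    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
ftp      ftpd23704    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
ftp      ftpd23703    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
ftp      ftpd23702    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
alice    ftpd23710    Sat Jun 16 20:15 - 20:31  (00:16)     192.0.2.10
"""

if __name__ == "__main__":
    flagged = flag_sources(SAMPLE_LOG)
    for host, total, peak in flagged:
        print(f"{host}: {total} connections, peak {peak}/minute")
    print("\n".join(hosts_deny_lines(flagged)))
```

Run it against `last -f /var/log/wtmp` output piped into `SAMPLE_LOG`'s place (or read from stdin) to get the same per-source summary for a real log; the legitimate client with one login is not flagged, while both Korean sources are.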
    
    This archive was generated by hypermail 2b30 : Mon Jun 18 2001 - 19:40:36 PDT