Re: 2300 FTP accesses from Korea

From: Derek Kwan (dkwanat_private)
Date: Mon Jun 18 2001 - 13:13:08 PDT


    Well, I don't think this is a DoS attack... after all, what's the point?
    And can't they find a better tool to launch a DoS?
    
    I think (IMHO) they are trying to access some (possibly warez) site. And
    either they have the wrong IP address, or maybe your box got hacked and
    (was) hosting some warez site.
    
    The reason for this is that I think they are using some client that will
    just keep retrying to connect to an FTP server....
    
    Just my 2 bits.
    
     \|/ _____ \|/    ***************************************************
     "@'/ , . \`@"    This e-mail is sent with 100% recyclable electrons.
     /_| \___/ |__\   ***************************************************
        \___U_/       Derekat_private
    
    
    On Sun, 17 Jun 2001, Gregory McCann wrote:
    
    > Our log files show that someone at two different Korean ip addresses
    > tried to access our ftp server (ProFTPD 1.2.0) over 2,300 times on
    > Saturday.  What's the point?  Attempted denial of service maybe?  
    > There does not seem to be any damage or break-in attempts.
    > 
    > First, someone at 211.203.38.222 made several connections per minute
    > for nearly four hours.  Then ten hours later, someone at
    > 211.247.56.102 did the same thing for about 25 minutes.
    > 
    > ftp      ftpd22972    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
    > ftp      ftpd22971    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
    > ftp      ftpd22970    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
    > etc...
    > 
    > ftp      ftpd23704    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
    > ftp      ftpd23703    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
    > ftp      ftpd23702    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
    > etc...
    > 
    > 211.203.38.222 is registered to Hanaro Telecom, Inc. in Seoul.  
    > http://www.hananet.net/main.htm
    > 
    > I couldn't locate 211.247.56.102 because the Korean whois server is
    > dead at the moment.
    > 
    > Also, looking back a little farther in the logs, I see 537 attempts
    > from 211.203.39.147 on 6/13.
    > 
    > Greg
    > 
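
An added example, not part of either message: one way to summarize `last`-style FTP session lines like those quoted above per remote host and flag hosts that connect repeatedly at a sustained rate. The function names, the thresholds, the assumed year and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# One `last`-style wtmp line, in the format quoted in the post:
# user, ftpd<pid>, login time, logout time, (duration), remote host.
LINE = re.compile(
    r"^(?P<user>\S+)\s+ftpd(?P<pid>\d+)\s+"
    r"(?P<start>\w{3} \w{3} [ \d]\d \d\d:\d\d) - (?P<end>\d\d:\d\d)\s+"
    r"\((?P<dur>(?:\d+\+)?\d\d:\d\d)\)\s+(?P<host>\S+)$"
)

def summarize(lines, year=2001):
    """Per-host session count, zero-duration count, first and last login time.
    `last` prints no year, so the caller supplies it (assumption)."""
    hosts = defaultdict(lambda: {"count": 0, "zero": 0, "first": None, "last": None})
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip headers, "etc..." and other non-session lines
        when = datetime.strptime(f"{year} {m['start']}", "%Y %a %b %d %H:%M")
        s = hosts[m["host"]]
        s["count"] += 1
        s["zero"] += m["dur"] == "00:00"
        s["first"] = when if s["first"] is None else min(s["first"], when)
        s["last"] = when if s["last"] is None else max(s["last"], when)
    return dict(hosts)

def repeated_connectors(lines, min_sessions=20, min_per_minute=1.0):
    """Hosts with many sessions at a sustained rate (thresholds are assumptions)."""
    flagged = {}
    for host, s in summarize(lines).items():
        # `last` has minute resolution, so count the span inclusively.
        minutes = (s["last"] - s["first"]).total_seconds() / 60 + 1
        rate = s["count"] / minutes
        if s["count"] >= min_sessions and rate >= min_per_minute:
            flagged[host] = {"sessions": s["count"], "zero_duration": s["zero"],
                             "per_minute": round(rate, 2)}
    return flagged

def sample_lines():
    """Constructed sample: 30 zero-length sessions in 10 minutes, plus a normal user."""
    burst = [f"ftp      ftpd{22000 + i}    Sat Jun 16 10:{i // 3:02d} - 10:{i // 3:02d}"
             f"  (00:00)     192.0.2.10" for i in range(30)]
    normal = ["ftp      ftpd21000    Sat Jun 16 09:15 - 09:42  (00:27)     198.51.100.7",
              "ftp      ftpd21500    Sat Jun 16 14:03 - 14:10  (00:07)     198.51.100.7"]
    return burst + normal + ["etc..."]
```

A high share of zero-duration sessions in the result means each connection was dropped within the same minute it was opened, which is what the quoted log lines show.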
    



    This archive was generated by hypermail 2b30 : Mon Jun 18 2001 - 20:00:29 PDT