RE: 2300 FTP accesses from Korea

From: Gregory McCann (cambriaat_private)
Date: Mon Jun 18 2001 - 14:15:55 PDT


    On 6/18/2001 at 3:36 PM Hicks, John wrote:
    
    >Did you cross-reference these entries with your failed logons?  At first I
    >would suspect a brute-force attack
    
    Thanks to everyone for the excellent suggestions.  I dug a little deeper and found that this was indeed a brute force attack.  
    
    But not for user id and password.  They always logged in as the anonymous user.  What they were trying to get to was a hidden file on this site.  (All directory listings are hidden and the user must know the exact filename to be able to download.)
    
    Check this out...
    
    Edited for space and clarity (and a little obfuscation).  All connections are from 211.203.38.222.
    
    "[16/Jun/2001:07:02:42 -0700]","USER anonymous","331"
    "[16/Jun/2001:07:02:42 -0700]","TYPE I","200"
    "[16/Jun/2001:07:02:42 -0700]","PASS getright@","230"
    "[16/Jun/2001:07:02:42 -0700]","SIZE /download/pc/blah4702.exe","550"
    "[16/Jun/2001:07:02:42 -0700]","SIZE download/pc/blah4702.exe","550"
    "[16/Jun/2001:07:02:43 -0700]","SIZE /download/pc/blah4703.exe","550"
    "[16/Jun/2001:07:02:43 -0700]","SIZE download/pc/blah4703.exe","550"
    "[16/Jun/2001:07:02:50 -0700]","SIZE /download/pc/blah4704.exe","550"
    "[16/Jun/2001:07:02:50 -0700]","SIZE download/pc/blah4704.exe","550"
    "[16/Jun/2001:07:02:50 -0700]","SIZE /download/pc/blah4705.exe","550"
    "[16/Jun/2001:07:02:51 -0700]","SIZE download/pc/blah4705.exe","550"
    "[16/Jun/2001:07:02:57 -0700]","SIZE /download/pc/blah4706.exe","550"
    "[16/Jun/2001:07:02:57 -0700]","SIZE /download/pc/blah4707.exe","550"
    "[16/Jun/2001:07:02:57 -0700]","SIZE download/pc/blah4706.exe","550"
    "[16/Jun/2001:07:02:58 -0700]","SIZE download/pc/blah4707.exe","550"
    "[16/Jun/2001:07:03:04 -0700]","SIZE /download/pc/blah4708.exe","550"
    "[16/Jun/2001:07:03:04 -0700]","SIZE download/pc/blah4708.exe","550"
    "[16/Jun/2001:07:03:05 -0700]","SIZE /download/pc/blah4709.exe","550"
    "[16/Jun/2001:07:03:05 -0700]","SIZE download/pc/blah4709.exe","550"
    "[16/Jun/2001:07:03:12 -0700]","SIZE /download/pc/blah4710.exe","550"
    "[16/Jun/2001:07:03:12 -0700]","SIZE download/pc/blah4710.exe","550"
    
    etc...
    
    Greg
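
Detection logic for the pattern in the log above, added here as an example and not part of the original message: it collects `SIZE` requests answered `550` and flags any filename pattern whose numeric counter is probed in consecutive order. The function names, the `min_run` threshold and the sample lines are constructed for illustration, and the code assumes the three-field quoted format shown in the excerpt.

```python
import csv
import re
from collections import defaultdict

# Constructed sample in the excerpt's format (client address already removed).
SAMPLE_LOG = '''\
"[16/Jun/2001:07:02:42 -0700]","USER anonymous","331"
"[16/Jun/2001:07:02:42 -0700]","SIZE /download/pc/blah4702.exe","550"
"[16/Jun/2001:07:02:42 -0700]","SIZE download/pc/blah4702.exe","550"
"[16/Jun/2001:07:02:43 -0700]","SIZE /download/pc/blah4703.exe","550"
"[16/Jun/2001:07:02:50 -0700]","SIZE /download/pc/blah4704.exe","550"
"[16/Jun/2001:07:02:57 -0700]","SIZE /download/pc/blah4706.exe","550"
"[16/Jun/2001:07:02:57 -0700]","SIZE /download/pc/blah4705.exe","550"
"[16/Jun/2001:07:03:10 -0700]","SIZE /pub/readme.txt","213"
"[16/Jun/2001:07:03:11 -0700]","SIZE /pub/notes2.txt","550"
'''

# Split a path around its last run of digits: (stem, counter, suffix).
COUNTER = re.compile(r'^(.*?)(\d+)(\D*)$')

def failed_size_probes(log_text):
    """Collect counters from SIZE requests answered 550, keyed by name pattern."""
    groups = defaultdict(set)
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 3 or row[2] != '550' or not row[1].upper().startswith('SIZE '):
            continue                      # malformed, successful, or another command
        # Assumption: the login directory is /, so a/b and /a/b name the same file.
        path = '/' + row[1][5:].strip().lstrip('/')
        m = COUNTER.match(path)
        if m:
            groups[(m.group(1), m.group(3))].add(int(m.group(2)))
    return groups

def longest_run(numbers):
    """Length of the longest run of consecutive integers in a set."""
    best = 0
    for n in numbers:
        if n - 1 not in numbers:          # n starts a run
            end = n
            while end + 1 in numbers:
                end += 1
            best = max(best, end - n + 1)
    return best

def enumeration_alerts(log_text, min_run=5):
    """Return {pattern: run length} for name patterns probed in sequence."""
    runs = {s + '<N>' + x: longest_run(n)
            for (s, x), n in failed_size_probes(log_text).items()}
    return {pattern: run for pattern, run in runs.items() if run >= min_run}
```

Because the counters are kept as a set, out-of-order probes (4706 before 4705 in the sample) and the duplicate request without the leading slash still count as one consecutive run.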
    


