Hi,

At 23:15 18/06/2001, you wrote:
>Thanks to everyone for the excellent suggestions. I dug a little deeper
>and found that this was indeed a brute force attack.
>But not for user id and password. They always logged in as the anonymous
>user. What they were trying to get to was a hidden file on this
>site. (All directory listings are hidden and the user must know the exact
>filename to be able to download.)

So they just kept on guessing the different filenames or what?

>Check this out...
>
>Edited for space and clarity (and a little obfuscation). All connections
>are from 211.203.38.222.
>
>"[16/Jun/2001:07:02:42 -0700]","USER anonymous","331"
>"[16/Jun/2001:07:02:42 -0700]","TYPE I","200"
>"[16/Jun/2001:07:02:42 -0700]","PASS getright@","230"

This shows that it was getright download manager (www.getright.com) ..
With a very large download list :-)

>"[16/Jun/2001:07:02:42 -0700]","SIZE /download/pc/blah4702.exe","550"
>"[16/Jun/2001:07:02:42 -0700]","SIZE download/pc/blah4702.exe","550"
>"[16/Jun/2001:07:02:43 -0700]","SIZE /download/pc/blah4703.exe","550"

[snip]

>"[16/Jun/2001:07:03:05 -0700]","SIZE /download/pc/blah4709.exe","550"
>"[16/Jun/2001:07:03:05 -0700]","SIZE download/pc/blah4709.exe","550"
>"[16/Jun/2001:07:03:12 -0700]","SIZE /download/pc/blah4710.exe","550"
>"[16/Jun/2001:07:03:12 -0700]","SIZE download/pc/blah4710.exe","550"

It was probably set on auto-retry forever, and the program just kept on
trying. When it can't open a file like "/download/pc/blah4709.exe" it tries
without leading backslash, which leads to 2 requests for one file.

They just kept on going for every combination or something?

-Tom

-------------------------------------------------
Web: http://www.powersource.cx --- ICQ#: 12120754
Also check this out: http://kickme.to/sidewinder
Need some cheats?? http://www.chaos-cheatbase.com
Keep Fido&BBS Alive! http://skynetbbs.dyns.cx
-------------------------------------------------
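Added example, not part of the original message or of any tool named in it: a log triage sketch for the three-field format quoted above that separates failed logins (530) from failed filename probes (550), folds the paired request without the leading slash into one path, and measures how long the run of consecutive numbered filenames is. The names `summarize`, `longest_run` and the `min_run` threshold are assumptions, and the sample lines are constructed in the quoted format.

```python
import re
from collections import defaultdict

# Constructed sample in the three-field format quoted in the message above
# (timestamp, FTP command, reply code).
SAMPLE_LOG = """\
"[16/Jun/2001:07:02:42 -0700]","USER anonymous","331"
"[16/Jun/2001:07:02:42 -0700]","PASS getright@","230"
"[16/Jun/2001:07:02:42 -0700]","SIZE /download/pc/blah4702.exe","550"
"[16/Jun/2001:07:02:42 -0700]","SIZE download/pc/blah4702.exe","550"
"[16/Jun/2001:07:02:43 -0700]","SIZE /download/pc/blah4703.exe","550"
"[16/Jun/2001:07:02:43 -0700]","SIZE download/pc/blah4703.exe","550"
"[16/Jun/2001:07:02:44 -0700]","SIZE /download/pc/blah4704.exe","550"
"[16/Jun/2001:07:02:44 -0700]","SIZE download/pc/blah4704.exe","550"
"""
LINE_RE = re.compile(r'^"\[([^\]]+)\]","(\S+)(?: (.*))?","(\d{3})"$')
NUM_RE = re.compile(r"^(.*?)(\d+)(\.[^./]*)?$")  # prefix, counter, extension

def longest_run(numbers):
    """Length of the longest run of consecutive integers in `numbers`."""
    best, run, prev = 0, 0, None
    for n in sorted(set(numbers)):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best, prev = max(best, run), n
    return best

def summarize(log, min_run=3):
    """Count failed logins and failed filename probes in one session's log."""
    failed_logins = raw_probes = 0
    paths, series = set(), defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or truncated lines
        verb, arg, code = m.group(2).upper(), m.group(3) or "", int(m.group(4))
        if verb == "PASS" and code == 530:      # 530: login rejected
            failed_logins += 1
        elif verb in ("SIZE", "RETR") and code == 550:  # 550: no such file
            raw_probes += 1
            path = "/" + arg.lstrip("/")  # fold the client's slash-less retry
            n = NUM_RE.match(path)
            if n and path not in paths:
                series[(n.group(1), n.group(3))].append(int(n.group(2)))
            paths.add(path)
    run = max((longest_run(v) for v in series.values()), default=0)
    return {"failed_logins": failed_logins, "raw_probes": raw_probes,
            "distinct_paths": len(paths), "longest_sequence": run,
            "enumeration": run >= min_run}
```

On the constructed sample the six 550 replies collapse to three distinct paths forming one numeric sequence, with no failed logins, which matches a filename-guessing pattern rather than password guessing.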
This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 16:24:40 PDT