RE: wu-ftpd attack???

From: M. den Braber (mauriceat_private)
Date: Tue Nov 26 2002 - 01:04:31 PST

Next message: Valdis.Kletnieksat_private: "Re: Proxy server hit... Any ideas?"

Previous message: Rodrigo Barbosa: "Re: wu-ftpd attack ???"
Next in thread: Bojan Zdrnja: "RE: wu-ftpd attack???"
Reply: Bojan Zdrnja: "RE: wu-ftpd attack???"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I just posted this in focus-linux a minute ago, looks the same:

>Hi guys,
>
>I'm fairly new to the lists so i hope i'm dropping it
>in the right one. ;-)
>
>Anyway,
>
>In my network there is a cobalt raq4 that is hosting several
>sites and today i noticed that in the last couple of days the
>number of connections shot through the roof. (Compared to usual ;) )
>
>When i take a look at the logs i noticed that someone
>is trying to login using an anonymous ftp account, which is,
>off course disabled.
>
>[log]
>Nov 25 10:37:53 koushaven proftpd[8479]: - FTP session opened.
>Nov 25 10:37:54 koushaven proftpd[8480]: - FTP session opened.
>Nov 25 10:37:54 koushaven proftpd[8481]: - FTP session opened.
>Nov 25 10:37:54 koushaven proftpd[8482]: - FTP session opened.
>Nov 25 10:37:54 koushaven proftpd[8484]: - FTP session opened.
>Nov 25 10:37:54 koushaven proftpd[8483]: - FTP session opened.
>Nov 25 10:37:54 koushaven proftpd[8485]: - FTP session opened.
>Nov 25 10:37:54 koushaven proftpd[8486]: - FTP session opened.
>Nov 25 10:37:55 koushaven proftpd[8487]: - FTP session opened.
>Nov 25 10:37:55 koushaven proftpd[8478]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8478]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8476]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8476]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8477]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8477]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8479]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8479]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8480]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8480]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8481]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8481]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8484]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8484]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8482]: - no such user 'anonymous'
>etc, etc, etc.
>[/log]
>
>This continues for a while, until:
>Nov 25 10:37:59 koushaven inetd[26588]: ftp/tcp server failing (looping),
service terminated
>
>After this, the procedure start all over again only this time the user is
>trying it from another IP adres.
>
>As i said, the cobalt is hosting several sites, each with their own IP.
>The user is also trying to use different IP's to log in with the anonymous
account.
>
>Any idea's?
>
>M. den Braber
>Kabelfoon/IGR


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Valdis.Kletnieksat_private: "Re: Proxy server hit... Any ideas?"
Previous message: Rodrigo Barbosa: "Re: wu-ftpd attack ???"
Next in thread: Bojan Zdrnja: "RE: wu-ftpd attack???"
Reply: Bojan Zdrnja: "RE: wu-ftpd attack???"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Nov 26 2002 - 13:39:29 PST