Full Version: Brute Force Attack on FTP
neonix
This is the proftpd report in my Logwatch :

proftpd-messages Begin

'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
disconnected
'hostname' (127.0.0.1[127.0.0.1]) - FTP no transfer timeout,
disconnected
'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
disconnected
xx.xx.xxx.232 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.233 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.231 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.234 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.238 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.235 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.232 (66.97.95.1[66.97.95.1]) - no such user 'user'
xx.xx.xxx.233 (66.97.95.1[66.97.95.1]) - no such user 'user'
xx.xx.xxx.231 (66.97.95.1[66.97.95.1]) - no such user 'user'
xx.xx.xxx.234 (66.97.95.1[66.97.95.1]) - no such user 'user'
xx.xx.xxx.238 (66.97.95.1[66.97.95.1]) - no such user 'user'
xx.xx.xxx.235 (66.97.95.1[66.97.95.1]) - no such user 'user'
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'leech'
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'leech'
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'leech'
'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
disconnected
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'admin'
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'admin'
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'admin'
'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
disconnected
'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
disconnected


Details of 66.97.95.1
Blacklist Status: Clear
Whois History: 3 records stored
Record Type: IP Address
IP Location: United States - Blue Mountain Internet
Reverse IP: Web server hosts 1 websites (reverse ip tool requires free login)
Reverse DNS: w1.bmi.net

1 domains found on 66.97.95.1
Showing all 1.

Website
www.Oddfellows.com

Looks like he has compromised a server...

The same person also tried to Brute Force into SSH but BFD took care of that. So what is he trying now and how do I stop him...

Thanks.
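An added example, not part of the original posts: a small Python parser for the Logwatch proftpd lines shown above that groups `no such user` failures by remote IP and flags sources guessing several distinct usernames. The function names and the `min_users` threshold are assumptions; the sample is an excerpt of the posted report.

```python
import re
from collections import defaultdict

# Entry shape seen in the report: local-target (remote-host[remote-ip]) - message
ENTRY = re.compile(r"^(?P<target>\S+) \((?P<host>[^\[\]]+)\[(?P<ip>[^\]]+)\]\) - (?P<msg>.*)$")
NO_USER = re.compile(r"no such user '(?P<user>[^']*)'")

# Excerpt of the report lines from the post above (not the complete report).
SAMPLE = """\
'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
disconnected
xx.xx.xxx.232 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.233 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.232 (66.97.95.1[66.97.95.1]) - no such user 'user'
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'leech'
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'admin'
"""

def unwrap(text):
    """Join Logwatch-wrapped continuation lines back onto their entry."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if ENTRY.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Per remote IP: failed-login count, usernames tried, local targets hit."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "targets": set()})
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        u = NO_USER.search(m["msg"]) if m else None
        if u:
            s = stats[m["ip"]]
            s["attempts"] += 1
            s["users"].add(u["user"])
            s["targets"].add(m["target"])
    return dict(stats)

def suspects(text, min_users=3):
    """Remote IPs that tried at least min_users distinct unknown usernames."""
    return sorted(ip for ip, s in summarize(text).items() if len(s["users"]) >= min_users)

if __name__ == "__main__":
    print(summarize(SAMPLE), suspects(SAMPLE))
```

Counting distinct usernames per source, rather than raw failures, separates a guessing run across several local addresses from one user mistyping a login name.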
JustGags
Make sure that you have an access control list for your FTP whereby you only allow certain usernames to log in (a.k.a. not root or pretty much any username that can log in via SSH).
bsdevious
Install BFD with APF, it will send those guys to /dev/null 8)
Paul
QUOTE (bsdevious)
Install BFD with APF, it will send those guys to /dev/null  8)

null0 ;)