[Dshield] FTP server strange logins

Dominik Składanowski dskladanowski at gmail.com
Mon Aug 21 20:35:06 GMT 2006


Thanks for the answer, Daniel.

>> Does anybody notice strange tests of your FTP
>> servers? It looks like
>> someone tries to log into the server, but without any
>> login name and
>> password.
>>
>> I have observed this scan for the second time in the last 2
>> weeks.
>>
>> Below I attached a fragment of my logwatch report.
>>
>> [ ... cut ... ]
>>
> I generally get a lot of those scans (in addition to
> the ssh ones), but your logs seem to be missing the
> user field at the end (the ruser is only used for
> su/sudo or when you change the users).. Does logwatch
> change them in any way?
>
> This is how I generally get them (see user at the
> end):
>
> vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=x.y.z.a  user=joan
>
> vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=x.y.z.a  user=marcia
>
> If you look at the vsftpd.log you will be able to
> see the attempted user names..

The logs look like this:

Aug 20 06:14:46 reaktor vsftpd(pam_unix)[19414]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=124.128.254.69

There is no username.

Regards

Dominik
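
Added example, not part of the original message: a small Python parser for the two pam_unix "authentication failure" layouts quoted in this thread, reporting per remote host which user names were tried and how many failures carried no user= field at all. The function names and the 192.0.2.10 documentation address (standing in for the masked x.y.z.a) are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Both layouts from the thread: "vsftpd: (pam_unix) ..." and "vsftpd(pam_unix)[pid]: ..."
FAILURE = re.compile(
    r"(?P<service>[\w.-]+)(?::\s*)?\(pam_unix\)(?:\[\d+\])?:?\s*"
    r"authentication failure;\s*(?P<fields>.*)"
)
FIELD = re.compile(r"(\w+)=(\S*)")  # value may be empty, e.g. "ruser="


def parse_failure(line):
    """Return the key=value fields of a pam_unix failure line, or None."""
    m = FAILURE.search(line)
    if m is None:
        return None
    fields = dict(FIELD.findall(m.group("fields")))
    fields["service"] = m.group("service")
    return fields


def summarize(lines):
    """Per remote host: user names tried, and count of failures lacking user=."""
    hosts = defaultdict(lambda: {"users": set(), "no_user": 0})
    for line in lines:
        f = parse_failure(line)
        if f is None or not f.get("rhost"):
            continue  # not a pam_unix failure, or no remote host recorded
        if f.get("user"):
            hosts[f["rhost"]]["users"].add(f["user"])
        else:
            hosts[f["rhost"]]["no_user"] += 1
    return dict(hosts)


# Constructed sample: the thread's three lines (re-joined, x.y.z.a replaced by
# a documentation address) plus one unrelated syslog line that must be ignored.
SAMPLE = [
    "Aug 20 06:14:46 reaktor vsftpd(pam_unix)[19414]: authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost=124.128.254.69",
    "vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= "
    "ruser= rhost=192.0.2.10  user=joan",
    "vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= "
    "ruser= rhost=192.0.2.10  user=marcia",
    "Aug 20 06:15:01 reaktor crond[19500]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for rhost, info in summarize(SAMPLE).items():
        print(rhost, "users:", sorted(info["users"]), "no user=:", info["no_user"])
```

Hosts with a non-zero "no user=" count are the ones worth cross-checking against vsftpd.log, as suggested in the quoted reply.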


