[Dshield] FTP server strange logins

hooper1 hooper1 at optonline.net
Tue Aug 22 00:33:14 GMT 2006


I think I had about 16,000 every 3 days per FTP server!
I run FileZilla Server on 20 or so 2003 boxes.

There is a brute force detection script at SourceForge
with one dependency, ActiveState Perl.

I run the script every hour using taskmanager, the script bans them all.
When the ban list gets too large the script is smart enough to start
using wildcards.

I must say it's neat stuff!, especially since I wrote it!!!

https://www.sourceforge.net/fzbfd


Glenn



----- Original Message ----- 
From: "Joel Esler" <eslerj at gmail.com>
To: "General DShield Discussion List" <list at lists.dshield.org>
Sent: Monday, August 21, 2006 8:55 AM
Subject: Re: [Dshield] FTP server strange logins


Dominik,

Yes, I get thousands of them a day (of course I run a honeypot to grab
them too), but I get thousands of them.  Only thing you can do about
it really is to block them at a firewall or something, but there are
so many attempts, I don't know how you would get around it.

J

On 8/21/06, Dominik Składanowski <dskladanowski at gmail.com> wrote:
> Hello list.
>
> Does anybody notice strange tests of your FTP servers? It looks like
> someone tries to log into the server, but without any login name and
> password.
>
> I have observed this scan for the second time in the last 2 weeks.
>
> Below I attached a fragment of my logwatch report.
>
> --------------------- pam_unix Begin ------------------------
>
> vsftpd:
>     Unknown Entries:
>        authentication failure; logname= uid=0 euid=0 tty= ruser=
> rhost=124.128.254.69 : 2283 Time(s)
>        check pass; user unknown: 2283 Time(s)
>
>
>   ---------------------- pam_unix End -------------------------
>
> Regards
>
> Dominik
>
> _________________________________________
>
> SANS Network Security 2006 - Las Vegas NV October 1st-9th.
> Wide selection of 1-6 Day Courses. Top Instructors!
>
> Details: isc.sans.org/clickcount.php?ad=1
> (use Brochurcode "ISC")
>
> "Best IT Security return on Investment" (Mario Chiock, Schlumberger)
> _______________________________________________
>


-- 
--Joel
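
The hourly scan-and-ban approach Glenn describes, sketched against the pam_unix failure lines from Dominik's report, as an added example that is not part of the original thread and is not code from fzbfd. The syslog prefix, the failure threshold, the list cap, the /24 wildcard rule and the allow-list are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter

# pam_unix failure text as it appears in the logwatch excerpt; the syslog
# prefix around it is an assumption and varies by distribution.
FAIL_RE = re.compile(
    r"vsftpd.*authentication failure;.*\brhost=(\d{1,3}(?:\.\d{1,3}){3})")

def count_failures(lines):
    """Count failed vsftpd logins per remote host."""
    hits = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def build_ban_list(hits, threshold=5, max_entries=4, allow=frozenset()):
    """Ban hosts with >= threshold failures. If the list outgrows max_entries,
    collapse /24s holding several offenders into a wildcard, except /24s that
    contain an allow-listed address."""
    banned = sorted(ip for ip, n in hits.items()
                    if n >= threshold and ip not in allow)
    if len(banned) <= max_entries:
        return banned
    protected = {ip.rsplit(".", 1)[0] for ip in allow}
    groups = {}
    for ip in banned:
        groups.setdefault(ip.rsplit(".", 1)[0], []).append(ip)
    result = []
    for prefix, ips in sorted(groups.items()):
        if len(ips) > 1 and prefix not in protected:
            result.append(prefix + ".*")
        else:
            result.extend(ips)
    return result

def sample_log():
    """Constructed log lines (documentation address ranges), not real data."""
    line = ("Aug 21 03:12:{:02d} ftp1 {}: pam_unix({}:auth): authentication "
            "failure; logname= uid=0 euid=0 tty= ruser= rhost={}")
    counts = {"203.0.113.10": 6, "203.0.113.11": 7, "203.0.113.12": 5,
              "198.51.100.7": 9, "192.0.2.44": 5, "192.0.2.45": 6,
              "192.0.2.99": 2}
    out = [line.format(i % 60, "vsftpd", "vsftpd", ip)
           for ip, n in counts.items() for i in range(n)]
    out.append(line.format(59, "sshd", "sshd", "198.51.100.7"))  # other service
    return out

if __name__ == "__main__":
    hits = count_failures(sample_log())
    print(build_ban_list(hits, allow={"192.0.2.50"}))
```

The allow-list check matters once wildcards are in play: a /24 ban that covers a legitimate user's address locks them out along with the scanners.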
