Re: 2300 FTP accesses from Korea

[ecofsky () generux com]

One of our clients experienced something similar a few weeks ago on
one IP from India, and another from I believe Korea as well.
Until we set tcpwrappers to dump all connections from these addresses,
inetd effectively shuts down FTP, causing a DoS on FTP.  Even after
denying access, however, each made several hundred more attempts per
hour for a few days.

I did notice that both IPs were assigned to IIS boxes whose home pages
were identical anti-Chinese messages, so they were probably both
cracked boxen.

On Sun, Jun 17, 2001 at 10:48:41PM -0700, Gregory McCann wrote:
> Our log files show that someone at two different Korean ip addresses tried to access our ftp server (ProFTPD 1.2.0) 
> over 2,300 times on Saturday.  What's the point?  Attempted denial of service maybe?  There does not seem to be any 
> damage or breakin attempts.
>
> First, someone at 211.203.38.222 made several connections per minute for nearly four hours.  Then ten hours later, 
> someone at 211.247.56.102 did the same thing for about 25 minutes.
>
> ftp      ftpd22972    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
> ftp      ftpd22971    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
> ftp      ftpd22970    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
> etc...
>
> ftp      ftpd23704    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
> ftp      ftpd23703    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
> ftp      ftpd23702    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
> etc...
>
> 211.203.38.222 is registered to Hanaro Telecom, Inc. in Seoul.  http://www.hananet.net/main.htm
>
> I couldn't locate 211.247.56.102 because the Korean whois server is dead at the moment.
>
> Also, looking back a little farther in the logs, I see 537 attempts from 211.203.39.147 on 6/13.
>
> Greg

-- 
Evan Cofsky, President
Generux Consulting, DSA Master Key 892E05A0
ecofsky () generux com, DSA Key DA253F39
http://www.generux.com