Security Incidents mailing list archives
Re: ProFTPD Scan?
From: X <falken () AREA66 COM>
Date: Mon, 12 Mar 2001 20:14:55 +0100
Hello,

I found something similar when I was analyzing some logs after an rpc.statd intrusion. My network consists of some machines in a NIS domain and some others isolated from that domain, with local users. The intruder entered in an isolated machine and ran a sniffer. He/she captured several login/passwords from the NIS domain and tested to connect to the cracked isolated machine with no success. He/she thought (perhaps) that this machine was part of the NIS domain. It wasn't.

I hope it would help you in some way. Revise your logs and some binaries' timestamps, they usually use some form of rootkit.

bye

Xavi Torres
falken () area66 com

Kurth Bemis wrote:
I found these in today's logs - notice the times "15:32:13", that's four hits at the same time, and then two at a different time. Looks like a DoS attempt too (although I've been known to have been wrong).

In today's logs.

Mar 12 15:30:28 trinity proftpd[19132]: trinity (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login failed): Can't find user.
Mar 12 15:32:13 trinity proftpd[19147]: trinity (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login failed): Can't find user.
Mar 12 15:32:13 trinity proftpd[19148]: trinity (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login failed): Can't find user.
Mar 12 15:30:28 trinity proftpd[19132]: trinity (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login failed): Can't find user.
Mar 12 15:32:13 trinity proftpd[19147]: trinity (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login failed): Can't find user.
Mar 12 15:32:13 trinity proftpd[19148]: trinity (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login failed): Can't find user.

Can anyone provide insight?

~kurth
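
Added example, not part of either post: a small triage script for ProFTPD "Login failed" syslog lines like the ones quoted above. It reports, per source address, the raw line count, the number of distinct sessions, and the peak number of sessions inside a short window. The function name, the 5-second window, the year 2001 (taken from the mail date, since syslog omits it) and the choice to count lines repeating the same PID and timestamp once are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input rebuilt from the six log lines in the quoted post, same order.
SAMPLE = "\n".join(
    f"Mar 12 {t} trinity proftpd[{pid}]: trinity "
    "(AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - "
    "USER ftp (Login failed): Can't find user."
    for t, pid in [("15:30:28", 19132), ("15:32:13", 19147), ("15:32:13", 19148)] * 2
)

# timestamp, host, proftpd[pid], server name, (client-name[client-ip]), USER x (Login failed)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+proftpd\[(?P<pid>\d+)\]:\s+\S+\s+"
    r"\([^\[\]]*\[(?P<ip>[^\]]+)\]\)\s+-\s+USER\s+(?P<user>\S+)\s+\(Login failed\)"
)

def summarize(text, window_s=5, year=2001):
    """Per source IP: raw lines, distinct sessions, peak sessions per window, users tried."""
    lines = defaultdict(int)
    sessions = defaultdict(set)   # ip -> {(pid, timestamp)}; repeated lines collapse here
    users = defaultdict(set)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue              # not a ProFTPD failed-login line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        lines[m["ip"]] += 1
        sessions[m["ip"]].add((int(m["pid"]), ts))
        users[m["ip"]].add(m["user"])
    report = {}
    for ip, sess in sessions.items():
        times = sorted(ts for _pid, ts in sess)
        peak = start = 0
        for end, t in enumerate(times):   # sliding window over sorted session times
            while t - times[start] > timedelta(seconds=window_s):
                start += 1
            peak = max(peak, end - start + 1)
        report[ip] = {"lines": lines[ip], "sessions": len(sess),
                      "peak": peak, "users": sorted(users[ip])}
    return report

if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE).items():
        print(ip, stats)
```

On the quoted lines this reports 6 lines but 3 distinct sessions for the single source address, because each PID and timestamp pair appears twice in the paste.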