Security Incidents mailing list archives
Attempted FTP intrusion
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 31 Jan 2007 09:43:22 -0800
Around 4:45am(PST) this morning, a particular machine belonging to a Korean advertising company ("VAAN") began connecting to our public addresses on TCP port 21 (FTP). (It may have spent some time earlier trying to connect to our DHCP ranges and getting dropped at the border routers.)

From about 7:50am(PST), it began to randomly try passwords to log on as "Admin" or "Guest" to the various systems it had found. None of these login attempts had succeeded when I blocked inbound traffic from that address around 8:50am(PST).

Although none of the login attempts succeeded, on some machines it also attempted to remove a directory named "sarcaxxo". This links it to incidents reported by other sites as far back as the beginning of November 2006. Nobody yet seems to know what's behind this.

David Gillett
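An added example, not part of the original post: a Python script that scans FTP command logs for the pattern the message above describes (failed logins as "Admin" or "Guest", and an attempt to remove a directory named "sarcaxxo"). The log format, addresses and failure threshold are constructed for illustration, and matching names case-insensitively is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical format (not any real server's):
#   <time> <client-ip> <server-ip> <FTP command> <argument> <reply code>
SAMPLE_LOG = """\
07:50:01 203.0.113.7 192.0.2.10 USER Admin 331
07:50:02 203.0.113.7 192.0.2.10 PASS **** 530
07:50:03 203.0.113.7 192.0.2.10 USER Guest 331
07:50:04 203.0.113.7 192.0.2.10 PASS **** 530
07:50:05 203.0.113.7 192.0.2.10 RMD sarcaxxo 530
07:50:09 203.0.113.7 192.0.2.11 USER admin 331
07:50:10 203.0.113.7 192.0.2.11 PASS **** 530
08:02:30 198.51.100.4 192.0.2.10 USER alice 331
08:02:31 198.51.100.4 192.0.2.10 PASS **** 230
08:02:40 198.51.100.4 192.0.2.10 RMD old_reports 250
""".splitlines()

LINE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Za-z]+) (\S+) (\d{3})$")
WATCHED_USERS = {"admin", "guest"}   # account names from the report (case-folded: assumption)
MARKER_DIR = "sarcaxxo"              # directory name from the report

def scan(lines, min_failures=3):
    """Return {client_ip: summary} for clients matching the reported pattern."""
    stats = defaultdict(lambda: {"failures": 0, "servers": set(), "marker_rmd": False})
    last_user = {}                   # (client, server) -> last USER argument seen
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                 # skip lines that are not in the expected format
        _, client, server, cmd, arg, code = m.groups()
        cmd = cmd.upper()
        if cmd == "USER":
            last_user[(client, server)] = arg.lower()
        elif cmd == "PASS" and code == "530":          # 530 = not logged in
            if last_user.get((client, server)) in WATCHED_USERS:
                stats[client]["failures"] += 1
                stats[client]["servers"].add(server)
        elif cmd == "RMD" and arg.rstrip("/").rsplit("/", 1)[-1].lower() == MARKER_DIR:
            stats[client]["marker_rmd"] = True         # flagged even if the RMD was refused
            stats[client]["servers"].add(server)
    return {c: s for c, s in stats.items()
            if s["marker_rmd"] or s["failures"] >= min_failures}

if __name__ == "__main__":
    for client, s in scan(SAMPLE_LOG).items():
        print(client, s["failures"], sorted(s["servers"]), s["marker_rmd"])
```

Aggregating per client across servers matters here because the reported source spread its attempts over many FTP hosts, so a per-host failure count alone could stay below any lockout threshold.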