Security Incidents mailing list archives

Attempted FTP intrusion


From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 31 Jan 2007 09:43:22 -0800

  Around 4:45am(PST) this morning, a particular machine belonging to
a Korean advertising company ("VAAN") began connecting to our
public addresses on TCP port 21 (FTP).  (It may have spent some time 
earlier trying to connect to our DHCP ranges and getting dropped at
the border routers.)
  From about 7:50am(PST), it began to randomly try passwords to log
on as "Admin" or "Guest" to the various systems it had found.  None
of these login attempts had succeeded when I blocked inbound traffic 
from that address around 8:50am(PST).

  Although none of the login attempts succeeded, on some machines it 
also attempted to remove a directory named "sarcaxxo".  This links it
to incidents reported by other sites as far back as the beginning of
November 2006.  Nobody yet seems to know what's behind this.

David Gillett
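
The pattern reported above (failed "Admin"/"Guest" logins spread across several FTP servers, plus an attempt to remove "sarcaxxo") can be searched for in server logs. This is an added example, not part of the original post: the log format, server names, addresses and thresholds are constructed assumptions, and only the account names and the directory name come from the report.

```python
import re
from collections import defaultdict

# Constructed sample, hypothetical normalized format (not a real server's log):
# <time> <server> <client_ip> <FTP command, uppercase> <argument> <reply code>
SAMPLE_LOG = """\
2007-01-31T07:50:02 ftp1 203.0.113.7 USER Admin 331
2007-01-31T07:50:03 ftp1 203.0.113.7 PASS **** 530
2007-01-31T07:50:05 ftp1 203.0.113.7 USER Guest 331
2007-01-31T07:50:06 ftp1 203.0.113.7 PASS **** 530
2007-01-31T07:50:07 ftp1 203.0.113.7 RMD sarcaxxo 530
2007-01-31T07:51:10 ftp2 203.0.113.7 USER Admin 331
2007-01-31T07:51:11 ftp2 203.0.113.7 PASS **** 530
2007-01-31T08:03:00 ftp2 198.51.100.9 USER guest 331
2007-01-31T08:03:01 ftp2 198.51.100.9 PASS **** 530
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
TARGET_USERS = {"admin", "guest"}   # account names from the report
MARKER_DIR = "sarcaxxo"             # directory name from the report

def flag_sources(log_text, min_failed=3, min_servers=2):
    """Return {client_ip: summary} for sources matching the reported pattern."""
    stats = defaultdict(lambda: {"failed": 0, "servers": set(), "marker": False})
    last_user = {}  # (server, client) -> most recent USER argument
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        _ts, server, client, cmd, arg, code = m.groups()
        if cmd == "USER":
            last_user[(server, client)] = arg.lower()
        elif (cmd == "PASS" and code == "530"
              and last_user.get((server, client)) in TARGET_USERS):
            stats[client]["failed"] += 1
            stats[client]["servers"].add(server)
        elif cmd == "RMD" and arg.strip("/").lower() == MARKER_DIR:
            stats[client]["marker"] = True
            stats[client]["servers"].add(server)
    flagged = {}
    for client, s in stats.items():
        sweep = s["failed"] >= min_failed and len(s["servers"]) >= min_servers
        if s["marker"] or sweep:  # marker alone is enough; guessing needs volume
            flagged[client] = {**s, "servers": sorted(s["servers"])}
    return flagged

if __name__ == "__main__":
    for ip, summary in flag_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The directory-removal attempt is treated as sufficient on its own because it is the detail that ties a source to the earlier reports, while a single mistyped "guest" password from one client is not flagged.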

