Security Incidents mailing list archives

RE: 2300 FTP accesses from Korea

From: "Obert, Jack E." <JObert () sprg smhs com>
Date: Mon, 18 Jun 2001 14:36:34 -0500

What are the associated UID's...  Could this be a brute force using a
package like BrutusA2?

 
Jack E. Obert, GSEC 
Technical Information Security Officer 
St. John's Health System 


-----Original Message-----
From: Gregory McCann [mailto:cambria () owt com]
Sent: Monday, June 18, 2001 12:49 AM
To: incidents () securityfocus com
Subject: 2300 FTP accesses from Korea


Our log files show that someone at two different Korean ip addresses tried
to access our ftp server (ProFTPD 1.2.0) over 2,300 times on Saturday.
What's the point?  Attempted denial of service maybe?  There does not seem
to be any damage or breakin attempts.

First, someone at 211.203.38.222 made several connections per minute for
nearly four hours.  Then ten hours later, someone at 211.247.56.102 did the
same thing for about 25 minutes.

ftp      ftpd22972    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
ftp      ftpd22971    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
ftp      ftpd22970    Sat Jun 16 10:07 - 10:07  (00:00)     211.203.38.222
etc...

ftp      ftpd23704    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
ftp      ftpd23703    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
ftp      ftpd23702    Sat Jun 16 20:08 - 20:08  (00:00)     211.247.56.102
etc...

211.203.38.222 is registered to Hanaro Telecom, Inc. in Seoul.
http://www.hananet.net/main.htm

I couldn't locate 211.247.56.102 because the Korean whois server is dead at
the moment.

Also, looking back a little farther in the logs, I see 537 attempts from
211.203.39.147 on 6/13.

Greg

Current thread:

RE: 2300 FTP accesses from Korea Obert, Jack E. (Jun 18)
- <Possible follow-ups>
- RE: 2300 FTP accesses from Korea Gregory McCann (Jun 18)
  - RE: 2300 FTP accesses from Korea Tom Laermans (Jun 19)