Security Incidents mailing list archives
RE: 2300 FTP accesses from Korea
From: "Gregory McCann" <cambria () owt com>
Date: Mon, 18 Jun 2001 14:15:55 -0700
On 6/18/2001 at 3:36 PM Hicks, John wrote:
Did you cross-reference these entries with your failed logons? At first I would suspect a brute-force attack
Thanks to everyone for the excellent suggestions. I dug a little deeper and found that this was indeed a brute force attack. But not for user id and password. They always logged in as the anonymous user. What they were trying to get to was a hidden file on this site. (All directory listings are hidden and the user must know the exact filename to be able to download.)

Check this out... Edited for space and clarity (and a little obfuscation). All connections are from 211.203.38.222.

"[16/Jun/2001:07:02:42 -0700]","USER anonymous","331"
"[16/Jun/2001:07:02:42 -0700]","TYPE I","200"
"[16/Jun/2001:07:02:42 -0700]","PASS getright@","230"
"[16/Jun/2001:07:02:42 -0700]","SIZE /download/pc/blah4702.exe","550"
"[16/Jun/2001:07:02:42 -0700]","SIZE download/pc/blah4702.exe","550"
"[16/Jun/2001:07:02:43 -0700]","SIZE /download/pc/blah4703.exe","550"
"[16/Jun/2001:07:02:43 -0700]","SIZE download/pc/blah4703.exe","550"
"[16/Jun/2001:07:02:50 -0700]","SIZE /download/pc/blah4704.exe","550"
"[16/Jun/2001:07:02:50 -0700]","SIZE download/pc/blah4704.exe","550"
"[16/Jun/2001:07:02:50 -0700]","SIZE /download/pc/blah4705.exe","550"
"[16/Jun/2001:07:02:51 -0700]","SIZE download/pc/blah4705.exe","550"
"[16/Jun/2001:07:02:57 -0700]","SIZE /download/pc/blah4706.exe","550"
"[16/Jun/2001:07:02:57 -0700]","SIZE /download/pc/blah4707.exe","550"
"[16/Jun/2001:07:02:57 -0700]","SIZE download/pc/blah4706.exe","550"
"[16/Jun/2001:07:02:58 -0700]","SIZE download/pc/blah4707.exe","550"
"[16/Jun/2001:07:03:04 -0700]","SIZE /download/pc/blah4708.exe","550"
"[16/Jun/2001:07:03:04 -0700]","SIZE download/pc/blah4708.exe","550"
"[16/Jun/2001:07:03:05 -0700]","SIZE /download/pc/blah4709.exe","550"
"[16/Jun/2001:07:03:05 -0700]","SIZE download/pc/blah4709.exe","550"
"[16/Jun/2001:07:03:12 -0700]","SIZE /download/pc/blah4710.exe","550"
"[16/Jun/2001:07:03:12 -0700]","SIZE download/pc/blah4710.exe","550"

etc...

Greg
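
Added example, not part of the original message: one way to flag this pattern automatically in a log with the same three-field layout, by grouping failed file probes whose names differ only in a counter. The function name, the inclusion of RETR and MDTM alongside SIZE, the run threshold, and the sample log (modelled on the excerpt, with one constructed successful lookup) are assumptions.

```python
import csv
import io
import re

# Constructed sample in the same three-field layout as the excerpt above.
SAMPLE_LOG = '''\
"[16/Jun/2001:07:02:42 -0700]","USER anonymous","331"
"[16/Jun/2001:07:02:42 -0700]","PASS getright@","230"
"[16/Jun/2001:07:02:42 -0700]","SIZE /download/pc/blah4702.exe","550"
"[16/Jun/2001:07:02:42 -0700]","SIZE download/pc/blah4702.exe","550"
"[16/Jun/2001:07:02:43 -0700]","SIZE /download/pc/blah4703.exe","550"
"[16/Jun/2001:07:02:50 -0700]","SIZE /download/pc/blah4704.exe","550"
"[16/Jun/2001:07:02:50 -0700]","SIZE /download/pc/blah4705.exe","550"
"[16/Jun/2001:07:02:57 -0700]","SIZE /download/pc/readme.txt","213"
'''

# Splits a path into the text before its last digit run, the digits, and the rest.
NUMBERED = re.compile(r"^(.*?)(\d+)(\D*)$")

def find_enumeration(log_text, min_run=4):
    """Return [(pattern, first, last, distinct_count)] for failed sequential probes."""
    probes = {}  # (prefix, suffix) -> set of counter values that got a 550
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 3:
            continue  # skip blank or malformed lines
        _ts, command, status = row
        verb, _, arg = command.partition(" ")
        if verb.upper() not in ("SIZE", "RETR", "MDTM") or status != "550":
            continue
        # The client tries each name with and without a leading slash; fold them.
        m = NUMBERED.match(arg.lstrip("/"))
        if m:
            probes.setdefault((m.group(1), m.group(3)), set()).add(int(m.group(2)))
    findings = []
    for (prefix, suffix), numbers in probes.items():
        ordered = sorted(numbers)
        # Longest run of consecutive counter values for this name pattern.
        best = run = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            findings.append((f"{prefix}<N>{suffix}", ordered[0], ordered[-1], len(ordered)))
    return findings

if __name__ == "__main__":
    for pattern, first, last, count in find_enumeration(SAMPLE_LOG):
        print(f"enumeration of {pattern}: {count} names, {first}..{last}")
```

On a real log, group the rows by client address or session first, since the excerpt's layout carries no address field.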