Security Incidents mailing list archives

RE: 2300 FTP accesses from Korea


From: "Gregory McCann" <cambria () owt com>
Date: Mon, 18 Jun 2001 14:15:55 -0700

On 6/18/2001 at 3:36 PM Hicks, John wrote:

Did you cross-reference these entries with your failed logons?  At first I
would suspect a brute-force attack

Thanks to everyone for the excellent suggestions.  I dug a little deeper and found that this was indeed a brute force attack.

But not for user id and password.  They always logged in as the anonymous user.  What they were trying to get to was a hidden file on this site.  (All directory listings are hidden and the user must know the exact filename to be able to download.)

Check this out...

Edited for space and clarity (and a little obfuscation).  All connections are from 211.203.38.222.

"[16/Jun/2001:07:02:42 -0700]","USER anonymous","331"
"[16/Jun/2001:07:02:42 -0700]","TYPE I","200"
"[16/Jun/2001:07:02:42 -0700]","PASS getright@","230"
"[16/Jun/2001:07:02:42 -0700]","SIZE /download/pc/blah4702.exe","550"
"[16/Jun/2001:07:02:42 -0700]","SIZE download/pc/blah4702.exe","550"
"[16/Jun/2001:07:02:43 -0700]","SIZE /download/pc/blah4703.exe","550"
"[16/Jun/2001:07:02:43 -0700]","SIZE download/pc/blah4703.exe","550"
"[16/Jun/2001:07:02:50 -0700]","SIZE /download/pc/blah4704.exe","550"
"[16/Jun/2001:07:02:50 -0700]","SIZE download/pc/blah4704.exe","550"
"[16/Jun/2001:07:02:50 -0700]","SIZE /download/pc/blah4705.exe","550"
"[16/Jun/2001:07:02:51 -0700]","SIZE download/pc/blah4705.exe","550"
"[16/Jun/2001:07:02:57 -0700]","SIZE /download/pc/blah4706.exe","550"
"[16/Jun/2001:07:02:57 -0700]","SIZE /download/pc/blah4707.exe","550"
"[16/Jun/2001:07:02:57 -0700]","SIZE download/pc/blah4706.exe","550"
"[16/Jun/2001:07:02:58 -0700]","SIZE download/pc/blah4707.exe","550"
"[16/Jun/2001:07:03:04 -0700]","SIZE /download/pc/blah4708.exe","550"
"[16/Jun/2001:07:03:04 -0700]","SIZE download/pc/blah4708.exe","550"
"[16/Jun/2001:07:03:05 -0700]","SIZE /download/pc/blah4709.exe","550"
"[16/Jun/2001:07:03:05 -0700]","SIZE download/pc/blah4709.exe","550"
"[16/Jun/2001:07:03:12 -0700]","SIZE /download/pc/blah4710.exe","550"
"[16/Jun/2001:07:03:12 -0700]","SIZE download/pc/blah4710.exe","550"

etc...

Greg
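
The pattern in the log excerpt above (anonymous login followed by failed SIZE lookups on filenames that differ only by a counter) can be flagged from the same log format. This is an added example, not part of the original post; the function name find_filename_guessing and the min_run threshold are assumptions, and the sample lines are constructed in the format of the excerpt.

```python
import csv
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the post above.
SAMPLE_LOG = '''\
"[16/Jun/2001:07:02:42 -0700]","USER anonymous","331"
"[16/Jun/2001:07:02:42 -0700]","PASS getright@","230"
"[16/Jun/2001:07:02:42 -0700]","SIZE /download/pc/blah4702.exe","550"
"[16/Jun/2001:07:02:42 -0700]","SIZE download/pc/blah4702.exe","550"
"[16/Jun/2001:07:02:43 -0700]","SIZE /download/pc/blah4703.exe","550"
"[16/Jun/2001:07:02:50 -0700]","SIZE /download/pc/blah4704.exe","550"
"[16/Jun/2001:07:02:57 -0700]","SIZE /download/pc/blah4706.exe","550"
"[16/Jun/2001:07:02:57 -0700]","SIZE /download/pc/blah4705.exe","550"
"[16/Jun/2001:07:03:10 -0700]","SIZE /pub/readme.txt","213"
'''

COUNTER = re.compile(r"^(.*?)(\d+)(\D*)$")  # prefix, last digit run, suffix

def find_filename_guessing(log_text, min_run=4):
    """Return {template: (first, last, tries)} for failed SIZE/RETR probes
    whose names differ only by a counter covering >= min_run consecutive values."""
    probes = defaultdict(set)
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 3:
            continue  # skip blank or malformed lines
        _, command, status = row
        verb, _, path = command.partition(" ")
        if verb.upper() not in ("SIZE", "RETR") or status != "550":
            continue  # only failed file lookups are of interest
        m = COUNTER.match(path.lstrip("/"))  # "/a/b" and "a/b" count as one guess
        if m:
            probes[m.group(1) + "{n}" + m.group(3)].add(int(m.group(2)))
    findings = {}
    for template, numbers in probes.items():
        ordered = sorted(numbers)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1  # length of consecutive streak
            best = max(best, run)
        if best >= min_run:
            findings[template] = (ordered[0], ordered[-1], len(ordered))
    return findings

if __name__ == "__main__":
    for template, (lo, hi, tries) in find_filename_guessing(SAMPLE_LOG).items():
        print(f"{template}: {tries} failed guesses, counter {lo}..{hi}")
```

Run per source address and per session; a hit on a template means someone is walking a numbered filename space, which failed-logon counts alone will not show.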




