Re: ProFTPD Scan?

[Janek Shein <janek () lib ttu ee>]

On 12 March, 2001, 19:28:42, Kurth wrote something like:

> I found these in todays logs - notice the times "15:32:13"  thats four hits
> at the same time. and then two at a different time.  Looks like a DoS
> attempt to (although i've been known to have been wrong).

> In today's logs.

> Mar 12 15:30:28 trinity proftpd[19132]: trinity
> (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login
> failed): Can't find user.
> Mar 12 15:32:13 trinity proftpd[19147]: trinity
> (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login
> failed): Can't find user.
> Mar 12 15:32:13 trinity proftpd[19148]: trinity
> (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login
> failed): Can't find user.
> Mar 12 15:30:28 trinity proftpd[19132]: trinity
> (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login
> failed): Can't find user.
> Mar 12 15:32:13 trinity proftpd[19147]: trinity
> (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login
> failed): Can't find user.
> Mar 12 15:32:13 trinity proftpd[19148]: trinity
> (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login
> failed): Can't find user.

> Can anyone provide insight?

> ~kurth
Don't think so. Maybe just this sort of ftp client (or a regular
web-browser for example). Some (like cuteftp) try to reconnect if
connection fails. With no delay set it would produce about the same
results. And considering these 'probes' - you are not the only one
that suffers. Every once in a while i see lines like that in my logs.
(Occasionally attempts to log on as 'root', 'test', etc. follow too,
but that's not the case now) And i am more than sure that there are
others with the same situation. So in case if that was all there was
i see nothing to be alarmed about.




--
rgdz,
Janek@proftpd