Security Incidents mailing list archives

Re: ProFTPD Scan?


From: X <falken () AREA66 COM>
Date: Mon, 12 Mar 2001 20:14:55 +0100

Hello,
I found something similar when I was analyzing some logs after an rpc.statd
intrusion. My network consists of some machines in a NIS domain and some
others isolated from that domain, with local users. The intruder entered an
isolated machine and ran a sniffer. He/she captured several logins/passwords
from the NIS domain and tried to connect to the cracked isolated machine with
no success. He/she thought (perhaps) that this machine was part of the NIS
domain. It wasn't.  I hope it helps you in some way. Check your logs
and some binaries' timestamps; they usually use some form of rootkit.

bye

Xavi Torres
falken () area66 com


Kurth Bemis wrote:

I found these in today's logs - notice the times "15:32:13"; that's four hits
at the same time, and then two at a different time.  Looks like a DoS
attempt too (although I've been known to have been wrong).

In today's logs.

Mar 12 15:30:28 trinity proftpd[19132]: trinity (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login failed): Can't find user.
Mar 12 15:32:13 trinity proftpd[19147]: trinity (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login failed): Can't find user.
Mar 12 15:32:13 trinity proftpd[19148]: trinity (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login failed): Can't find user.
Mar 12 15:30:28 trinity proftpd[19132]: trinity (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login failed): Can't find user.
Mar 12 15:32:13 trinity proftpd[19147]: trinity (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login failed): Can't find user.
Mar 12 15:32:13 trinity proftpd[19148]: trinity (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login failed): Can't find user.

Can anyone provide insight?

~kurth
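The six proftpd lines Kurth posted, run through a small triage script. This is an added example written for this archive page, not code from either poster. It parses the "Login failed" lines, collapses exact repeats (same second, same pid, same source and user), and groups what remains by source address, reporting how many distinct proftpd children one host opened in the same second and whether the host only ever tried the anonymous "ftp" account. The duplicate rule and the anonymous-probe heuristic are this example's own assumptions; the sample input is the log quoted above with the mailer's line wrapping undone.

```python
import re
from collections import defaultdict

# The six proftpd lines quoted in Kurth's message, with the wrapped
# lines rejoined (taken from the post above, not constructed).
SAMPLE_LOG = """\
Mar 12 15:30:28 trinity proftpd[19132]: trinity (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login failed): Can't find user.
Mar 12 15:32:13 trinity proftpd[19147]: trinity (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login failed): Can't find user.
Mar 12 15:32:13 trinity proftpd[19148]: trinity (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login failed): Can't find user.
Mar 12 15:30:28 trinity proftpd[19132]: trinity (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login failed): Can't find user.
Mar 12 15:32:13 trinity proftpd[19147]: trinity (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login failed): Can't find user.
Mar 12 15:32:13 trinity proftpd[19148]: trinity (AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login failed): Can't find user.
"""

# Field layout of a proftpd "Login failed" syslog line as it appears above:
# timestamp, server host, pid, server host again, (client-host[client-ip]),
# the USER name sent, and the failure reason.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ proftpd\[(?P<pid>\d+)\]: "
    r"\S+ \((?P<host>[^()\[\]]*)\[(?P<ip>[\d.]+)\]\) - "
    r"USER (?P<user>\S+) \(Login failed\): (?P<reason>.*)$"
)


def parse_failed_logins(text):
    """Return (events, dropped): one dict per distinct failed login and the
    number of exact duplicate lines discarded. Assumption of this example:
    a line whose timestamp, pid, source IP and user all match an earlier
    one is a copy of the same event, since one proftpd child (pid) does
    not fail the same USER twice within the same second."""
    events, seen, dropped = [], set(), 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a failed-login line; ignore it
        ev = m.groupdict()
        key = (ev["ts"], ev["pid"], ev["ip"], ev["user"])
        if key in seen:
            dropped += 1
            continue
        seen.add(key)
        events.append(ev)
    return events, dropped


def summarize_by_source(events):
    """Group distinct events by source IP: attempt count, the user names
    tried, and every second in which that source produced more than one
    proftpd child. Each child is a separate TCP connection, so several
    pids in one second means several simultaneous connections rather
    than retries over one session."""
    per_ip = defaultdict(
        lambda: {"attempts": 0, "users": set(), "per_second": defaultdict(set)}
    )
    for ev in events:
        rec = per_ip[ev["ip"]]
        rec["attempts"] += 1
        rec["users"].add(ev["user"])
        rec["per_second"][ev["ts"]].add(ev["pid"])

    summary = {}
    for ip, rec in per_ip.items():
        bursts = {ts: len(pids) for ts, pids in rec["per_second"].items() if len(pids) > 1}
        summary[ip] = {
            "attempts": rec["attempts"],
            "users": sorted(rec["users"]),
            "bursts": bursts,
            # Heuristic (this example's assumption): a source that only ever
            # sends USER ftp/anonymous is checking for anonymous FTP access,
            # not guessing passwords for real accounts.
            "anonymous_probe_only": rec["users"] <= {"ftp", "anonymous"},
        }
    return summary


if __name__ == "__main__":
    events, dropped = parse_failed_logins(SAMPLE_LOG)
    print(f"{len(events)} distinct failed logins, {dropped} duplicate line(s) dropped")
    for ip, s in summarize_by_source(events).items():
        print(ip, s)
```

On the lines above this yields three distinct events from one host, two of them in the same second, all for USER ftp; the same script run over a full day's log shows quickly whether a host moved on to other user names or other hosts joined in.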

