Security Incidents mailing list archives
RE: wu-ftpd attack???
From: "M. den Braber" <maurice () office igr nl>
Date: Tue, 26 Nov 2002 10:04:31 +0100
I just posted this in focus-linux a minute ago, looks the same:
Hi guys, I'm fairly new to the lists so i hope i'm dropping it in the right one. ;-) Anyway, In my network there is a cobalt raq4 that is hosting several sites and today i noticed that in the last couple of days the number of connections shot through the roof. (Compared to usual ;) ) When i take a look at the logs i noticed that someone is trying to login using an anonymous ftp account, which is, off course disabled. [log] Nov 25 10:37:53 koushaven proftpd[8479]: - FTP session opened. Nov 25 10:37:54 koushaven proftpd[8480]: - FTP session opened. Nov 25 10:37:54 koushaven proftpd[8481]: - FTP session opened. Nov 25 10:37:54 koushaven proftpd[8482]: - FTP session opened. Nov 25 10:37:54 koushaven proftpd[8484]: - FTP session opened. Nov 25 10:37:54 koushaven proftpd[8483]: - FTP session opened. Nov 25 10:37:54 koushaven proftpd[8485]: - FTP session opened. Nov 25 10:37:54 koushaven proftpd[8486]: - FTP session opened. Nov 25 10:37:55 koushaven proftpd[8487]: - FTP session opened. Nov 25 10:37:55 koushaven proftpd[8478]: - no such user 'anonymous' Nov 25 10:37:55 koushaven proftpd[8478]: - no such user 'anonymous' Nov 25 10:37:55 koushaven proftpd[8476]: - no such user 'anonymous' Nov 25 10:37:55 koushaven proftpd[8476]: - no such user 'anonymous' Nov 25 10:37:55 koushaven proftpd[8477]: - no such user 'anonymous' Nov 25 10:37:55 koushaven proftpd[8477]: - no such user 'anonymous' Nov 25 10:37:55 koushaven proftpd[8479]: - no such user 'anonymous' Nov 25 10:37:55 koushaven proftpd[8479]: - no such user 'anonymous' Nov 25 10:37:55 koushaven proftpd[8480]: - no such user 'anonymous' Nov 25 10:37:55 koushaven proftpd[8480]: - no such user 'anonymous' Nov 25 10:37:55 koushaven proftpd[8481]: - no such user 'anonymous' Nov 25 10:37:55 koushaven proftpd[8481]: - no such user 'anonymous' Nov 25 10:37:55 koushaven proftpd[8484]: - no such user 'anonymous' Nov 25 10:37:55 koushaven proftpd[8484]: - no such user 'anonymous' Nov 25 10:37:55 koushaven proftpd[8482]: - no such user 'anonymous' etc, etc, etc. [/log] This continues for a while, until: Nov 25 10:37:59 koushaven inetd[26588]: ftp/tcp server failing (looping),
service terminated
After this, the procedure start all over again only this time the user is trying it from another IP adres. As i said, the cobalt is hosting several sites, each with their own IP. The user is also trying to use different IP's to log in with the anonymous
account.
Any idea's? M. den Braber Kabelfoon/IGR
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- RE: wu-ftpd attack??? M. den Braber (Nov 27)
- RE: wu-ftpd attack??? Bojan Zdrnja (Nov 27)