Security Incidents mailing list archives

RE: wu-ftpd attack???


From: "M. den Braber" <maurice () office igr nl>
Date: Tue, 26 Nov 2002 10:04:31 +0100

I just posted this in focus-linux a minute ago, looks the same:

Hi guys,

I'm fairly new to the lists so I hope I'm dropping it
in the right one. ;-)

Anyway,

In my network there is a Cobalt RaQ4 that is hosting several
sites and today I noticed that in the last couple of days the
number of connections shot through the roof. (Compared to usual ;) )

When I took a look at the logs I noticed that someone
is trying to log in using an anonymous FTP account, which is,
of course, disabled.

[log]
Nov 25 10:37:53 koushaven proftpd[8479]: - FTP session opened.
Nov 25 10:37:54 koushaven proftpd[8480]: - FTP session opened.
Nov 25 10:37:54 koushaven proftpd[8481]: - FTP session opened.
Nov 25 10:37:54 koushaven proftpd[8482]: - FTP session opened.
Nov 25 10:37:54 koushaven proftpd[8484]: - FTP session opened.
Nov 25 10:37:54 koushaven proftpd[8483]: - FTP session opened.
Nov 25 10:37:54 koushaven proftpd[8485]: - FTP session opened.
Nov 25 10:37:54 koushaven proftpd[8486]: - FTP session opened.
Nov 25 10:37:55 koushaven proftpd[8487]: - FTP session opened.
Nov 25 10:37:55 koushaven proftpd[8478]: - no such user 'anonymous'
Nov 25 10:37:55 koushaven proftpd[8478]: - no such user 'anonymous'
Nov 25 10:37:55 koushaven proftpd[8476]: - no such user 'anonymous'
Nov 25 10:37:55 koushaven proftpd[8476]: - no such user 'anonymous'
Nov 25 10:37:55 koushaven proftpd[8477]: - no such user 'anonymous'
Nov 25 10:37:55 koushaven proftpd[8477]: - no such user 'anonymous'
Nov 25 10:37:55 koushaven proftpd[8479]: - no such user 'anonymous'
Nov 25 10:37:55 koushaven proftpd[8479]: - no such user 'anonymous'
Nov 25 10:37:55 koushaven proftpd[8480]: - no such user 'anonymous'
Nov 25 10:37:55 koushaven proftpd[8480]: - no such user 'anonymous'
Nov 25 10:37:55 koushaven proftpd[8481]: - no such user 'anonymous'
Nov 25 10:37:55 koushaven proftpd[8481]: - no such user 'anonymous'
Nov 25 10:37:55 koushaven proftpd[8484]: - no such user 'anonymous'
Nov 25 10:37:55 koushaven proftpd[8484]: - no such user 'anonymous'
Nov 25 10:37:55 koushaven proftpd[8482]: - no such user 'anonymous'
etc, etc, etc.
[/log]

This continues for a while, until:
Nov 25 10:37:59 koushaven inetd[26588]: ftp/tcp server failing (looping), service terminated

After this, the procedure starts all over again, only this time the user is
trying it from another IP address.

As I said, the Cobalt is hosting several sites, each with their own IP.
The user is also trying to use different IPs to log in with the anonymous
account.

Any ideas?

M. den Braber
Kabelfoon/IGR
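
One way to triage a log like the one in this message, as an added example that is not part of the original post: it counts FTP sessions opened per second, totals the failed anonymous logins, and records when inetd shut the service down. The sample lines, host name, PIDs and the `burst_threshold` value are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the post's syslog format (host name and PIDs are made up).
SAMPLE = "\n".join(
    ["Nov 25 10:37:53 ftphost proftpd[9000]: - FTP session opened."]
    + [f"Nov 25 10:37:54 ftphost proftpd[{9001 + i}]: - FTP session opened." for i in range(6)]
    + [f"Nov 25 10:37:55 ftphost proftpd[{9001 + i}]: - no such user 'anonymous'" for i in range(4)]
    + ["Nov 25 10:37:59 ftphost inetd[26000]: ftp/tcp server failing (looping), service terminated"]
)

# timestamp, host, program, pid, message
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) (\w+)\[(\d+)\]: (.*)$")

def analyse(log_text, burst_threshold=5):
    """Summarise an FTP connection flood from syslog text.

    burst_threshold is an assumed tuning value: sessions opened within
    one second at or above it are reported as a burst.
    """
    opened = Counter()     # sessions opened, keyed by timestamp (1 s resolution)
    anon_fail = Counter()  # rejected 'anonymous' logins, keyed by timestamp
    inetd_kills = []       # timestamps where inetd terminated the ftp service
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected syslog shape
        ts, _host, prog, _pid, msg = m.groups()
        if prog == "proftpd" and "FTP session opened" in msg:
            opened[ts] += 1
        elif prog == "proftpd" and "no such user 'anonymous'" in msg:
            anon_fail[ts] += 1
        elif prog == "inetd" and "ftp/tcp server failing (looping)" in msg:
            inetd_kills.append(ts)
    return {
        "bursts": [ts for ts, n in opened.items() if n >= burst_threshold],
        "peak_opens_per_second": max(opened.values(), default=0),
        "anon_failures": sum(anon_fail.values()),
        "inetd_terminations": inetd_kills,
    }

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

inetd logs the "looping" message when a service is started more often than its rate limit allows, so each entry in `inetd_terminations` marks a point where the connection flood took FTP offline.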

