Web Hosting Talk

Is this some kind of DOS attack?


Alan - Vox
08-16-2002, 10:22 AM
Some of my servers have been crashing a lot lately.

I found this in the logs before one server crashed today. Could this be some kind of DoS attack?


Aug 16 05:32:41 www named[21993]: client 68.115.186.114#29873: update 'rhinon.com/IN' denied
Aug 16 05:32:51 www proftpd[24239]: 63.85.123.4 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24239]: 63.85.123.4 (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:51 www proftpd[24284]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24284]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:51 www proftpd[24289]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24289]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:51 www proftpd[24273]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24273]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:51 www proftpd[24244]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24244]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:51 www proftpd[24238]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24238]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:51 www proftpd[24248]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24255]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24260]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24245]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24257]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24266]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24250]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24270]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24254]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24268]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24256]: 63.85.123.138 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24278]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24282]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24287]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24276]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24280]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24285]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24241]: 63.85.123.7 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24240]: 63.85.123.6 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:52 www proftpd[24249]: 63.85.123.133 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:52 www proftpd[24264]: 63.85.123.155 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:52 www proftpd[24243]: 63.85.123.14 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:52 www proftpd[24251]: 63.85.123.135 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:52 www proftpd[24269]: 63.85.123.159 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:52 www proftpd[24259]: 63.85.123.142 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:52 www proftpd[24246]: 63.85.123.131 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:52 www proftpd[24248]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:52 www proftpd[24242]: 63.85.123.11 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:52 www proftpd[24267]: 63.85.123.157 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:52 www proftpd[24258]: 63.85.123.140 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:52 www proftpd[24255]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:52 www proftpd[24260]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:52 www proftpd[24245]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:52 www proftpd[24257]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:52 www proftpd[24266]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:52 www proftpd[24250]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:52 www proftpd[24270]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:52 www proftpd[24299]: 63.85.123.153 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:52 www proftpd[24254]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:52 www proftpd[24268]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:52 www proftpd[24256]: 63.85.123.138 (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:52 www proftpd[24278]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:52 www proftpd[24282]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:53 www proftpd[24287]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:53 www proftpd[24276]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:53 www proftpd[24280]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:53 www proftpd[24285]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:53 www proftpd[24241]: 63.85.123.7 (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:53 www proftpd[24302]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:53 www proftpd[24308]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:53 www proftpd[24240]: 63.85.123.6 (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:53 www proftpd[24303]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.

Alan - Vox
08-16-2002, 10:24 AM
Aug 16 05:32:53 www proftpd[24309]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:53 www proftpd[24307]: 63.85.123.12 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:53 www proftpd[24249]: 63.85.123.133 (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:53 www proftpd[24316]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:53 www proftpd[24318]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:53 www proftpd[24304]: 63.85.123.9 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24305]: 63.85.123.8 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24310]: 63.85.123.18 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24252]: 63.85.123.136 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24315]: 63.85.123.16 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24311]: 63.85.123.19 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24263]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24320]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24327]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24261]: 63.85.123.144 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24312]: 63.85.123.20 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24313]: 63.85.123.22 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24306]: 63.85.123.10 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24323]: 63.85.123.167 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24317]: 63.85.123.28 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24324]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24271]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24319]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24264]: 63.85.123.155 (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:54 www proftpd[24328]: 63.85.123.171 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24321]: 63.85.123.165 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24331]: 63.85.123.24 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24325]: 63.85.123.169 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24333]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24332]: 63.85.123.30 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24335]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24330]: 63.85.123.26 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24343]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24337]: 63.85.123.34 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24340]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24338]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24342]: 63.85.123.38 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24334]: 63.85.123.32 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:54 www proftpd[24339]: 63.85.123.36 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:55 www proftpd[24291]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:55 www proftpd[24294]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:55 www proftpd[24275]: 63.85.123.177 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:55 www proftpd[24295]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:55 www proftpd[24292]: 63.85.123.163 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:55 www proftpd[24288]: 63.85.123.151 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:55 www proftpd[24293]: 63.85.123.185 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:55 www proftpd[24277]: 63.85.123.179 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:55 www proftpd[24272]: 63.85.123.175 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:55 www proftpd[24290]: 63.85.123.161 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:55 www proftpd[24286]: 63.85.123.149 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:55 www proftpd[24283]: 63.85.123.146 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:55 www proftpd[24347]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:55 www proftpd[24279]: 63.85.123.181 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:55 www proftpd[24346]: 63.85.123.173 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:55 www proftpd[24345]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:57 www proftpd[24243]: 63.85.123.14 (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:57 www proftpd[24251]: 63.85.123.135 (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:58 www proftpd[24269]: 63.85.123.159 (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:58 www proftpd[24259]: 63.85.123.142 (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:58 www proftpd[24246]: 63.85.123.131 (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:58 www proftpd[24242]: 63.85.123.11 (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:58 www proftpd[24267]: 63.85.123.157 (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:58 www proftpd[24258]: 63.85.123.140 (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:59 www proftpd[24299]: 63.85.123.153 (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:59 www proftpd[24302]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:59 www proftpd[24308]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:59 www proftpd[24303]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:59 www proftpd[24309]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:59 www proftpd[24307]: 63.85.123.12 (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:59 www proftpd[24316]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:59 www proftpd[24318]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:59 www proftpd[24304]: 63.85.123.9 (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:59 www proftpd[24305]: 63.85.123.8 (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:59 www proftpd[24310]: 63.85.123.18 (194.152.190.150[194.152.190.150]) - FTP session closed.

dreamrae.com
08-16-2002, 11:11 AM
Um, well, not too sure. If 194.152.190.150 is the person that is accessing the FTP server then maybe it's just some kid. But I'm thinking it's your server's gateway or something. Maybe someone has a script trying to connect to all your sites on the server. I'm pretty sure this is normal traffic though. Unless 194.152.190.150 is one person, then I'd worry.

Alan - Vox
08-16-2002, 11:13 AM
194.152.190.150 traces to Austria.

H2
08-16-2002, 11:35 AM
This software is scanning open ports, MySQL, FTP, etc. Usually the software generates a lot of connections to your FTP/email server, so the server may crash due to high load.

Alan - Vox
08-16-2002, 11:37 AM
I think it's probably a deliberate attempt to crash my servers.

rfxn
08-16-2002, 11:49 AM
This could be one of 2 things:
a) Brute force attack via FTP, in attempts to crack passwords of legit accounts
b) DoS attack geared towards consuming resources

You should ban the IP via iptables or the likes:
e.g.:
iptables -A INPUT -s 194.152.190.150 -d 0/0 -j DROP

clockwork
08-16-2002, 11:57 AM
If your server crashes due to FTP connections (unless it's hundreds per second), then, frankly, your server specs or OS is under par.

I ran a server that was hosting some software, and a new release was made and I was POUNDED with requests, and had a max of 100 concurrent connections (maxed for about a week). This was running ProFTPD as well.

Alan - Vox
08-16-2002, 12:02 PM
Umm, dual 866MHz with 2GB RAM. Of course it has to do its usual traffic as well.

akashik
08-16-2002, 04:00 PM
I don't think that's it. Back before we started /dev/null'ing the 'attack reports' that get e-mailed, I used to see that all the time. That report got close to 5 meg a day before I got tired of seeing it. Never a server problem to be seen that could be remotely attached to anything like that.

Greg Moore

Alan - Vox
08-16-2002, 04:35 PM
Did you get that kind of activity in only 4 seconds though?

akashik
08-16-2002, 04:50 PM
Can't say for sure, but it sounds pretty familiar - I just dug out an old report, and found something similar. While it wasn't as long as what you've listed, it was as fast. Something I did notice was the odd probe for anonftp ports in the middle of it.

Sounds like a script just looking for a way in and not finding one.

The bulk of the report was port sentry, e-mail and 'lame server' notices.

Whatever it is you list I don't think it would (or should) crash a server.

Greg Moore

Alan - Vox
08-16-2002, 05:13 PM
Yeah, can't be that crashing the server. I just checked other servers and there is the same thing listed.

Faggle
08-16-2002, 05:25 PM
Unless you have a few minutes' worth of connection attempts, it could just be someone's FTP client trying to connect and auto-retry with no delay...

bitserve
08-16-2002, 10:48 PM
It does look like some kind of DoS attack. :)

BTW: It's probably not a brute force password attack on the FTP service. As far as I know, when the password is wrong with ProFTPD, it is logged:

no such user 'user'

I'd also wager against it being an FTP client retrying because of a failure to connect. 33 attempts in one second?

It's hard to tell from your services log if they're hitting other ports too. I agree that this alone shouldn't be crashing the server, but who knows what else they're doing and what other services you have running, or what you mean by "crashing". You should block their IPs with a firewall rule or two, and report it to their ISP if you want.
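A small log check that applies the reasoning in rfxn's and bitserve's replies to lines in the proftpd format Alan posted: count session opens per remote IP per second to spot a burst like the one above, count "no such user" lines to tell a password-guessing run from a bare connection flood, and print the iptables rule from the thread for any offender. This is an added example, not code from the thread; the sample lines are constructed (the 10.0.0.5 host is made up), and the thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the proftpd syslog format quoted in the thread: four
# opens from 194.152.190.150 within one second, one close, one failed login of
# the "no such user" kind, and one unrelated open from a made-up host 10.0.0.5.
SAMPLE_LOG = """\
Aug 16 05:32:51 www proftpd[24239]: 63.85.123.4 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24239]: 63.85.123.4 (194.152.190.150[194.152.190.150]) - FTP session closed.
Aug 16 05:32:51 www proftpd[24284]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24289]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:51 www proftpd[24273]: www.server4indallas.com (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:52 www proftpd[24249]: 63.85.123.133 (194.152.190.150[194.152.190.150]) - FTP session opened.
Aug 16 05:32:52 www proftpd[24249]: 63.85.123.133 (194.152.190.150[194.152.190.150]) - no such user 'admin'
Aug 16 05:33:10 www proftpd[24400]: www.server4indallas.com (10.0.0.5[10.0.0.5]) - FTP session opened.
"""

# <timestamp> <host> proftpd[<pid>]: <local vhost> (<remote name>[<remote ip>]) - <message>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: "
    r"(?P<vhost>\S+) \((?P<rhost>[^\[]*)\[(?P<rip>[^\]]+)\]\) - (?P<msg>.*)$"
)

def parse_line(line):
    """Return the fields of one proftpd log line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_bursts(lines, threshold):
    """(remote ip, second, opens) for every second in which one remote IP
    opened at least `threshold` sessions, busiest first."""
    opens = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["msg"] == "FTP session opened.":
            opens[(rec["rip"], rec["ts"])] += 1
    hits = [(ip, ts, n) for (ip, ts), n in opens.items() if n >= threshold]
    return sorted(hits, key=lambda h: (-h[2], h[1], h[0]))

def failed_logins(lines):
    """Count 'no such user' lines per remote IP. proftpd logs these on bad
    logins, so a flood with none of them is a connection flood rather than
    password guessing (other proftpd auth-failure messages could be added)."""
    fails = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and "no such user" in rec["msg"]:
            fails[rec["rip"]] += 1
    return fails

def drop_rule(ip):
    """The iptables rule suggested in the thread, for a confirmed offender."""
    return f"iptables -A INPUT -s {ip} -d 0/0 -j DROP"

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, ts, n in find_bursts(lines, threshold=3):
        print(f"{ts}: {n} sessions opened from {ip} in one second")
        print(f"  bad logins from {ip}: {failed_logins(lines)[ip]}")
        print(f"  {drop_rule(ip)}")
```

Run it against the real /var/log/messages instead of SAMPLE_LOG and raise the threshold to something well above the server's normal per-second FTP rate before acting on the output.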

dreamrae.com
08-16-2002, 11:20 PM
Looks like a cheap DoS attack. You should find the person and smack them just for using such a lame but effective method...

chrisb
08-18-2002, 04:11 AM
Alan, please post those long server logs as a link next time. Thanks.

Alan - Vox
08-18-2002, 08:13 AM
When did you become a mod, Chris?

XTStrike
08-18-2002, 09:32 AM
chrisb, good idea. Maybe a link would be good next time; it would certainly save a lot of info being posted across 2 posts.

Nicholas Brown
08-19-2002, 10:47 AM
Alan, I also had the same thing in my logs - I just banned the IP from the server.