I recently moved a customer's site to one of our servers. We kept the username & pwd the same.
I noticed in the logs that as soon as the domain pointed to the new location there were FTP logins on that account from random locations from 1 country, the home country of the customer.
The logins were successful until I changed the password for that account.
The strange thing is that every time only the login was made and then it would time out. No file transfers or anything. It seems like it was only a check to see if they could log in.
The login attempts for that user still continue (but now fail due to the changed password), every time from a different location (1 country) it seems.
I'm getting really curious what this could be. Maybe one of you has an idea?
Originally posted by alex-info: Maybe it's an automated program checking to see if the FTP server is running... something like SiteUptime but for FTP?
That's what I thought in the beginning, but then I saw that the logins were coming from a different location every time.
I saw an attempt from a dialup account as well, I doubt that's a monitoring service.
Maybe the username and password were given out to allow people to connect and download files, thereby avoiding the transfer allowance as from what I can tell most hosts don't actually include FTP traffic in the monthly allowance.
This customer doesn't have much knowledge of the internet. He is certainly not into warez either.
The password must have been distributed somehow though...
Maybe the customer had a trojan on this computer at some point in time, and the password was captured.
Maybe the computers that do the login attempts have trojans running on them as well, who knows.
But what strikes me is the fact that each time only a login was made, nothing else. No file uploads/downloads, nothing at all.
If these were people looking for warez accounts I would expect files to be uploaded immediately.
I've seen odd things in my logs before but this I have no explanation for...
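Added example, not part of the original thread: a small Python check for the pattern described above, where one account gets successful logins from many different addresses and each session ends without any file activity. The log format, the sample lines and the names `find_credential_checks`, `LINE_RE` and `ACTIVITY_EVENTS` are made up for illustration; adapt the regex to your own FTP daemon's log.

```python
import re
from collections import defaultdict

# Constructed sample lines in a made-up format (adapt LINE_RE to your FTP daemon's log).
SAMPLE_LOG = """\
2024-01-10T09:00:01 sid=1 ip=198.51.100.7 user=customer1 event=LOGIN_OK
2024-01-10T09:05:01 sid=1 ip=198.51.100.7 user=customer1 event=TIMEOUT
2024-01-10T11:30:12 sid=2 ip=203.0.113.20 user=customer1 event=LOGIN_OK
2024-01-10T11:35:12 sid=2 ip=203.0.113.20 user=customer1 event=TIMEOUT
2024-01-10T12:02:40 sid=3 ip=192.0.2.10 user=webmaster event=LOGIN_OK
2024-01-10T12:02:55 sid=3 ip=192.0.2.10 user=webmaster event=STOR
2024-01-10T14:47:03 sid=4 ip=192.0.2.55 user=customer1 event=LOGIN_OK
2024-01-10T14:52:03 sid=4 ip=192.0.2.55 user=customer1 event=TIMEOUT
2024-01-11T08:15:44 sid=5 ip=198.51.100.99 user=customer1 event=LOGIN_FAIL
"""

LINE_RE = re.compile(r"^(\S+) sid=(\d+) ip=(\S+) user=(\S+) event=(\w+)$")
# Events that mean the session actually did something after logging in.
ACTIVITY_EVENTS = {"RETR", "STOR", "LIST"}


def parse_sessions(log_text):
    """Group log lines by session id: {sid: {"ip", "user", "events"}}."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, sid, ip, user, event = m.groups()
        sess = sessions.setdefault(sid, {"ip": ip, "user": user, "events": []})
        sess["events"].append(event)
    return sessions


def find_credential_checks(log_text, min_ips=3):
    """Return {user: sorted IPs} for accounts with login-only sessions
    (successful login, no file activity) from at least min_ips addresses."""
    idle_ips = defaultdict(set)
    for sess in parse_sessions(log_text).values():
        events = sess["events"]
        if "LOGIN_OK" in events and not ACTIVITY_EVENTS.intersection(events):
            idle_ips[sess["user"]].add(sess["ip"])
    return {u: sorted(ips) for u, ips in idle_ips.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    print(find_credential_checks(SAMPLE_LOG))
```

An account flagged this way should have its password changed, and the machines that hold the saved FTP credentials checked for malware.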