  1. #1
    Join Date
    Nov 2004
    Posts
    31

    Brute Force Attack on FTP

    This is the proftpd report in my Logwatch:

    proftpd-messages Begin

    'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
    disconnected
    'hostname' (127.0.0.1[127.0.0.1]) - FTP no transfer timeout,
    disconnected
    'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
    disconnected
    xx.xx.xxx.232 (66.97.95.1[66.97.95.1]) - no such user 'look'
    xx.xx.xxx.233 (66.97.95.1[66.97.95.1]) - no such user 'look'
    xx.xx.xxx.231 (66.97.95.1[66.97.95.1]) - no such user 'look'
    xx.xx.xxx.234 (66.97.95.1[66.97.95.1]) - no such user 'look'
    xx.xx.xxx.238 (66.97.95.1[66.97.95.1]) - no such user 'look'
    xx.xx.xxx.235 (66.97.95.1[66.97.95.1]) - no such user 'look'
    xx.xx.xxx.232 (66.97.95.1[66.97.95.1]) - no such user 'user'
    xx.xx.xxx.233 (66.97.95.1[66.97.95.1]) - no such user 'user'
    xx.xx.xxx.231 (66.97.95.1[66.97.95.1]) - no such user 'user'
    xx.xx.xxx.234 (66.97.95.1[66.97.95.1]) - no such user 'user'
    xx.xx.xxx.238 (66.97.95.1[66.97.95.1]) - no such user 'user'
    xx.xx.xxx.235 (66.97.95.1[66.97.95.1]) - no such user 'user'
    'hostname' (66.97.95.1[66.97.95.1]) - no such user 'leech'
    'hostname' (66.97.95.1[66.97.95.1]) - no such user 'leech'
    'hostname' (66.97.95.1[66.97.95.1]) - no such user 'leech'
    'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
    disconnected
    'hostname' (66.97.95.1[66.97.95.1]) - no such user 'admin'
    'hostname' (66.97.95.1[66.97.95.1]) - no such user 'admin'
    'hostname' (66.97.95.1[66.97.95.1]) - no such user 'admin'
    'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
    disconnected
    'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
    disconnected


    Details of 66.97.95.1
    Blacklist Status: Clear
    Whois History: 3 records stored
    Record Type: IP Address
    IP Location: United States - Blue Mountain Internet
    Reverse IP: Web server hosts 1 websites (reverse ip tool requires free login)
    Reverse DNS: w1.bmi.net

    1 domains found on 66.97.95.1
    Showing all 1.

    Website
    Oddfellows.com

    Looks like he has compromised a server...

    The same person also tried to Brute Force into SSH but BFD took care of that. So what is he trying now and how do I stop him...

    Thanks.

  2. #2
    Join Date
    Apr 2002
    Location
    UK
    Posts
    429
    How do you know he's compromised the server? All I'm seeing in those messages is login attempts.

    The best way to stop him is to add his IP to your firewall - that should do the trick.
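
Added example, not part of either post: a short Python script that reads proftpd lines in the Logwatch format shown in the first post, counts `no such user` failures per client IP, and lists the addresses that look like username guessing and are candidates for the firewall block suggested in the reply. The sample lines, the documentation-range addresses and the thresholds are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format from the thread: server name, then
# (client-host[client-ip]), then the message. Addresses are documentation ranges.
SAMPLE = """\
'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out, disconnected
xx.xx.xxx.232 (198.51.100.7[198.51.100.7]) - no such user 'look'
xx.xx.xxx.233 (198.51.100.7[198.51.100.7]) - no such user 'look'
xx.xx.xxx.232 (198.51.100.7[198.51.100.7]) - no such user 'user'
'hostname' (198.51.100.7[198.51.100.7]) - no such user 'leech'
'hostname' (198.51.100.7[198.51.100.7]) - no such user 'admin'
'hostname' (203.0.113.20[203.0.113.20]) - no such user 'bob'
"""

LINE = re.compile(r"\([^\[]+\[(?P<ip>[^\]]+)\]\) - no such user '(?P<user>[^']*)'")


def failed_logins(text):
    """Map client IP -> usernames tried, taken from 'no such user' lines."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        try:
            # Normalise and validate, so nothing but a real address can end up
            # in a firewall rule built from this output.
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue
        hits[ip].append(m.group("user"))
    return dict(hits)


def suspects(text, min_attempts=5, min_users=3):
    """Non-loopback IPs with many failures spread over several usernames."""
    out = {}
    for ip, users in failed_logins(text).items():
        if ipaddress.ip_address(ip).is_loopback:
            continue  # never propose blocking the host itself
        if len(users) >= min_attempts and len(set(users)) >= min_users:
            out[ip] = {"attempts": len(users), "usernames": sorted(set(users))}
    return out


if __name__ == "__main__":
    for ip, info in suspects(SAMPLE).items():
        print(ip, info["attempts"], ",".join(info["usernames"]))
```

Requiring several distinct usernames keeps a single user who mistypes their own login from being flagged.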
