Thread: Brute Force Attack on FTP
05-28-2005, 04:01 AM #1 (Junior Guru Wannabe, Join Date: Nov 2004, Posts: 31)
This is the proftpd report in my Logwatch:
proftpd-messages Begin
'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
disconnected
'hostname' (127.0.0.1[127.0.0.1]) - FTP no transfer timeout,
disconnected
'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
disconnected
xx.xx.xxx.232 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.233 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.231 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.234 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.238 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.235 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.232 (66.97.95.1[66.97.95.1]) - no such user 'user'
xx.xx.xxx.233 (66.97.95.1[66.97.95.1]) - no such user 'user'
xx.xx.xxx.231 (66.97.95.1[66.97.95.1]) - no such user 'user'
xx.xx.xxx.234 (66.97.95.1[66.97.95.1]) - no such user 'user'
xx.xx.xxx.238 (66.97.95.1[66.97.95.1]) - no such user 'user'
xx.xx.xxx.235 (66.97.95.1[66.97.95.1]) - no such user 'user'
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'leech'
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'leech'
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'leech'
'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
disconnected
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'admin'
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'admin'
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'admin'
'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
disconnected
'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
disconnected
Details of 66.97.95.1
Blacklist Status: Clear
Whois History: 3 records stored
Record Type: IP Address
IP Location: United States - Blue Mountain Internet
Reverse IP: Web server hosts 1 websites (reverse ip tool requires free login)
Reverse DNS: w1.bmi.net
1 domains found on 66.97.95.1
Showing all 1.
Website
Oddfellows.com
Looks like he has compromised a server...
The same person also tried to Brute Force into SSH but BFD took care of that. So what is he trying now and how do I stop him...
Thanks.
05-28-2005, 11:00 AM #2 (Aspiring Evangelist, Join Date: Apr 2002, Location: UK, Posts: 429)
How do you know he's compromised the server? All I'm seeing in those messages is login attempts.
The best way to stop him is to add his IP to your firewall - that should do the trick.
Regards, Gordon.
Rune Solutions: Fast, Efficient Remote Backup Service.
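
An added example, not part of either post and not code from proftpd, Logwatch or BFD: a Python script that counts the "no such user" lines from a report like the one in post #1 per source IP and lists the addresses worth adding to the firewall. The function names, the thresholds, the 192.0.2.10 sample line and the iptables rule form (Linux host, FTP control port 21) are assumptions made for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Line shape taken from the report in post #1:
#   <name> (<client>[<client ip>]) - no such user '<name>'
LINE_RE = re.compile(
    r"\([^\[\]]+\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+-\s+no such user '(?P<user>[^']*)'")

# Lines copied from post #1, plus one constructed line (192.0.2.10).
SAMPLE = """\
'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out, disconnected
xx.xx.xxx.232 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.233 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.232 (66.97.95.1[66.97.95.1]) - no such user 'user'
xx.xx.xxx.233 (66.97.95.1[66.97.95.1]) - no such user 'user'
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'leech'
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'admin'
'hostname' (192.0.2.10[192.0.2.10]) - no such user 'jsmtih'
"""

def failed_logins(report):
    """Map source IP -> {'attempts': count, 'users': set of names tried}."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in report.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # timeouts and other messages are not login failures
        try:
            ip = ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address field
        if ip.is_loopback:
            continue  # never propose blocking the local host
        entry = stats[str(ip)]
        entry["attempts"] += 1
        entry["users"].add(m.group("user"))
    return dict(stats)

def block_candidates(report, min_attempts=5, min_users=3):
    """IPs that tried several different non-existent accounts (assumed thresholds)."""
    return sorted(ip for ip, s in failed_logins(report).items()
                  if s["attempts"] >= min_attempts and len(s["users"]) >= min_users)

def iptables_rules(ips):
    """One DROP rule per address, limited to the FTP control port."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 21 -j DROP" for ip in ips]

if __name__ == "__main__":
    print("\n".join(iptables_rules(block_candidates(SAMPLE))))
```

Requiring several distinct usernames keeps a single mistyped login, like the constructed 192.0.2.10 line, from being treated the same as a guessing run.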