I just posted this in focus-linux a minute ago, looks the same:
>Hi guys,
>
>I'm fairly new to the lists so i hope i'm dropping it
>in the right one. ;-)
>
>Anyway,
>
>In my network there is a cobalt raq4 that is hosting several
>sites and today i noticed that in the last couple of days the
>number of connections shot through the roof. (Compared to usual ;) )
>
>When i take a look at the logs i noticed that someone
>is trying to login using an anonymous ftp account, which is,
>off course disabled.
>
>[log]
>Nov 25 10:37:53 koushaven proftpd[8479]: - FTP session opened.
>Nov 25 10:37:54 koushaven proftpd[8480]: - FTP session opened.
>Nov 25 10:37:54 koushaven proftpd[8481]: - FTP session opened.
>Nov 25 10:37:54 koushaven proftpd[8482]: - FTP session opened.
>Nov 25 10:37:54 koushaven proftpd[8484]: - FTP session opened.
>Nov 25 10:37:54 koushaven proftpd[8483]: - FTP session opened.
>Nov 25 10:37:54 koushaven proftpd[8485]: - FTP session opened.
>Nov 25 10:37:54 koushaven proftpd[8486]: - FTP session opened.
>Nov 25 10:37:55 koushaven proftpd[8487]: - FTP session opened.
>Nov 25 10:37:55 koushaven proftpd[8478]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8478]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8476]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8476]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8477]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8477]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8479]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8479]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8480]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8480]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8481]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8481]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8484]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8484]: - no such user 'anonymous'
>Nov 25 10:37:55 koushaven proftpd[8482]: - no such user 'anonymous'
>etc, etc, etc.
>[/log]
>
>This continues for a while, until:
>Nov 25 10:37:59 koushaven inetd[26588]: ftp/tcp server failing (looping),
service terminated
>
>After this, the procedure start all over again only this time the user is
>trying it from another IP adres.
>
>As i said, the cobalt is hosting several sites, each with their own IP.
>The user is also trying to use different IP's to log in with the anonymous
account.
>
>Any idea's?
>
>M. den Braber
>Kabelfoon/IGR
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Received on Tue Nov 26 16:40:01 2002
This archive was generated by hypermail 2.1.8
: Wed Aug 23 2006 - 14:01:52 EDT
|
