RE: [cobalt-users] possible ftp attack??
- Subject: RE: [cobalt-users] possible ftp attack??
- From: "Sim Ayers" <sim@xxxxxxxxxxxx>
- Date: Sat Oct 20 19:51:00 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> I was looking at my log files and found this in /var/log/secure:
>
> Oct 20 12:19:00 www proftpd[26204]: www.mydomain.com (AMontpellier-201-1-6-88.abo.wanadoo.fr[80.11.171.88]) - USER anonymous: no such user found from AMontpellier-201-1-6-88.abo.wanadoo.fr [80.11.171.88] to xxx.xxx.xxx.xxx:21
>
> The next line reads proftpd[26205], then a line for 06, all the way to a
> line for 15.
>
> Is this some sort of attack? If so, what are some possible next steps?
>
> I found a second similar "attack". If it is an attack, how can it be reported?
>
It's probably a Windows worm or virus.
/var/log/messages is filled with the same FTP attack.
Use this to see a list of unauthorized access attempts:
grep "anonymous" /var/log/messages
Oct 12 11:35:39 admin proftpd[8132]: (ca-ol-metz-3-252.abo.wanadoo.fr[213.56.248.252]) - USER anonymous (Login failed): Can't find user.
Oct 18 18:26:15 admin proftpd[19587]: (lns2-172.arc2.w.club-internet.fr[213.44.208.172]) - USER anonymous@xxxxxxxxxxxxxxxxx (Login failed): Can't find user.
Here's the whois info on wanadoo.fr
inetnum: 195.6.74.0 - 195.6.81.255
netname: FR-FTCI-20000427-1
descr: France Telecom Cable Interactive
country: FR
admin-c: CL1478-RIPE
tech-c: LT723-RIPE
tech-c: OH251-RIPE
status: ASSIGNED PA
remarks: #######################################################
remarks: For Hacking, Spamming or Security Problems send mail to
remarks: abuse@xxxxxxxxxxxxxxxx AND abuse@xxxxxxxxxx
remarks: #######################################################
notify: addr-reg@xxxxxxx
mnt-by: RAIN-TRANSPAC
changed: karim@xxxxxxx 20001025
changed: karim@xxxxxxx 20011015
source: RIPE
domain: club-internet.fr
descr: T-ONLINE FRANCE
descr: 11 rue de Cambrai
descr: 75019 Paris
admin-c: ACCI2-FRNIC
tech-c: TCCI1-FRNIC
zone-c: NFC1-FRNIC
nserver: ns1.grolier.fr
nserver: ns2.grolier.fr
mnt-by: FR-NIC-MNT
mnt-lower: FR-NIC-MNT
changed: frnic-dbm-updates@xxxxxx 20010731
source: FRNIC
There are lots of other IP addresses and domains attempting to log in anonymously, but only
club-internet.fr is using anonymous@xxxxxxxxxxxxxxxxx
I suggest we all send an abuse email to abuse@xxxxxxxxxx for starters.
-Sim
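An added example, not from either post in this thread: it does what the grep above does, but over both proftpd log shapes quoted in the thread (the "no such user found from HOST [IP]" form in /var/log/secure and the "(Login failed): Can't find user." form in /var/log/messages), counting failed anonymous logins per source address so worm-style runs stand out and the per-source evidence can be handed to the ISP's abuse contact. The log lines, hostnames and addresses below are constructed samples, not the ones from the posts.

```python
import re
from collections import Counter

# Matches both proftpd failure shapes quoted in the thread:
#   ... proftpd[PID]: HOST (RDNS[IP]) - USER anonymous: no such user found from RDNS [IP] to X:21
#   ... proftpd[PID]: (RDNS[IP]) - USER anonymous[@domain] (Login failed): Can't find user.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[(?P<pid>\d+)\]:.*?"
    r"\((?P<rdns>[^\[\]()]*)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\) - "
    r"USER (?P<user>\S+?):? .*?(?:no such user found|Can't find user)"
)

# Constructed sample log (documentation-range addresses, made-up hostnames).
SAMPLE_LOG = """\
Oct 20 12:19:00 www proftpd[26204]: www.example.com (host-1.isp-a.example[192.0.2.10]) - USER anonymous: no such user found from host-1.isp-a.example [192.0.2.10] to 198.51.100.5:21
Oct 20 12:19:01 www proftpd[26205]: www.example.com (host-1.isp-a.example[192.0.2.10]) - USER anonymous: no such user found from host-1.isp-a.example [192.0.2.10] to 198.51.100.5:21
Oct 20 12:19:02 www proftpd[26206]: www.example.com (host-1.isp-a.example[192.0.2.10]) - USER anonymous: no such user found from host-1.isp-a.example [192.0.2.10] to 198.51.100.5:21
Oct 18 18:26:15 admin proftpd[19587]: (dsl-7.isp-b.example[203.0.113.44]) - USER anonymous@somewhere.example (Login failed): Can't find user.
Oct 18 18:26:20 admin proftpd[19588]: (dsl-7.isp-b.example[203.0.113.44]) - USER alice (Login failed): Can't find user.
Oct 18 18:30:00 admin sshd[200]: Accepted password for bob from 203.0.113.44 port 5000 ssh2
"""

def is_anonymous(user):
    # "anonymous" and "anonymous@domain" both count; "anonymousx" does not.
    return user.split("@", 1)[0] == "anonymous"

def parse_failed_logins(log_text):
    """One dict (ts, pid, rdns, ip, user) per failed USER attempt; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, log_text.splitlines()) if m]

def anonymous_failures_by_source(events):
    """Failed anonymous logins per source IP; a worm shows up as a burst from one address."""
    return Counter(e["ip"] for e in events if is_anonymous(e["user"]))

def anonymous_variants(events):
    """Distinct anonymous USER strings, to spot the anonymous@domain form the reply singled out."""
    return sorted({e["user"] for e in events if is_anonymous(e["user"])})

def abuse_report_lines(events, ip):
    """Timestamped evidence for one source address, ready to paste into an abuse report."""
    return [f"{e['ts']} {e['rdns']} [{e['ip']}] USER {e['user']}" for e in events if e["ip"] == ip]

if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LOG)
    for ip, n in anonymous_failures_by_source(evs).most_common():
        print(f"{ip}: {n} failed anonymous logins")
```

Against a real box, feed it the output of `cat /var/log/secure /var/log/messages` instead of SAMPLE_LOG; the sshd line in the sample shows non-proftpd entries are ignored.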