Thread: anonFTP hack?

    #1
  1. /dev/null Member

    anonFTP hack?


    What is this guy trying to do?

    host (172.130.30.145[172.130.30.145]) - FTP session opened.
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - FTP session closed.
    host (172.130.30.145[172.130.30.145]) - FTP session opened.
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - FTP session closed.
    host (172.130.30.145[172.130.30.145]) - FTP session opened.
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - FTP session closed.
    host (172.130.30.145[172.130.30.145]) - FTP session opened.
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - no such user 'anonymous'
    host (172.130.30.145[172.130.30.145]) - FTP session closed.
    Any way to monitor this or block this IP?
  2. #2
    Contributing User
    He's just trying to log onto the FTP server without a valid username or password. As your log shows, anonymous access isn't allowed on the server, so he hasn't been getting in.
    So nothing here really to worry about.

    If you really want to block him you can, but he could be on a dynamic IP, so if he comes back a day or two later trying to log in, his IP could be different and your block will be useless.

    He's not getting in with an anonymous account, so nothing to worry about. Just look through and make sure he's not trying to get in (with the same IP) using other account names, for example, look for

    host (172.130.30.145[172.130.30.145]) - no such user 'fred'

    If you start seeing things such as that, and if there are a large number of them, then you might want to think about taking action, because he could be trying a brute force attack to try and get a valid un/pwd combo.
    One way to make this hard for him is to make sure none of the accounts on the FTP server have weak username and passwd combinations: set a minimum character length on account creation, and try to get people to use an upper/lowercase mix as well as numbers and other misc characters.

    All the best
  4. #3
  5. /dev/null Member
    Thanks for the info.. Is there a way to issue a "timeout" period for someone with too many failures?

    For example, I found this guy today:
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session opened.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    host (62.118.53.22[62.118.53.22]) - FTP session closed.
    Sorry for all the text, just wanted to make the point. Seems like brute force to me. If I could set a temporary time-out period for say, an hour, after "x" number of failed attempts, I think that could help.

    -jp
  6. #4
    Contributing User
    You can normally tell a brute force from the time stamps. If they're all ridiculously close together and there's a big list like the one above (well, normally bigger), then you can tell it's a brute attack.

    As to the timeout question, not sure what FTP server software you're using, but this is something that is possible.

    What ftp software are you using ?

    Also, turning on timestamps in your config might help figure out if it is actually a brute force or just someone who has a real problem remembering their password : )

    (If you run a large server (with a lot of users), these timestamps will increase log file sizes, so take this into account. If it is a big server, you might want to enable timestamps just for a day or so for monitoring purposes.)

    All the best
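
Added example, not part of any post in this thread: a log triage script for the line format quoted above. It counts failed logins per IP, collects the account names tried, and computes the one-hour lockout after "x" failures that post #3 asks about. It assumes timestamps have been enabled and each line is paired with epoch seconds; `max_failures`, `window` and `ban_seconds` are hypothetical parameter names, and the sample events are constructed.

```python
import re
from collections import defaultdict, deque

# Message part of the log lines quoted in this thread.
LINE_RE = re.compile(
    r"\((?P<ip>[0-9.]+)\[[0-9.]+\]\) - "
    r"(?:no such user '(?P<user>[^']*)'|FTP session (?P<state>opened|closed))"
)

def analyse(events, max_failures=5, window=60, ban_seconds=3600):
    """events: (epoch_seconds, line) pairs sorted by time; returns per-IP stats."""
    stats = defaultdict(lambda: {"failures": 0, "sessions": 0,
                                 "users": set(), "banned_until": None})
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    for ts, line in events:
        m = LINE_RE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        if m["state"] == "opened":
            s["sessions"] += 1
        elif m["user"] is not None:
            s["failures"] += 1
            s["users"].add(m["user"])
            q = recent[m["ip"]]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= max_failures:       # too many close together: lock out
                s["banned_until"] = ts + ban_seconds
    return dict(stats)

def suspicious(stats):
    """IPs that hit the lockout threshold or tried more than one account name."""
    return sorted(ip for ip, s in stats.items()
                  if s["banned_until"] is not None or len(s["users"]) > 1)

def fmt(ip, msg):
    return f"host ({ip}[{ip}]) - {msg}"

# Constructed sample: documentation IPs and made-up timestamps, not the poster's log.
SAMPLE = (
    [(0, fmt("192.0.2.10", "FTP session opened."))]
    + [(t, fmt("192.0.2.10", "no such user 'anonymous'")) for t in range(1, 6)]
    + [(6, fmt("192.0.2.10", "FTP session closed.")),
       (100, fmt("198.51.100.7", "no such user 'fred'")),
       (400, fmt("198.51.100.7", "no such user 'admin'")),
       (500, fmt("203.0.113.5", "no such user 'anonymous'"))]
)
```

The `banned_until` value is only a decision; enforcing it is up to the FTP server or firewall in use, which the thread does not identify.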
