Re: [WEB SECURITY] slow, deliberate ftp probes
- From: Bil Corry <bil@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] slow, deliberate ftp probes
- Date: Wed, 16 Jul 2008 23:39:00 -0500
Greg wrote on 7/16/2008 10:39 PM:
We host quite a few websites, and as an avid log watcher, I am
curious if anyone else has noticed deliberate, meticulous but quiet
FTP probes recently. For example, the "probes" seem to utilize a
domain name as a user name - say, that we host "xyz.com" - the FTP
probes use "xyz" as the user name, and only make one attempt at a
time.

These "probes" occur at random time intervals and from a variety of
IPs worldwide. And since the timing is so random, it's hard to
believe that it could be a bot. In fact, they are so random as to
purposely not raise any red flags. In over 9 years of hosting, this
is the first time I've ever seen anything so deliberate and meticulous.

Sounds very similar to this:
-----
Sysadmins have begun noticing a coordinated attack on servers with open SSH ports that tries to stay under the radar by only attempting to guess a password three times from any compromised machine. Instead of mounting an attack from a single compromised host, hackers have worked out a means to relay a brute force attack between multiple assault machines.
<http://www.theregister.co.uk/2008/07/14/brute_force_ssh_attack/>
-----
You might email the author of the article and see if he's aware of your issue as well.
- Bil
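
Added example, not part of the original thread: a per-source failure threshold never fires on one attempt per IP, so this sketch groups failed FTP logins by the targeted account and flags domain-derived user names hit from several quiet sources. The log format, the sample lines, the hosted-domain list and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the thread): hosted domains and failed FTP
# logins in an assumed "timestamp source_ip FAIL user=<name>" line format.
HOSTED_DOMAINS = ["xyz.com", "example.org"]
SAMPLE_LOG = """\
2008-07-14T02:11:09 198.51.100.7 FAIL user=xyz
2008-07-14T19:45:31 203.0.113.20 FAIL user=xyz
2008-07-15T06:02:57 192.0.2.44 FAIL user=xyz
2008-07-15T23:30:12 198.51.100.93 FAIL user=xyz
2008-07-16T08:00:01 192.0.2.10 FAIL user=bob
2008-07-16T08:00:03 192.0.2.10 FAIL user=bob
2008-07-16T08:00:05 192.0.2.10 FAIL user=bob
2008-07-16T11:17:40 203.0.113.77 FAIL user=example
"""

def parse_failures(log_text):
    """Yield (source_ip, username) for each well-formed failed-login line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[2] == "FAIL" and fields[3].startswith("user="):
            yield fields[1], fields[3][len("user="):].lower()

def distributed_probes(log_text, hosted_domains, min_sources=3, max_per_source=1):
    """Return {username: sorted quiet source IPs} for user names that equal the
    first label of a hosted domain and failed from at least min_sources IPs,
    each of which made no more than max_per_source attempts."""
    domain_labels = {d.lower().split(".")[0] for d in hosted_domains}
    attempts = defaultdict(lambda: defaultdict(int))  # user -> ip -> failures
    for ip, user in parse_failures(log_text):
        attempts[user][ip] += 1
    flagged = {}
    for user, per_ip in attempts.items():
        if user not in domain_labels:
            continue  # ordinary mistyped or guessed account, not domain-derived
        quiet = sorted(ip for ip, n in per_ip.items() if n <= max_per_source)
        if len(quiet) >= min_sources:
            flagged[user] = quiet
    return flagged

if __name__ == "__main__":
    for user, ips in distributed_probes(SAMPLE_LOG, HOSTED_DOMAINS).items():
        print(f"{user}: {len(ips)} quiet sources: {', '.join(ips)}")
```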
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org