SLUG Mailing List Archives
Re: [SLUG] Chinese intruder yesterday
- To: Jim Donovan <jimd@xxxxxxxxxxxxx>
- Subject: Re: [SLUG] Chinese intruder yesterday
- From: Jake Anderson <yahoo@xxxxxxxxxxxxxxx>
- Date: Fri, 14 Aug 2009 11:32:55 +1000
- Cc: slug@xxxxxxxxxxx
- User-agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:18.104.22.168) Gecko/20090715 Thunderbird/3.0b3
On 14/08/09 06:02, Jim Donovan wrote:
I had port 22 open for a few hours yesterday but closed it when I noticed the following. He was evidently working from a list; most intruders seem content to try a few password guesses for root/guest/mysql etc. Many of his usernames seem pretty unlikely. Perhaps I should set up a honeypot account with audible alarm so I could see what he was up to. Here are the first couple of lines he logged, followed by `uniq -c` of the rest.

Quite some time ago I needed to FTP some stuff from outside to my
network, I was in a rush so I just turned on a FTP server (it was in
IIS, like I said, quite some time ago) with anon write access available
then promptly forgot to turn it off again 20 minutes later when I was
done with it. Anyway 2 weeks later I notice the internet is slow and
there's lots of bandwidth in use.
Eventually I track down that the FTP server is at fault. Turns out somebody
had "brute forced" my "anonymous" FTP server with 100,000 login attempts
before they tried anonymous.
One of them had uploaded Shaun of the Dead for his buddies to download
(why I don't know, it was an Optus cable connection, and at the time
upload speeds were something like 18kbps).
I thought, oh well, at least I got something out of it; I wanted to see
that and hadn't gotten around to it.
The bastards had uploaded it dubbed in FRENCH!
Googling my IP address at the time turned up chat logs of them talking
about where my server was and how to get to it.
This is why I hate the French.
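Jim's `uniq -c` over the attempted usernames is the quick summary that makes a list-driven attacker stand out from the usual root/guest/mysql guessers. The script below is an added example, not code from either post: it does that summary over sshd log lines in OpenSSH's Debian/Ubuntu syslog format, counting failed attempts per username and per source address. Everything in SAMPLE_LOG is constructed (made-up host name, usernames, process IDs and documentation-range IPs), and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original thread. SAMPLE_LOG holds CONSTRUCTED
# auth.log lines in OpenSSH's Debian/Ubuntu syslog format; the host name,
# usernames, PIDs and IPs (RFC 5737 documentation ranges) are made up.
SAMPLE_LOG='Aug 13 14:02:11 host sshd[2210]: Invalid user oracle from 203.0.113.7
Aug 13 14:02:11 host sshd[2210]: Failed password for invalid user oracle from 203.0.113.7 port 51234 ssh2
Aug 13 14:02:14 host sshd[2213]: Failed password for root from 203.0.113.7 port 51240 ssh2
Aug 13 14:02:17 host sshd[2215]: Invalid user admin from 203.0.113.7
Aug 13 14:02:17 host sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51251 ssh2
Aug 13 14:02:20 host sshd[2218]: Invalid user admin from 203.0.113.7
Aug 13 14:02:20 host sshd[2218]: Failed password for invalid user admin from 203.0.113.7 port 51260 ssh2
Aug 13 14:02:22 host sshd[2219]: Invalid user admin from 203.0.113.7
Aug 13 14:02:22 host sshd[2219]: Failed password for invalid user admin from 203.0.113.7 port 51266 ssh2
Aug 13 14:02:23 host sshd[2221]: Failed password for root from 198.51.100.9 port 40011 ssh2
Aug 13 14:02:25 host sshd[2223]: Accepted publickey for jim from 192.0.2.5 port 33000 ssh2'

# Username of each failed attempt, one per line. Only "Failed password"
# lines are used: counting the "Invalid user" pre-lines as well would
# double count unknown accounts, and "Accepted" lines are not attempts.
failed_usernames() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "for") {
                # "for invalid user NAME from ..." vs "for NAME from ..."
                u = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                print u
                break
            }
        }'
}

# Source address of each failed attempt, one per line.
failed_sources() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i+1); break }
        }'
}

# "count name" per username, most-tried first: the uniq -c summary Jim posted.
count_usernames() { failed_usernames "$1" | sort | uniq -c | sort -rn; }

# "count ip" per source address, so one host walking a list stands out.
count_sources() { failed_sources "$1" | sort | uniq -c | sort -rn; }

# Most-tried username as a bare token, usable in a honeypot-style alert rule.
top_username() { count_usernames "$1" | head -n 1 | awk '{ print $2 }'; }

echo "== failed attempts by username =="
count_usernames "$SAMPLE_LOG"
echo "== failed attempts by source address =="
count_sources "$SAMPLE_LOG"
```

On a live box, replace `printf '%s\n' "$SAMPLE_LOG"` with `cat /var/log/auth.log` (or `journalctl -u ssh --no-pager`) in the two helpers; the per-username view shows the "unlikely" names Jim noticed, and the per-source view shows whether they all came from one host, which is what a fail2ban-style block or a honeypot-account alert would key on.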