I recently had an FTP attack where 3 files were copied into public HTML directory of my domain. (It looks like the FTP password was compromised, but I'm still investigating this.) The strange thing is that the FTP log documented 5 separate IP addresses that were involved in the same attack. I checked the IPs shown in the log extract below. According to http://www.all-nettools.com/toolbox/smart-whois.php the IPs originate in Austria, Poland, Brazil, Israel and Sweden.
The 3 offending files are "mickey66.html", "mickey66.jpg", and "canopy37.html", – theyand you can see them in the log extra…
2010-06-17T21:24:02.073070+01:00 webserver pure-ftpd: (?@190.20.76.74) [INFO] kingdom is now logged in
2010-06-17T21:24:06.632472+01:00 webserver pure-ftpd: (?@77.250.141.158) [INFO] kingdom is now logged in
2010-06-17T21:24:07.216924+01:00 webserver pure-ftpd: (kingdom@77.250.141.158) [NOTICE] /home/kingdom//public_html/mickey66.html uploaded (80 bytes, 0.26KB/sec)
2010-06-17T21:24:07.364313+01:00 webserver pure-ftpd: (kingdom@77.250.141.158) [INFO] Logout.
2010-06-17T21:24:08.711231+01:00 webserver pure-ftpd: (?@78.88.175.77) [INFO] kingdom is now logged in
2010-06-17T21:24:10.720315+01:00 webserver pure-ftpd: (kingdom@78.88.175.77) [NOTICE] /home/kingdom//public_html/mickey66.jpg uploaded (40835 bytes, 35.90KB/sec)
2010-06-17T21:24:10.848782+01:00 webserver pure-ftpd: (kingdom@78.88.175.77) [INFO] Logout.
2010-06-17T21:24:18.528074+01:00 webserver pure-ftpd: (kingdom@190.20.76.74) [INFO] Logout.
2010-06-17T21:24:22.023673+01:00 webserver pure-ftpd: (?@85.130.254.227) [INFO] kingdom is now logged in
2010-06-17T21:24:23.470817+01:00 webserver pure-ftpd: (kingdom@85.130.254.227) [NOTICE] /home/kingdom//public_html/mickey66.html uploaded (80 bytes, 0.38KB/sec)
2010-06-17T21:24:23.655023+01:00 webserver pure-ftpd: (kingdom@85.130.254.227) [INFO] Logout.
2010-06-17T21:24:26.249887+01:00 webserver pure-ftpd: (?@95.209.254.137) [INFO] kingdom is now logged in
2010-06-17T21:24:28.461310+01:00 webserver pure-ftpd: (kingdom@95.209.254.137) [NOTICE] /home/kingdom//public_html/canopy37.html uploaded (80 bytes, 0.26KB/sec)
2010-06-17T21:24:28.760513+01:00 webserver pure-ftpd: (kingdom@95.209.254.137) [INFO] Logout.
I don't know what user is represented by the query sign (?), is this 'root'. Anyway can anyone shed any light on all this?
Best Answer
A very small bot-net? ;-)
Likely to be coming from other compromised machines, rather than from the kiddies own IP.
Have a look at fail2ban and denyhosts.
Mind you, FTP is a terrible service to be running unless you really really need to. Subversion or similar is a better way of maintaining a website, at least use secure copy over SSH if you need to do unversioned uploads.