From: AJ McKee (aj at domain nevermindthebollox.com)
Date: Fri 19 Apr 2002 - 12:59:41 IST
Have not heard of anything like this yet Niall but will search after lunch.
That being said, yes my logs are full of same type connections however it
does not restart itself. Seems fine.
Most probably a port scanner searching for exploits.
Aj
-----Original Message-----
From: ilug-admin at domain linux.ie [mailto:ilug-admin at domain linux.ie]On Behalf Of Niall
O Broin
Sent: 19 April 2002 11:24
To: ilug at domain linux.ie
Subject: [ILUG] PureFTPd DOS attack ?
Did anyone hear of anything like this recently ? I have a couple of boxes
running PureFTPD and this morning one of them went off the air - could be
pinged but nothing else. Luckily this box is one that I can get somebody to
reset easily so I did so and had a look in messages and saw this
Apr 19 08:19:47 pumori -- MARK --
Apr 19 08:39:47 pumori -- MARK --
Apr 19 08:41:38 pumori pure-ftpd: (? at domain ip-165-238.evhr.net) \
[INFO] New connection from ip-165-238.evhr.net
Apr 19 08:41:38 pumori pure-ftpd: (? at domain ip-165-238.evhr.net) \
[WARNING] Authentication failed for user [anonymous at domain ftp.microsoft.com]
Apr 19 08:41:41 pumori pure-ftpd: (? at domain ip-165-238.evhr.net) \
[INFO] Logout - CPU time spent: 0.010 seconds.
Apr 19 10:27:19 pumori syslogd 1.4.1: restart.
Looks like pure-ftpd just rejected a connection from what was obvioulsy
somebody who had no business being there, and then nothing more in messages
until we pressed the reset button. Could of course be a coincidence but . .
.
Niall
-- Irish Linux Users' Group: ilug at domain linux.ie http://www.linux.ie/mailman/listinfo/ilug for (un)subscription information. List maintainer: listmaster at domain linux.ie
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:16:14 GMT