To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

Good morning,
I have put the logs from my mailer and ftp-server together with my router and VoIP:

Oct 5 12:09:34 voipd[406]: query_local_ipaddress: 62.227.220.143
netdate("Oct-5","23:38:06","time3 +0.234 Fri Oct 5 23:38:03.000").
xinetd_open("Oct-6","00:31:58","ftp","203.112.196.130").
ftp_connect("Oct-6","00:32:02","203.112.196.130").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:32:03").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","00:33:00").
xinetd_close("Oct-6","00:33:00","ftp").
xinetd_open("Oct-6","00:33:00","ftp","203.112.196.130").
ftp_connect("Oct-6","00:33:01","203.112.196.130").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:02").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:06").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:33:13").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","00:33:53").
xinetd_close("Oct-6","00:33:53","ftp").
xinetd_open("Oct-6","00:33:54","ftp","203.112.196.130").
...
xinetd_close("Oct-6","03:06:22","ftp").
xinetd_open("Oct-6","03:06:23","ftp","203.112.196.130").
ftp_connect("Oct-6","03:06:33","203.112.196.130").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","03:06:34").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","03:07:20").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","03:07:36").
xinetd_close("Oct-6","03:07:36","ftp").
Oct 6 03:08:22 dsld[381]: EVENT(80): Die Internetverbindung wird kurz unterbrochen, um der Zwangstrennung durch den Anbieter zuvorzukommen.
Oct 6 03:08:23 dsld[381]: Channel 0 closed (physical)
Oct 6 03:08:23 dsld[381]: internet: disconnected
Oct 6 03:08:23 dsld[381]: EVENT(23): Internetverbindung wurde getrennt.
Oct 6 03:08:24 multid[360]: ONLINE: now offline
Oct 6 03:08:24 voipd[406]: connstatus 5 -> 3
Oct 6 03:08:24 dsld[381]: internet: connecting
Oct 6 03:08:24 dsld[381]: internet: 00:04:0e:6d:8a:43
Oct 6 03:08:24 dsld[381]: internet: 00:04:0e:6d:8a:43
Oct 6 03:08:24 dsld[381]: PPP led: off (value=0)
Oct 6 03:08:24 dsld[381]: Channel 0 up (physical outgoing)
Oct 6 03:08:25 voipd[406]: connstatus 3 -> 4
Oct 6 03:08:25 dsld[381]: internet: set_snd_ipaddr: 62.227.245.7
Oct 6 03:08:25 dsld[381]: internet: connected
Oct 6 03:08:25 dsld[381]: PPP led: on (value=1)
Oct 6 03:08:25 dsld[381]: EVENT(22): Internetverbindung wurde erfolgreich hergestellt. IP-Adresse: 62.227.245.7, DNS-Server: 217.237.150.51 und 217.237.148.22, Gateway: 217.0.116.228
Oct 6 03:08:26 multid[360]: DDNS: echnaton.serveftp.com: checking ip address
Oct 6 03:08:26 multid[360]: dns: echnaton.serveftp.com: query
Oct 6 03:08:26 multid[360]: ONLINE: now online 62.227.245.7
Oct 6 03:08:26 voipd[406]: connstatus 4 -> 5
netdate("Oct-6","03:38:05","time3 +0.290 Sat Oct 6 03:38:02.000").
netdate("Oct-6","04:38:04","time3 -0.754 Sat Oct 6 04:38:01.000").
xinetd_open("Oct-6","04:47:21","ftp","203.112.196.130").
ftp_connect("Oct-6","04:47:22","203.112.196.130").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:47:22").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:48:10").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","04:48:28").
xinetd_close("Oct-6","04:48:28","ftp").
xinetd_open("Oct-6","04:48:31","ftp","203.112.196.130").
...
xinetd_close("Oct-6","04:56:37","ftp").
xinetd_open("Oct-6","04:56:41","ftp","203.112.196.130").
ftp_connect("Oct-6","04:56:45","203.112.196.130").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:56:46").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","04:57:40").
xinetd_close("Oct-6","04:57:40","ftp").
netdate("Oct-6","05:38:05","time3 +0.251 Sat Oct 6 05:38:02.000").

Interestingly enough the attack survived a DSL disconnect and reconnect with changed IPv4 address. The hole of 90 minutes suggests they did not follow me via DNS or SIP. They only tried user [Administrator]. nmap says they have no ports open. I did not try the complicated things :) Nothing suspicious in the exim (mailer) log. No other addresses seen.

Kind regards
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
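As an added example, not part of Peter and Karin's post: a small parser for the xinetd_open/ftp_complained log format shown above that attributes each failed login to the source address of the currently open ftp session (the ftp_complained entries carry no address), counts failures per user and lockouts per source, and reports the longest gap between that source's sessions, the kind of idle window the post points out. The sample lines are constructed; the address 198.51.100.7 and the year 2007 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the post's log (not the original lines); 198.51.100.7 is a stand-in.
SAMPLE_LOG = """\
xinetd_open("Oct-6","00:31:58","ftp","198.51.100.7").
ftp_complained("(ftp@host) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:32:03").
ftp_complained("(ftp@host) [ERROR] Too many authentication failures","Oct-6","00:33:00").
xinetd_close("Oct-6","00:33:00","ftp").
xinetd_open("Oct-6","03:06:23","ftp","198.51.100.7").
ftp_complained("(ftp@host) [WARNING] Authentication failed for user [Administrator]","Oct-6","03:06:34").
ftp_complained("(ftp@host) [WARNING] Authentication failed for user [root]","Oct-6","03:07:20").
xinetd_close("Oct-6","03:07:36","ftp").
xinetd_open("Oct-6","04:47:21","ftp","198.51.100.7").
ftp_complained("(ftp@host) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:47:22").
"""

ENTRY = re.compile(r'^(\w+)\((.*)\)\.$')                       # name("arg","arg",...).
USER = re.compile(r'Authentication failed for user \[([^\]]+)\]')
YEAR = 2007  # assumed: the log has no year; only needed to compute time deltas

def parse(line):
    """Split one entry into its name and the list of its quoted arguments."""
    m = ENTRY.match(line.strip())
    return (m.group(1), re.findall(r'"([^"]*)"', m.group(2))) if m else (None, [])

def summarize(text):
    """Per source IP: failed logins per user, lockouts, session count, longest gap between sessions."""
    stats = defaultdict(lambda: {"failures": defaultdict(int), "lockouts": 0, "opens": []})
    ip = None  # ftp_complained carries no address, so attribute it to the open ftp session
    for name, args in map(parse, text.splitlines()):
        if name == "xinetd_open" and args[2] == "ftp":
            ip = args[3]
            stats[ip]["opens"].append(datetime.strptime(f"{args[0]} {args[1]} {YEAR}", "%b-%d %H:%M:%S %Y"))
        elif name == "ftp_complained" and ip:
            user = USER.search(args[0])
            if user:
                stats[ip]["failures"][user.group(1)] += 1
            elif "Too many authentication failures" in args[0]:
                stats[ip]["lockouts"] += 1
    for s in stats.values():
        gaps = [(b - a).total_seconds() for a, b in zip(s["opens"], s["opens"][1:])]
        s["sessions"], s["longest_gap_s"] = len(s["opens"]), int(max(gaps, default=0))
    return stats

def brute_force_sources(stats, min_failures=3):
    """Source IPs whose failed logins, summed over all their sessions, reach the threshold."""
    return [ip for ip, s in stats.items() if sum(s["failures"].values()) >= min_failures]
```

Because failures are summed across sessions rather than per session, a source that keeps reconnecting after each "Too many authentication failures" lockout still crosses the threshold.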