To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Good morning,

I have put together the logs from my mailer and FTP server
with those from my router and VoIP:

Oct  5 12:09:34 voipd[406]: query_local_ipaddress: 62.227.220.143

netdate("Oct-5","23:38:06","time3 +0.234             Fri Oct  5 23:38:03.000").
xinetd_open("Oct-6","00:31:58","ftp","203.112.196.130").
ftp_connect("Oct-6","00:32:02","203.112.196.130").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user 
[Administrator]","Oct-6","00:32:03").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication 
failures","Oct-6","00:33:00").
xinetd_close("Oct-6","00:33:00","ftp").
xinetd_open("Oct-6","00:33:00","ftp","203.112.196.130").
ftp_connect("Oct-6","00:33:01","203.112.196.130").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user 
[Administrator]","Oct-6","00:33:02").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user 
[Administrator]","Oct-6","00:33:06").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user 
[Administrator]","Oct-6","00:33:13").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication 
failures","Oct-6","00:33:53").
xinetd_close("Oct-6","00:33:53","ftp").
xinetd_open("Oct-6","00:33:54","ftp","203.112.196.130").
...
xinetd_close("Oct-6","03:06:22","ftp").
xinetd_open("Oct-6","03:06:23","ftp","203.112.196.130").
ftp_connect("Oct-6","03:06:33","203.112.196.130").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user 
[Administrator]","Oct-6","03:06:34").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user 
[Administrator]","Oct-6","03:07:20").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication 
failures","Oct-6","03:07:36").
xinetd_close("Oct-6","03:07:36","ftp").


Oct  6 03:08:22 dsld[381]: EVENT(80): The internet connection will be briefly 
interrupted to pre-empt the forced disconnection by the provider.
Oct  6 03:08:23 dsld[381]: Channel 0 closed (physical)
Oct  6 03:08:23 dsld[381]: internet: disconnected
Oct  6 03:08:23 dsld[381]: EVENT(23): Internet connection was disconnected.
Oct  6 03:08:24 multid[360]: ONLINE: now offline
Oct  6 03:08:24 voipd[406]: connstatus 5 -> 3
Oct  6 03:08:24 dsld[381]: internet: connecting
Oct  6 03:08:24 dsld[381]: internet: 00:04:0e:6d:8a:43
Oct  6 03:08:24 dsld[381]: internet: 00:04:0e:6d:8a:43
Oct  6 03:08:24 dsld[381]: PPP led: off (value=0)
Oct  6 03:08:24 dsld[381]: Channel 0 up (physical outgoing)
Oct  6 03:08:25 voipd[406]: connstatus 3 -> 4
Oct  6 03:08:25 dsld[381]: internet: set_snd_ipaddr: 62.227.245.7
Oct  6 03:08:25 dsld[381]: internet: connected
Oct  6 03:08:25 dsld[381]: PPP led: on (value=1)
Oct  6 03:08:25 dsld[381]: EVENT(22): Internet connection established 
successfully. IP address: 62.227.245.7, DNS servers: 217.237.150.51 and 
217.237.148.22, gateway: 217.0.116.228
Oct  6 03:08:26 multid[360]: DDNS: echnaton.serveftp.com: checking ip address
Oct  6 03:08:26 multid[360]: dns: echnaton.serveftp.com: query
Oct  6 03:08:26 multid[360]: ONLINE: now online 62.227.245.7
Oct  6 03:08:26 voipd[406]: connstatus 4 -> 5


netdate("Oct-6","03:38:05","time3 +0.290             Sat Oct  6 03:38:02.000").
netdate("Oct-6","04:38:04","time3 -0.754             Sat Oct  6 04:38:01.000").
xinetd_open("Oct-6","04:47:21","ftp","203.112.196.130").
ftp_connect("Oct-6","04:47:22","203.112.196.130").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user 
[Administrator]","Oct-6","04:47:22").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user 
[Administrator]","Oct-6","04:48:10").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication 
failures","Oct-6","04:48:28").
xinetd_close("Oct-6","04:48:28","ftp").
xinetd_open("Oct-6","04:48:31","ftp","203.112.196.130").
...
xinetd_close("Oct-6","04:56:37","ftp").
xinetd_open("Oct-6","04:56:41","ftp","203.112.196.130").
ftp_connect("Oct-6","04:56:45","203.112.196.130").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user 
[Administrator]","Oct-6","04:56:46").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication 
failures","Oct-6","04:57:40").
xinetd_close("Oct-6","04:57:40","ftp").
netdate("Oct-6","05:38:05","time3 +0.251             Sat Oct  6 05:38:02.000").


Interestingly enough, the attack survived a DSL disconnect
and reconnect with a changed IPv4 address.

The gap of 90 minutes suggests they did not follow me via DNS or SIP.

They only tried user [Administrator].

nmap says they have no ports open. I did not try the complicated things :)


Nothing suspicious in the exim (mailer) log.
No other addresses seen.

Kind regards
Peter and Karin

-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/

_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
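Detection logic for the pattern reported in this mail, as an added example that is not part of the original post and not the poster's own tooling: a Python script that parses the two log shapes quoted above (the Prolog-style xinetd_*/ftp_* facts, with the wrapped ftp_complained() lines rejoined onto one line, and the syslog-style dsld lines from the router), attributes each authentication failure to the peer of the currently open xinetd session (the fact itself carries no address), counts failed logins and lockouts per source and user, and checks whether a source kept attacking after the router's public address changed. The year 2007 (Oct 5 2007 was a Friday, matching the netdate lines), the trimmed sample log and all function names are assumptions made for this example; the elided "..." sessions are not in the sample, so its counts apply to this excerpt only.

```python
# Hypothetical helper written for this page, not the poster's own code.
# It correlates FTP brute-force sessions with the router's PPP reconnects.
# The year is assumed (2007; Oct 5 2007 was a Friday, matching the netdate
# lines) only so that timestamps compare correctly across midnight.
import re
from datetime import datetime

ASSUMED_YEAR = 2007

FACT_RE = re.compile(r'^(\w+)\((.*)\)\.\s*$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
SYSLOG_RE = re.compile(r'^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\w+)\[\d+\]: (.*)$')
FAILED_USER_RE = re.compile(r'Authentication failed for user \[([^\]]+)\]')
NEW_IP_RE = re.compile(r'set_snd_ipaddr: (\d+\.\d+\.\d+\.\d+)')
LOCKOUT_MARK = 'Too many authentication failures'

# Constructed sample: lines from the mail with the wrapped facts rejoined;
# the elided ("...") sessions are left out, so counts are for this excerpt.
SAMPLE_LOG = """\
xinetd_open("Oct-6","00:31:58","ftp","203.112.196.130").
ftp_connect("Oct-6","00:32:02","203.112.196.130").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","00:32:03").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","00:33:00").
xinetd_close("Oct-6","00:33:00","ftp").
xinetd_open("Oct-6","03:06:23","ftp","203.112.196.130").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","03:06:34").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","03:07:20").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","03:07:36").
xinetd_close("Oct-6","03:07:36","ftp").
Oct  6 03:08:23 dsld[381]: internet: disconnected
Oct  6 03:08:25 dsld[381]: internet: set_snd_ipaddr: 62.227.245.7
xinetd_open("Oct-6","04:47:21","ftp","203.112.196.130").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:47:22").
ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]","Oct-6","04:48:10").
ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication failures","Oct-6","04:48:28").
xinetd_close("Oct-6","04:48:28","ftp").
"""


def _ts(mon, day, hms):
    return datetime.strptime(f"{ASSUMED_YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")


def parse_line(line):
    """Event dict for xinetd_open/xinetd_close/ftp_complained facts and dsld
    address changes; None for every other line (ftp_connect, voipd, ...)."""
    m = FACT_RE.match(line.strip())
    if m:
        name, args = m.group(1), ARG_RE.findall(m.group(2))
        if name in ('xinetd_open', 'xinetd_close'):   # (date, time, service[, peer])
            mon, day = args[0].split('-')
            peer = args[3] if name == 'xinetd_open' else None
            return {'kind': name, 'time': _ts(mon, day, args[1]), 'peer': peer}
        if name == 'ftp_complained':                  # (message, date, time)
            mon, day = args[1].split('-')
            return {'kind': name, 'time': _ts(mon, day, args[2]), 'msg': args[0]}
        return None
    m = SYSLOG_RE.match(line)
    if m and m.group(4) == 'dsld':
        ip = NEW_IP_RE.search(m.group(5))
        if ip:
            return {'kind': 'ip_change', 'new_ip': ip.group(1),
                    'time': _ts(m.group(1), m.group(2), m.group(3))}
    return None


def analyze(log_text):
    """Per-source counters plus, for each public-address change, whether the
    same source attacked both before and after it (and how long it paused)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e['time'])      # stable sort: ties keep file order
    sources, sessions, ip_changes, current = {}, [], [], None
    for e in events:
        if e['kind'] == 'xinetd_open':
            current = {'peer': e['peer'], 'open': e['time'], 'close': None}
            sessions.append(current)
            src = sources.setdefault(e['peer'], {'sessions': 0, 'failed_auth': 0,
                                                 'lockouts': 0, 'users': set()})
            src['sessions'] += 1
        elif e['kind'] == 'ftp_complained' and current is not None:
            src = sources[current['peer']]      # failure belongs to the open session's peer
            user = FAILED_USER_RE.search(e['msg'])
            if user:
                src['failed_auth'] += 1
                src['users'].add(user.group(1))
            elif LOCKOUT_MARK in e['msg']:
                src['lockouts'] += 1
        elif e['kind'] == 'xinetd_close' and current is not None:
            current['close'] = e['time']
            current = None
        elif e['kind'] == 'ip_change':
            ip_changes.append(e)
    survived = []
    for ch in ip_changes:
        for peer in sources:
            before = [s for s in sessions if s['peer'] == peer and s['open'] < ch['time']]
            after = [s for s in sessions if s['peer'] == peer and s['open'] > ch['time']]
            if before and after:                # attacker found us again on the new address
                last_close = before[-1]['close'] or before[-1]['open']
                survived.append({'peer': peer, 'new_ip': ch['new_ip'], 'changed_at': ch['time'],
                                 'quiet_seconds': int((after[0]['open'] - last_close).total_seconds())})
    return {'sources': sources, 'ip_changes': ip_changes, 'survived_ip_change': survived}


if __name__ == '__main__':
    result = analyze(SAMPLE_LOG)
    for peer, s in result['sources'].items():
        print(f"{peer}: {s['sessions']} sessions, {s['failed_auth']} failed logins, "
              f"{s['lockouts']} lockouts, users tried: {sorted(s['users'])}")
    for hit in result['survived_ip_change']:
        print(f"{hit['peer']} kept attacking after our address became {hit['new_ip']} "
              f"at {hit['changed_at']:%H:%M:%S}, after a pause of {hit['quiet_seconds'] // 60} min")
```

On the sample the single source shows three sessions, five failed logins for one user, three lockouts, and a resumed attack 5985 seconds (about 100 minutes) after the last session before the address change; run against the full log the pause would be the one the poster estimates at 90 minutes. A source that reappears after an address change with no pause at all would be the stronger signal that it is following you via DNS or SIP rather than sweeping the provider's address pool.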
