-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I also seen since July 22nd, bruteforce login attempts on ftpd (proftpd) from same ip ranges. And like you some attempts in sshd. The difference between them is that for sshd used users are same as yours, but for ftpd they used a usernames dictionary (with hundreds of users, what patience ;) ). Anyone noticed some similar?
Jul 22 21:23:06 www0 proftpd[4447]: myhost (61.109.251.191[61.109.251.191]) - USER invaliduserinvalid: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21 Jul 22 21:23:08 www0 proftpd[4448]: myhost (61.109.251.191[61.109.251.191]) - USER board: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21 Jul 22 21:23:10 www0 proftpd[4449]: myhost (61.109.251.191[61.109.251.191]) - USER btraining: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21 Jul 22 21:23:12 www0 proftpd[4451]: myhost (61.109.251.191[61.109.251.191]) - USER distros: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21 Jul 22 21:23:14 www0 proftpd[4452]: myhost (61.109.251.191[61.109.251.191]) - USER forge4os: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21 Jul 22 21:23:16 www0 proftpd[4453]: myhost (61.109.251.191[61.109.251.191]) - USER licentia: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21 Jul 22 21:23:18 www0 proftpd[4454]: myhost (61.109.251.191[61.109.251.191]) - USER linuxnews: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21 Jul 22 21:23:20 www0 proftpd[4455]: myhost (61.109.251.191[61.109.251.191]) - USER localgforge: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21 Jul 22 21:23:22 www0 proftpd[4456]: myhost (61.109.251.191[61.109.251.191]) - USER metalist: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21 Jul 22 21:23:25 www0 proftpd[4457]: myhost (61.109.251.191[61.109.251.191]) - USER myos: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21 Jul 22 21:23:27 www0 proftpd[4458]: myhost (61.109.251.191[61.109.251.191]) - USER newsadmin: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21 Jul 22 21:23:29 www0 proftpd[4459]: myhost (61.109.251.191[61.109.251.191]) - USER osgitestbed: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21 Jul 22 21:23:31 www0 proftpd[4463]: myhost (61.109.251.191[61.109.251.191]) - USER ossnews: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21 Jul 22 21:23:34 www0 proftpd[4464]: myhost (61.109.251.191[61.109.251.191]) - USER osync: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21 Jul 22 21:23:36 www0 proftpd[4465]: myhost (61.109.251.191[61.109.251.191]) - USER peerrating: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21 Jul 22 21:23:38 www0 proftpd[4466]: myhost (61.109.251.191[61.109.251.191]) - USER resolvit: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21 Jul 22 21:23:40 www0 proftpd[4467]: myhost (61.109.251.191[61.109.251.191]) - USER siteadmin: no such user found from 61.109.251.191 [61.109.251.191] to 82.130.240.230:21 - -- un saludo, Alain Crespo <[EMAIL PROTECTED]> _,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_ Why use Windows, since there is a door? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBCDqYP3/+R0rF2wkRAtW3AJ963dd6X7Nf17ZjRV/IDcb3DX4GfQCgjkD4 dbK+EryHfYKhIQDcaYMMiec= =zLQW -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
