Under Attack! Uber 1337, (bored?), skiddie..
Excuse me while I pick myself up off the floor and stop laughing........
I was just about to go to lunch when I glimpsed at my real time IDS display to find some 600 events in the past few minutes, (I normally show < 100/hour). Looking a bit harder I see they are all attempts to connect to my FTP server.... I connect to the server and look at the connections... They are just flashing by..... I took a quick look at the logs and started to giggle..... Some skiddie was attempting to brute force a username/password combo..... One quick look at the usernames he was trying and I burst out laughing and went to lunch.... Which was a bad idea..... I should have put a packet dump on it too so I could see the passwords he was trying. I came back from lunch to find the silly bastige still trying......
He finally gave up but I thought some people might be interested in the "results".....
The "attack" lasted 2:12:04, (4324 seconds), during which time my friend had 10746 "cracks" at the server, (2.4 per second).
Now he wasn't entirely without resources. The attacks came simultaneously from nine IPs. I won't divulge the IPs themselves because these are clearly hacked boxes but the domains were as follows:-
w81-51.abo.wanadoo.fr
dclient.hispeed.ch
speed.planet.nl
w80-13.abo.wanadoo.fr
bb.netvision.net.il
dip.t-dialin.net
cust.bluewin.ch
wp.shawcable.net
w80-13.abo.wanadoo.fr
S/He attempted brute forcing the following list of usernames:-
ftp
anonymous
anonymous@ftp.microsoft.com:21
root
admin
demo
anonymous@ftp.microsoft.com 21
test
guest
webmaster
web
www
server
data
account
backup
access
sysadm
sysadmin
manager
Administrator
Administrador
Amministratore
Administrateur
Administratör
Beheerder
The log file itself is a little large, like 2 meg, but going through it this was a tool that he manually sets off. The different IPs would rotate these names and three or four IPs would be firing at once. When they reached the end of their run they would reappear a short time later trying a different name. It seems like he points the tool at an IP, gives it a short dictionary of popular passwords, (that's why I wished I wasn't laughing so hard and had thought to put Ethereal on it..... :o ), and then gives it a username to run the passwords against. As each run finished he would check the results, recycle the attack with a different username and unleash it again.
I don't think he did a lot of recon, (but I will be digging through the logs a bit more if he comes back), because he would clearly have seen I was in the USA so trying the logins at the bottom of the list indicates he either didn't know where I was or that he was getting a little frustrated.....
What makes me laugh though is his "stealthy" approach..... He might as well have called me to tell me what he was doing.... And how bored was he to sit there for over two hours trying to break my ftp server???? :rolleyes:
Interestingly enough, it started just after European schoolkids would have got home from school......
Does anyone think I should worry? :D
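The pattern described in the post (several source IPs rotating through the same short list of usernames at a couple of guesses per second) is easy to pull out of an FTP login log if the failures are counted across all clients rather than per IP. The following is an added example, not code from the original poster or from any IDS or FTP server: it assumes a generic one-line-per-login audit format ("date time client-ip username FAIL|OK"), builds a constructed sample log from TEST-NET addresses and a username list modelled on the post, and then reports the peak number of failures in any sliding window, the per-username IP rotation, and the guess rate during the burst.

```python
"""Detect a distributed FTP password-guessing run from login-audit lines.

Added example, not code from the original post. The log format is an
assumed generic one: "<date> <time> <client-ip> <username> <FAIL|OK>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: attacker IPs from the TEST-NET ranges and a short
# username list modelled on the kind of list seen in the post.
ATTACKER_IPS = ["192.0.2.10", "192.0.2.11", "203.0.113.7"]
GUESSED_USERS = ["ftp", "anonymous", "root", "admin", "test", "guest"]

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (FAIL|OK)$"
)


def build_sample_log():
    """Return constructed log text: three IPs rotate through each username,
    three guesses apiece, one per second; later a normal user logs in."""
    lines = []
    t = datetime(2004, 5, 12, 12, 0, 0)
    for user in GUESSED_USERS:
        for ip in ATTACKER_IPS:
            for _ in range(3):
                t += timedelta(seconds=1)
                lines.append(f"{t:%Y-%m-%d %H:%M:%S} {ip} {user} FAIL")
    # A legitimate user mistypes once, then succeeds, ten minutes later.
    t += timedelta(minutes=10)
    lines.append(f"{t:%Y-%m-%d %H:%M:%S} 198.51.100.5 alice FAIL")
    t += timedelta(seconds=15)
    lines.append(f"{t:%Y-%m-%d %H:%M:%S} 198.51.100.5 alice OK")
    return "\n".join(lines)


def parse_log(text):
    """Parse log text into (timestamp, ip, user, result) tuples, skipping
    any line that does not match the expected format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                           m.group(2), m.group(3), m.group(4)))
    return events


def detect_bruteforce(events, window=timedelta(minutes=5), threshold=20):
    """Summarise failed logins and raise an alert when the peak failure count
    in any sliding window reaches the threshold. Failures are counted across
    all source IPs, so spreading the guesses over several hosts does not
    keep each host under a per-IP limit."""
    fails = sorted(e for e in events if e[3] == "FAIL")

    # Which source IPs guessed each username: more than one IP per name is
    # the rotation pattern the post describes.
    ips_by_user = defaultdict(set)
    for _, ip, user, _ in fails:
        ips_by_user[user].add(ip)

    # Two-pointer sliding window over the time-sorted failures.
    peak, j, burst = 0, 0, (0, 0)
    for i in range(len(fails)):
        while j < len(fails) and fails[j][0] - fails[i][0] <= window:
            j += 1
        if j - i > peak:
            peak, burst = j - i, (i, j - 1)

    if peak:
        burst_span = (fails[burst[1]][0] - fails[burst[0]][0]).total_seconds()
        burst_rate = round(peak / max(burst_span, 1.0), 2)
    else:
        burst_rate = 0.0

    return {
        "failures": len(fails),
        "distinct_ips": len({ip for _, ip, _, _ in fails}),
        "usernames": sorted(ips_by_user),
        "rotating_users": sorted(u for u, ips in ips_by_user.items() if len(ips) > 1),
        "peak_window_failures": peak,
        "burst_rate_per_second": burst_rate,
        "alert": peak >= threshold,
    }


if __name__ == "__main__":
    report = detect_bruteforce(parse_log(build_sample_log()))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The threshold and window are deliberately parameters: a single user fat-fingering a password (the "alice" lines in the sample) never reaches twenty failures in five minutes, while a run like the one in the post would trip the alert within its first minute regardless of how many source addresses it is spread across.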