
Re: [Full-Disclosure] ftp worm ?



I would be willing to bet that this is a modified "pub scanner". Similar to the apache exploit posted, it appears as if it attempts to connect to machines using known user accounts and passwords. It probably isn't a worm, but rather someone behind a keyboard attempting to find a place to store warez.
-Bob


Mike Tancsa wrote:


I have been noticing a flood of ftp attempts to various servers on our network recently. It's typically from some dialup / dynamic IP and it tries to ftp in to one of my machines as fast as it can with as many connections as possible using a fixed range of usernames.


e.g. in a 2hr period,

grep "FTP LOGIN FAILED" /var/log/authentic | awk '{print $11}' | sort | uniq -c | sort -nr
293 manager
290 public
289 private
286 default
262 security
237 1234qwer
218 123qwe
214 user
213 super
209 123456
197 000000
192 Internet
156 abcd
143 abc123
115 abc
106 1234567
104 123abc
102 88888888
95 password
93 asdfgh
88 computer
84 5201314
83 00000000
79 !@#$%^&*()
77 654321
76 888888
73 123asd
71 11111
71 !@#$%^&*
68 passwd
64 !@#$%^&*(
61 111111
58 asdf
57 sql
57 database
51 111
49 !@#$%
45 pass
45 !@#$
43 54321
42 server
42 !@#$%^
35 sybase
34 oracle
34 12345678
34 1
31 secret
27 test
27 11111111
18 admin
15 anyone
10 !@#$%^&



This looks a lot like http://www.f-secure.com/v-descs/muma.shtml but I have not been able to find a description/variant that uses ftp. Is this a new version of muma? Or just some worm / virus that uses the same list of users?
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
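
Added example (not part of the original thread): the per-username tally in the command quoted above, extended to group failures by source and count distinct usernames per source, which separates a dictionary run from one user mistyping a password. The log lines are constructed, and their layout (field 10 the source followed by a comma, field 11 the username) is an assumption chosen to match the `$11` in that command; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample log. Layout is an assumption: field 10 = "source,"
# and field 11 = username, consistent with the $11 in the command above.
sample_log() {
cat <<'EOF'
Jun 10 12:00:01 ftp1 ftpd[4101]: FTP LOGIN FAILED FROM 192.0.2.10, manager
Jun 10 12:00:01 ftp1 ftpd[4102]: FTP LOGIN FAILED FROM 192.0.2.10, public
Jun 10 12:00:02 ftp1 ftpd[4103]: FTP LOGIN FAILED FROM 192.0.2.10, private
Jun 10 12:00:02 ftp1 ftpd[4104]: FTP LOGIN FAILED FROM 192.0.2.10, default
Jun 10 12:00:03 ftp1 ftpd[4105]: FTP LOGIN FAILED FROM 192.0.2.10, manager
Jun 10 12:04:40 ftp1 ftpd[4110]: FTP LOGIN FAILED FROM 198.51.100.7, bob
Jun 10 12:04:55 ftp1 ftpd[4111]: FTP LOGIN FAILED FROM 198.51.100.7, bob
Jun 10 12:05:10 ftp1 ftpd[4112]: FTP LOGIN FROM 198.51.100.7 as bob
EOF
}

# suspicious_sources MIN_DISTINCT_USERS < logfile
# Prints one line per source that failed logins under at least
# MIN_DISTINCT_USERS different usernames.
suspicious_sources() {
    awk -v min="$1" '
        /FTP LOGIN FAILED FROM/ {
            src = $10
            sub(/,$/, "", src)              # drop the trailing comma
            user = (NF >= 11) ? $11 : "-"   # tolerate lines without a username
            fails[src]++
            if (!((src, user) in seen)) {   # count each username once per source
                seen[src, user] = 1
                users[src]++
            }
        }
        END {
            for (s in fails)
                if (users[s] >= min)
                    printf "%s failures=%d distinct_users=%d\n", s, fails[s], users[s]
        }' | sort
}

sample_log | suspicious_sources 3
```

On the constructed input, a threshold of 3 reports only the source cycling through the username list; the source that failed twice as the same user and then logged in is left out.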

