#1
21-December-2013, 18:09
snoozy
What's going on here?

Someone at this address http://sixty one. thirty three. 142.146 is trying to access my FTP server using Administrator as user and trying to guess the password. It seems to be an automated attempt. It's been going on for hours - two or three attempts per second!

Putting the IP into a browser takes me to a flash website, which seems like a genuine commercial site.

Any ideas what is going on?

Last edited by snoozy; 21-December-2013 at 19:30. Reason: to break link

#2
21-December-2013, 19:19
andrew (formerly exstreamuser)
Re: What's going on here?

Pretty obviously a dictionary attack from a Korean IP address. I'm surprised you have not just blocked the IP address.

It would be advisable to break that link in your post to prevent people clicking on it and perhaps becoming compromised. Get your server nailed down first though.

#3
21-December-2013, 19:34
snoozy
Re: What's going on here?

OK - broke the link. I don't have a user 'Administrator' so I don't think they can do anything? I just don't understand why what looks like a legit website would be doing this?

#4
21-December-2013, 20:03
andrew (formerly exstreamuser)
Re: What's going on here?

It's an ISP, so there should not be a site at that address.

There may not be any risk but your server resources are being sapped, leaving less for bona-fide humans.

Maybe it is me but I just find this pretty normal stuff. My sites are under assault all the time, just the same as this one is right now. I just block the worst offenders off the server and move on.

Look at it another way, this bot knows there is a server there because it is responding. It's only a matter of time before a different username is tried. Bots do not tire.

By the sound of it, this is something new to you though, which I cannot figure if you have actually been running a server for a while. In that case, do you know how to block an IP address?

You must at least have access to .htaccess, even if you do not have firewall access.

Code:
<Limit GET HEAD POST>
order allow,deny
deny from 61.33.142.146
allow from all
</Limit>

You'd be much safer and better off looking up these IP addresses than trying to visit them with a browser too. If you had looked up that IP address, you would have found the company does not offer hosting and instead it is an ISP. This means that unless you are extremely prejudiced, you should not range-block and should only block the discrete IP address. Even if it were a hosting service, there can be more than one site per discrete IP address, so attempting to visit could lead to the wrong conclusion. Frankly, it is worrying that you saw a site there.

The IP address does not appear to have any previous history either, so either it is extremely new or you are being targeted for some reason. Also, bear in mind that this could be a compromised machine under control of another. The person behind this may or may not be in Korea.
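
The pattern described in this thread (one address failing FTP logins several times per second) can be picked out of a server log so that only the discrete offending address gets blocked. This is an added example, not part of the original thread; the log format, `parse` and `find_bruteforce` are assumptions and do not reflect Xlight's actual log layout.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an assumed format (not Xlight's real layout):
# "<date> <time> <client-ip> <LOGIN_OK|LOGIN_FAIL> user=<name>"
SAMPLE_LOG = "\n".join(
    [f"2013-12-21 18:05:{s // 2:02d} 203.0.113.7 LOGIN_FAIL user=Administrator"
     for s in range(8)]  # automated client: two failures per second
    + ["2013-12-21 18:05:02 198.51.100.20 LOGIN_FAIL user=student1",  # typo
       "2013-12-21 18:05:09 198.51.100.20 LOGIN_OK user=student1",
       "garbage line from a truncated log write"]
)

def parse(line):
    """Return (timestamp, ip, event, user), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].startswith("user="):
        return None
    try:
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return ts, parts[2], parts[3], parts[4][len("user="):]

def find_bruteforce(log_text, max_failures=5, window=timedelta(seconds=10)):
    """Map each offending IP to the usernames it tried.

    An IP is flagged once it has more than max_failures failed logins
    inside any sliding window of the given length.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures in window
    users = defaultdict(set)     # ip -> usernames seen in failed logins
    flagged = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[2] != "LOGIN_FAIL":
            continue
        ts, ip, _, user = rec
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged[ip] = users[ip]
    return flagged

if __name__ == "__main__":
    for ip, names in find_bruteforce(SAMPLE_LOG).items():
        print(f"block {ip} (tried: {', '.join(sorted(names))})")
```

The single mistyped password from 198.51.100.20 stays under the threshold, so a legitimate user is not blocked along with the automated client.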

#5
21-December-2013, 20:06
snoozy
Re: What's going on here?

Mystery (partly) solved. I created an account and let it in to see what it would do.

RMD sarcaxxo

Apparently this has been going on for years and isn't a problem. Still don't understand why it would be launched from the website I mentioned though.

#6
21-December-2013, 20:15
snoozy
Re: What's going on here?

Sorry didn't see this as I created my last post. Yes this is new to me - I just used a simple FTP server (xlite) which doesn't need installing to put up a few resources for students over the holidays. The scanning has stopped now after the attempt to remove a non-existent directory.

Thanks for your advice.

#7
21-December-2013, 20:34
andrew (formerly exstreamuser)
Re: What's going on here?

http://www.xlightftpd.com/feature.htm
Deny or Allow IPs - It can deny or allow user's access by his ip address.
I'm afraid I don't know anything about it, so I looked it up. I would have thought DropBox or GoogleDrive would be preferable these days and let them take care of the security.

You can disregard the above reference to .htaccess as it would appear you can only run Xlight on Windows.

#8
21-December-2013, 20:52
snoozy
Re: What's going on here?

It does look pretty easy to block IPs or ranges. I will look into DropBox. I already use that with shared folders, but I don't know if it's possible to make read-only folders. The problem is the students need to be able to copy whole folders with sub folders.

#9
21-December-2013, 21:38
andrew (formerly exstreamuser)
Re: What's going on here?

I'm not sure either and the documentation is a bit scarce.

#10
21-December-2013, 23:01
RTI
Re: What's going on here?

If you want to preserve folder structures, don't forget the old friend WinZip....

#11
25-December-2013, 22:16
snoozy
Re: What's going on here?

Thanks - yes. That could be a solution.

All times are GMT +1.
Copyright 1999-2014 The Scream!