Security Incidents mailing list archives

Re: 2300 FTP accesses from Korea


From: Dug Song <dugsong () monkey org>
Date: Mon, 18 Jun 2001 20:51:49 -0400

On Sun, Jun 17, 2001 at 10:48:41PM -0700, Gregory McCann wrote:

> Our log files show that someone at two different Korean ip addresses
> tried to access our ftp server (ProFTPD 1.2.0) over 2,300 times on
> Saturday.  What's the point?  Attempted denial of service maybe?

check your logs to see if these were all attempted logins to a single
account. might be a simple FTP brute forcer, like ADMftpforce.

also, keep in mind that Korea has over *4 million* ADSL subscribers -
compare this to, say, Japan, with only about 40,000 subscribers, and
you'll understand why it's sometimes extremely difficult to find the
right person to follow up on an incident originating from there.

your best bet is probably to contact the CERTCC-KR, as noted here before:

        http://www.certcc.or.kr/certcc/cert-2.htm

further background on what may be the most wired (and wireless)
country on the planet, per capita:

        http://www.brinjal.com/madan/korea.htm

-d.

---
http://www.monkey.org/~dugsong/
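
The log check suggested in the message above, as an added example that is not part of the original post: it groups failed FTP logins by source address and reports whether each source concentrated on a single account or spread across many. The log line shape, the sample lines, the thresholds and all function names are assumptions made for this illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed line shape (constructed for this example; adapt the regex to the
# format your FTP server actually logs):
#   <date> <host> proftpd[<pid>]: <server> (<rdns>[<ip>]) - USER <name> (Login failed): <reason>
FAILED_LOGIN = re.compile(
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+-\s+USER (?P<user>\S+) \(Login failed\)"
)

def _line(ip, user, minute, result="(Login failed): Incorrect password."):
    """Build one constructed log line (documentation-range addresses only)."""
    return (f"Jun 16 03:{minute:02d}:00 ftp proftpd[4100]: ftp.example.org "
            f"(unknown[{ip}]) - USER {user} {result}")

# Constructed sample: one source hammering one account, one source trying
# many account names, one stray typo, and one successful login to ignore.
SAMPLE_LOG = (
    [_line("192.0.2.10", "admin", m) for m in range(20)]
    + [_line("198.51.100.7", u, m)
       for m, u in enumerate(["root", "test", "guest", "ftp", "www", "oracle"])]
    + [_line("203.0.113.5", "alice", 30)]
    + [_line("203.0.113.5", "alice", 31, result="Login successful.")]
)

def failed_logins_by_source(lines):
    """Map source IP -> Counter of account names with failed logins."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            per_ip[m["ip"]][m["user"]] += 1
    return per_ip

def classify(users, min_attempts=5, dominance=0.9):
    """Label one source by how its failures spread across account names."""
    total = sum(users.values())
    if total < min_attempts:
        return "below threshold"
    _, top_count = users.most_common(1)[0]
    if top_count / total >= dominance:
        return "single-account guessing"
    return "multi-account guessing"

def report(lines):
    """Return {ip: (failures, distinct accounts, verdict)}."""
    return {ip: (sum(u.values()), len(u), classify(u))
            for ip, u in failed_logins_by_source(lines).items()}
```

Pass `report()` the lines of the server's auth log; a source with no failed-login lines at all does not appear in the result, which separates bare connection floods from password guessing.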

