FTP, Somebody is hacking my FTP

Status
Not open for further replies.

kracksmith

My FTP is always trying to be hacked, but luckily I secured it enough so they can't upload or see what's in my FTP.

But there are a lot of smart people out there, and someday they will get in.

I check my logs often enough, so I have their IP address, then I check where they live. Most attackers seem to be in Germany and Malaysia.

What else can I do with their IP address besides just pinging it?

Here is some of the log from this guy in Malaysia.

Can somebody here explain these logs and what he tried to do?

With all the "530"s, it probably meant denied, right?



2004-12-30 11:24:41 203.115.228.178 ftp MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [12]USER ftp - 331 0 FTP - - - -
2004-12-30 11:24:41 203.115.228.178 - MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [12]PASS ftp@ftp.net - 530 1326 FTP - - - -
2004-12-30 11:24:43 203.115.228.178 anyone MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [13]USER anyone - 331 0 FTP - - - -
2004-12-30 11:24:43 203.115.228.178 - MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [13]PASS - - 530 1326 FTP - - - -
2004-12-30 11:24:44 203.115.228.178 root MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [14]USER root - 331 0 FTP - - - -
2004-12-30 11:24:44 203.115.228.178 admin MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [15]USER admin - 331 0 FTP - - - -
2004-12-30 11:24:44 203.115.228.178 - MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [14]PASS - - 530 1326 FTP - - - -
2004-12-30 11:24:44 203.115.228.178 webmaster MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [16]USER webmaster - 331 0 FTP - - - -
2004-12-30 11:24:44 203.115.228.178 - MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [15]PASS - - 530 1326 FTP - - - -
2004-12-30 11:24:44 203.115.228.178 user MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [17]USER user - 331 0 FTP - - - -
2004-12-30 11:24:44 203.115.228.178 - MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [16]PASS - - 530 1326 FTP - - - -
2004-12-30 11:24:44 203.115.228.178 test MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [18]USER test - 331 0 FTP - - - -
2004-12-30 11:24:44 203.115.228.178 - MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [17]PASS - - 530 1326 FTP - - - -
2004-12-30 11:24:45 203.115.228.178 web MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [19]USER web - 331 0 FTP - - - -
2004-12-30 11:24:45 203.115.228.178 - MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [18]PASS - - 530 1326 FTP - - - -
2004-12-30 11:24:45 203.115.228.178 www MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [20]USER www - 331 0 FTP - - - -
2004-12-30 11:24:45 203.115.228.178 - MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [19]PASS - - 530 1326 FTP - - - -
2004-12-30 11:24:45 203.115.228.178 administrator MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [22]USER administrator - 331 0 FTP - - - -
2004-12-30 11:24:45 203.115.228.178 root MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [21]USER root - 331 0 FTP - - - -
2004-12-30 11:24:45 203.115.228.178 - MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [20]PASS - - 530 1326 FTP - - - -
2004-12-30 11:24:45 203.115.228.178 admin MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [23]USER admin - 331 0 FTP - - - -
2004-12-30 11:24:45 203.115.228.178 oracle MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [24]USER oracle - 331 0 FTP - - - -
2004-12-30 11:24:45 203.115.228.178 - MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [22]PASS - - 530 1326 FTP - - - -
2004-12-30 11:24:45 203.115.228.178 - MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [21]PASS - - 530 1326 FTP - - - -
2004-12-30 11:24:45 203.115.228.178 sybase MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [25]USER sybase - 331 0 FTP - - - -
2004-12-30 11:24:45 203.115.228.178 - MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [23]PASS - - 530 1326 FTP - - - -
2004-12-30 11:24:45 203.115.228.178 - MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [24]PASS - - 530 1326 FTP - - - -
2004-12-30 11:24:45 203.115.228.178 user MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [27]USER user - 331 0 FTP - - - -
2004-12-30 11:24:45 203.115.228.178 webmaster MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [26]USER webmaster - 331 0 FTP - - - -
 
First off, people will be scanning your subnet forever. If it's not the FXP guys trying to find a quick anonymous pub FTP with write access, then it's the "hackers" or mainly worms and so on. If you're truly worried about being hacked, make sure your FTP server is patched and up to date, and check the internet for exploits (there's no way I'm posting links) on that service so you know what they're gonna hit you with. Firewall unwanted ports as needed. It looks like he might be trying to brute-force your l/p? That's the best I can come up with. Oh, and I would recommend just leaving him alone, because he might just be infected with a worm and you might get busted for hacking him back. Also, he hasn't done anything yet, right? Leave it until something larger happens... You could always check flumps.org, find his subnet, then contact his ISP and put in some abuse tickets. That's always a fun option.
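
An added example, not part of either post above: a small Python parser that pairs each USER line with its PASS line through the bracketed session number and lists the usernames that ended in 530 (the FTP "not logged in" reply; 1326 is the Win32 logon-failure code). The function names, the `threshold` value and the `198.51.100.7` / `alice` lines are assumptions made up for the example; the other sample lines are copied from the posted log.

```python
import re
from collections import defaultdict

# Sample input: the first eight lines are copied from the log posted above;
# the last two (198.51.100.7 / alice, a successful login) are constructed.
SAMPLE = """\
2004-12-30 11:24:41 203.115.228.178 ftp MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [12]USER ftp - 331 0 FTP - - - -
2004-12-30 11:24:41 203.115.228.178 - MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [12]PASS ftp@ftp.net - 530 1326 FTP - - - -
2004-12-30 11:24:43 203.115.228.178 anyone MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [13]USER anyone - 331 0 FTP - - - -
2004-12-30 11:24:43 203.115.228.178 - MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [13]PASS - - 530 1326 FTP - - - -
2004-12-30 11:24:44 203.115.228.178 root MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [14]USER root - 331 0 FTP - - - -
2004-12-30 11:24:44 203.115.228.178 admin MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [15]USER admin - 331 0 FTP - - - -
2004-12-30 11:24:44 203.115.228.178 - MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [14]PASS - - 530 1326 FTP - - - -
2004-12-30 11:24:44 203.115.228.178 - MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [15]PASS - - 530 1326 FTP - - - -
2004-12-30 11:30:02 198.51.100.7 alice MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [30]USER alice - 331 0 FTP - - - -
2004-12-30 11:30:03 198.51.100.7 alice MSFTPSVC1 MULTIMEDIA 192.168.0.203 21 [30]PASS - - 230 0 FTP - - - -
"""

# Field positions are assumed from the layout of the posted lines:
# date time client-ip user site host server-ip port [session]CMD arg - status win32
LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<src>\S+) \S+ \S+ \S+ \S+ \S+ "
    r"\[(?P<sid>\d+)\](?P<cmd>USER|PASS) (?P<arg>\S+) \S+ (?P<status>\d{3}) (?P<win32>\d+)"
)

def failed_logins(log_text):
    """Return {source_ip: [usernames whose PASS was answered with 530]}."""
    pending = {}                      # (source ip, session number) -> username
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                  # skip headers and malformed lines
        key = (m["src"], m["sid"])
        if m["cmd"] == "USER":
            pending[key] = m["arg"]   # remember the name until its PASS shows up
        elif m["status"] == "530":
            failures[m["src"]].append(pending.pop(key, "?"))
        else:
            pending.pop(key, None)    # login succeeded, nothing to report
    return dict(failures)

def brute_force_sources(log_text, threshold=3):
    """Source IPs that failed logins for at least `threshold` distinct usernames."""
    hits = failed_logins(log_text)
    return sorted(ip for ip, users in hits.items() if len(set(users)) >= threshold)
```

Pairing on the session number matters here because the PASS lines in the posted log arrive out of order relative to their USER lines (for example `[14]` and `[15]`).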
 