Tracking Down Outbound FTP Abuse

#1 Fri, 06/02/2017 - 14:37
webwzrd

My data center is alerting me about complaints that bruteforce FTP attacks are coming from my server. I don't get a lot of info to go on, but for the life of me I'm not finding anything and I'm hoping someone can give advice on how to proceed.

Here's a sample of the attack records:

Note: Local timezone is +0200 (CEST)

2017-06-02 18:58:42,636 shared05.SERVER.de proftpd[7306] shared05.SERVER.de (server.MINE.org[65.60.xx.xxx]): FTP session opened.
2017-06-02 18:58:42,849 shared05.SERVER.de proftpd[7306] shared05.SERVER.de (server.MINE.org[65.60.xx.xxx]): USER spacebass: no such user found from server.MINE.org [65.60.xx.xxx] to ::ffff:62.141.xx.xxx:21

Any suggestion on how to track this down?

Fri, 06/02/2017 - 14:59
webwzrd

I discovered a malicious Python script had been installed that was causing the outbound attack. I was able to stop it and now for the cleanup.
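As an added example (not code from the thread), this is the check that usually answers the original question: on the sending host, list which local processes hold outbound connections to TCP port 21 and show each one's executable, working directory and command line, which is how a planted script like the one found in the reply turns up. It assumes a Linux host with iproute2 `ss` and /proc; the embedded `ss` output is a constructed sample using documentation IP ranges.

```shell
# Added example, not from the forum thread: find the local process behind
# outbound FTP connections (assumes Linux with iproute2 `ss` and /proc).

# Parse `ss -tnp` output from stdin and print "PID PEER" for every socket
# whose peer port is 21.  Columns: State Recv-Q Send-Q Local Peer Process,
# where Process looks like users:(("python",pid=7306,fd=3)).
ftp_clients_from_ss() {
    awk '
        $5 ~ /:21$/ {
            peer = $5
            rest = $0
            # one socket may list several owning processes; emit each pid
            while (match(rest, /pid=[0-9]+/)) {
                print substr(rest, RSTART + 4, RLENGTH - 4), peer
                rest = substr(rest, RSTART + RLENGTH)
            }
        }'
}

# Show where the binary and its working directory live; a script running
# out of /tmp or a web-writable directory is the usual sign of a planted tool.
describe_pid() {
    pid=$1
    printf 'pid %s\n' "$pid"
    printf '  exe: %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null)"
    printf '  cwd: %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
    printf '  cmd: %s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
}

# Live check: only sockets whose remote port is 21.
report_ftp_clients() {
    ss -tnp '( dport = :21 )' | ftp_clients_from_ss | LC_ALL=C sort -u |
    while read -r pid peer; do
        printf '%s -> %s\n' "$pid" "$peer"
        describe_pid "$pid"
    done
}

# Constructed sample of `ss -tnp` output so the parser runs without a live host.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.0.2.10:43210 198.51.100.7:21 users:(("python",pid=7306,fd=3))
ESTAB 0 0 192.0.2.10:43211 [::ffff:198.51.100.8]:21 users:(("python",pid=7306,fd=4))
ESTAB 0 0 192.0.2.10:52000 203.0.113.5:443 users:(("curl",pid=811,fd=3))'

# De-duplicated "PID PEER" lines from the sample (the 443 socket is ignored).
demo_ftp_clients() {
    printf '%s\n' "$SAMPLE_SS" | ftp_clients_from_ss | LC_ALL=C sort -u
}

if [ "${1:-}" = "--live" ]; then report_ftp_clients; else demo_ftp_clients; fi
```

Run with `--live` on the suspect host; run without arguments to see the parser applied to the constructed sample.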
