Tracking Down Outbound FTP Abuse

#1 Fri, 06/02/2017 - 14:37


My data center is alerting me about complaints that brute-force FTP attacks are coming from my server. I don't get a lot of info to go on, but for the life of me I'm not finding anything and I'm hoping someone can give advice on how to proceed.

Here is a sample of the attack records:

Note: Local timezone is +0200 (CEST)
2017-06-02 18:58:42,636 proftpd[7306] ([]): FTP session opened.
2017-06-02 18:58:42,849 proftpd[7306] ([]): USER spacebass: no such user found from [] to

Any suggestions on how to track this down?

Fri, 06/02/2017 - 14:59

I discovered a malicious Python script had been installed that was causing the outbound attack. I was able to stop it and now for the cleanup.
