Damn FTP Bots!

naked proftpd # grep "no such user 'Administrator'" proftpd.system.log | wc -l
155526

I sooooo hate spambot-infested Windows piece-of-crap machines run by incompetent operators, and I hate spambot-infested Linux piece-of-crap machines run by incompetent operators. For those of you who don't read geek, the above says that 155,526 login attempts were made to my FTP server from the internet in just under two weeks. These were just the ones trying to log in with the default 'Administrator' account that is commonly present on Windows machines.

These are systems that are compromised with adware, spambots, or SSH bots looking for exploitable FTP servers to store their crap on. End result for me? Less bandwidth at home (all these attempts, some coming several times a second), and a 200 MB logfile full of IPs of exploited machines. Yay. Also the pure annoyance of having to sift through my daily reports, which are full of 'bad login from xx.xx.xx.xx' messages, possibly hiding actual hack attempts.

Other common attempted usernames, with counts:


naked proftpd # grep "no such user '" proftpd.system.log | cut -f 11 -d " " | sort | uniq -c | sort -n
[snip]
1305 'string'
2283 'domains'
2283 'free'
2283 'gustfloppy'
2283 'gustro'
2283 'hosting'
2283 'linux'
2283 'loading'
2283 'loging'
2283 'master'
2283 'me'
2283 'testroot'
2283 'tshirt'
2283 'undernet'
2283 'weapon'
2283 'wenpage'
2286 'irc'
2286 'password'
2286 'security'
2286 'seller'
3125 'Adm1n1strator'
4566 'Amanda'
4566 'Nicole'
4566 'Thomas'
4566 'julian'
4566 'tomy'
4569 'clark'
4569 'daniel'
4569 'james'
4569 'jason'
4569 'john'
4569 'justin'
4569 'linda'
4569 'luis'
4569 'mark'
4569 'matthew'
4569 'michelle'
4569 'mike'
4569 'robert'
4569 'tom'
6417 'andrew'
6849 'computer'
6849 'newuser'
6849 'tsinternetusers'
6852 'calvin'
6852 'charles'
6852 'jennifer'
6852 'paul'
6852 'steve'
7444 'tsinternetuser'
8135 'test'
8931 'admin'
56955 'Admin'
155526 'Administrator'

That snip leaves out the 936 attempted usernames that only had 3 attempts each, and a few other usernames with under 1,000 tries, mostly dictionary attacks starting with 'albert' and ending with 'zackary'.

A bit more shell magic (yes, I know, I could use awk, but I'm just not as familiar with the syntax) to get the list of IPs and the number of attempts from each (again, ignoring the ones with fewer than 1,000 attempts). One caveat on the pipeline: uniq -c only merges adjacent identical lines, so without a sort in front of it the same address can show up several times with partial counts, which is why a few IPs appear more than once below, and sort -nu collapses distinct addresses that happen to share the same count.


naked proftpd # grep "no such user '" proftpd.system.log | cut -d " " -f 7 | cut -d "[" -f 2 | cut -d "]" -f 1 | uniq -c | sort -nu
[snip]
1017 125.76.230.10
1026 85.193.30.252
1037 124.114.99.158
1107 85.193.30.252
1220 125.76.230.10
1585 125.76.230.10
2283 125.246.65.136
2287 211.184.102.65
2306 216.97.33.221
2922 218.4.155.229
2926 60.199.244.146
3342 218.28.47.206
5852 60.199.244.146
7504 211.94.33.184
9132 58.60.237.66
10430 212.204.122.200
24677 213.193.229.39
68490 65.111.169.75
101758 72.232.55.186
112884 64.15.155.138

I must say Mr. http://64.15.155.138/ certainly has a nice list of porn sites whose content he’s downloaded.

So a bit more shell magic to drop all those hosts into the firewall as DROP rules:


naked proftpd # for i in $(grep "no such user '" proftpd.system.log | cut -d " " -f 7 | cut -d "[" -f 2 | cut -d "]" -f 1 | sort -u) ; do iptables -A INPUT -s "$i" -j DROP ; done

Voila! 68 hosts now blocked in the firewall…. well, in theory, for some reason my iptables is bitching right now, but once that’s fixed that should work fine 🙂
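The per-user and per-IP pipelines above, and the firewall loop, reworked into one script as an added example (this is not code from the original post). It sorts before uniq -c so every name and address gets one correct total, uses plain sort -n rather than sort -nu so addresses sharing a count are not dropped, and leaves the command substitution in the for loop unquoted so each IP becomes its own iptables argument. The log lines are constructed to match the proftpd system-log layout that the post's cut field numbers assume (field 7 is "(rhost[ip]):", field 11 is the quoted username); the hostnames, PIDs and addresses in them are made up. The rules are printed rather than executed so the list can be reviewed first.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Counts failed FTP logins per
# username and per source address in a proftpd system log and emits DROP
# rules for the noisy sources. The log below is constructed; the layout is
#   Mon DD HH:MM:SS host proftpd[pid] host (rhost[ip]): no such user 'name'
set -eu

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
Mar 09 01:00:01 naked proftpd[1001] naked (203.0.113.10[203.0.113.10]): no such user 'Administrator'
Mar 09 01:00:02 naked proftpd[1002] naked (203.0.113.10[203.0.113.10]): no such user 'Administrator'
Mar 09 01:00:03 naked proftpd[1003] naked (198.51.100.7[198.51.100.7]): no such user 'Admin'
Mar 09 01:00:04 naked proftpd[1004] naked (203.0.113.10[203.0.113.10]): no such user 'admin'
Mar 09 01:00:05 naked proftpd[1005] naked (192.0.2.33[192.0.2.33]): no such user 'Administrator'
Mar 09 01:00:06 naked proftpd[1006] naked (198.51.100.7[198.51.100.7]): no such user 'test'
Mar 09 01:00:07 naked proftpd[1007] naked (203.0.113.10[203.0.113.10]): FTP session closed.
Mar 09 01:00:08 naked proftpd[1008] naked (203.0.113.10[203.0.113.10]): no such user 'Administrator'
EOF

# Only the failed-login records; every other proftpd message is ignored.
failed_logins() { grep "no such user '" "$1"; }

# Attempts per username, fewest first. uniq -c only merges adjacent
# duplicates, so the names are sorted first; otherwise one name would
# appear several times with partial counts.
count_users() {
  failed_logins "$1" | sed -n "s/.*no such user '\([^']*\)'.*/\1/p" \
    | sort | uniq -c | sort -n
}

# Attempts per source address, taken from the "(rhost[ip]):" field.
# Plain sort -n, not sort -nu: -u would drop every address that happens
# to share a count with another one.
count_ips() {
  failed_logins "$1" | sed -n 's/.*\[\([0-9.]*\)\]):.*/\1/p' \
    | sort | uniq -c | sort -n
}

# Addresses with at least $2 failed logins, one per line.
noisy_ips() {
  count_ips "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Print the DROP rules instead of running them. The command substitution
# is deliberately unquoted: quoting it hands all the addresses to a single
# iptables invocation as one argument, which iptables rejects.
drop_rules() {
  for ip in $(noisy_ips "$1" "$2"); do
    printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
  done
}

echo "== attempts per user";   count_users "$LOG"
echo "== attempts per source"; count_ips "$LOG"
echo "== rules for sources with at least 2 failures"; drop_rules "$LOG" 2
```

Pipe the output of drop_rules into sh once the list looks right. With dozens of hosts, a dedicated chain (or an ipset) is easier to flush and rebuild than a flat run of -A INPUT rules, and the threshold keeps a single typo'd login from your own box off the block list.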

Of course, an easier/better way is to use BlockHosts (gentoo instructions here): it automatically watches your log files for login attempts and, after a threshold number of failures, nukes 'em.