Filezilla FTP Server - How can someone figure out what the accounts


7 answers to this question

  • 0

Yeah, it's fairly simple to try admin, root, testuser, billy, bobby, nobody, etc., etc. They just run through the list trying random passwords as well.

Any FTP server you put on the net is going to see this noise.

What was this top secret username they found? - ftpuser? ;)

  • 0

For some reason the last half of my lastb log has no usernames or passwords :s but here's part of it to compare with:

aachu ssh:notty 122.55.83.138 Mon Aug 6 17:34 - 17:34 (00:00)
sales ssh:notty 211.155.233.147 Sun Aug 5 16:29 - 16:29 (00:00)
staff ssh:notty 211.155.233.147 Sun Aug 5 16:29 - 16:29 (00:00)
root ssh:notty 213.229.93.218 Sun Aug 5 13:31 - 13:31 (00:00)
root ssh:notty 184.105.154.38 Sun Aug 5 09:44 - 09:44 (00:00)
aaron ssh:notty 211.144.158.130 Fri Aug 3 14:20 - 14:20 (00:00)
root ssh:notty 31.222.158.83 Fri Aug 3 10:12 - 10:12 (00:00)
uucps ssh:notty 176.10.238.79 Thu Aug 2 07:34 - 07:34 (00:00)
root ssh:notty 86.140.51.159 Wed Aug 1 08:29 - 08:29 (00:00)
root ssh:notty 115.144.181.19 Wed Aug 1 01:37 - 01:37 (00:00)
root ssh:notty 203.162.163.160 Tue Jul 31 03:13 - 03:13 (00:00)
root ssh:notty 195.22.8.226 Tue Jul 31 02:45 - 02:45 (00:00)
root ssh:notty 119.254.88.100 Mon Jul 30 20:49 - 20:49 (00:00)
dpnroot ssh:notty 210.14.64.88 Mon Jul 30 14:34 - 14:34 (00:00)
root ssh:notty 210.14.64.88 Mon Jul 30 14:34 - 14:34 (00:00)
root ssh:notty 66.135.61.57 Sun Jul 29 11:52 - 11:52 (00:00)
root ssh:notty 210.14.64.68 Sun Jul 29 07:42 - 07:42 (00:00)
root ssh:notty 94.23.72.122 Sun Jul 29 00:40 - 00:40 (00:00)
root ssh:notty 213.206.86.210 Sat Jul 28 12:06 - 12:06 (00:00)
bin ssh:notty 213.206.86.210 Sat Jul 28 12:06 - 12:06 (00:00)
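
Added example, not part of the original post: a small Python summariser for `lastb` output in the layout quoted above, counting failed logins per source and per username and listing sources that tried more than one account name. The sample input is constructed (RFC 5737 documentation addresses), the function names are hypothetical, and only IPv4 sources are matched; rows with a blank username, as the poster describes, are counted under `<none>`.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the lastb layout quoted above; the addresses are
# RFC 5737 documentation ranges, not taken from the post.
SAMPLE = """\
root ssh:notty 192.0.2.10 Sun Aug 5 13:31 - 13:31 (00:00)
sales ssh:notty 198.51.100.7 Sun Aug 5 16:29 - 16:29 (00:00)
staff ssh:notty 198.51.100.7 Sun Aug 5 16:29 - 16:29 (00:00)
root ssh:notty 203.0.113.5 Sat Jul 28 12:06 - 12:06 (00:00)
bin ssh:notty 203.0.113.5 Sat Jul 28 12:06 - 12:06 (00:00)
 ssh:notty 203.0.113.5 Sat Jul 28 12:07 - 12:07 (00:00)

btmp begins Sat Jul 28 12:06:01 2012
"""

# The username column is optional: lastb can print a row with no name.
LINE = re.compile(
    r"^\s*(?:(?P<user>\S+)\s+)?(?P<tty>\S+)\s+"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<when>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2})"
)

def parse_lastb(text):
    """Yield (user, host, when) per failed login; user is '' when absent."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # blank lines and the 'btmp begins' trailer do not match
            yield m.group("user") or "", m.group("host"), m.group("when")

def summarise(text, min_names=2):
    """Return (attempts per host, attempts per user, hosts trying many names)."""
    per_host, per_user = Counter(), Counter()
    names_by_host = defaultdict(set)
    for user, host, _when in parse_lastb(text):
        per_host[host] += 1
        per_user[user or "<none>"] += 1
        if user:
            names_by_host[host].add(user)
    # A source cycling through different names is guessing accounts,
    # not a legitimate user mistyping one password.
    guessers = sorted(h for h, n in names_by_host.items() if len(n) >= min_names)
    return per_host, per_user, guessers

if __name__ == "__main__":
    hosts, users, guessers = summarise(SAMPLE)
    print(hosts.most_common(), users.most_common(), guessers, sep="\n")
```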

  • 0

What? See plenty of usernames there - sales, staff, root.

Where did you pull those logs? Yeah they can go on for hundreds if not thousands of attempts from the same IP. Which is why you normally don't allow username/password auth on something you want to secure - unless you're going to lock it down to source IP.

My ssh server is locked to public key auth only. And sshguard kills them after 4 attempts anyway to keep the logs cleaner.

Oct  1 00:15:43 ubuntu sshguard[1219]: Blocking 200.141.223.78:4 for >630secs: 40 danger in 4 attacks over 4 seconds (all: 40d in 1 abuses over 4s).
Oct  2 05:16:21 ubuntu sshguard[1219]: Blocking 211.155.229.103:4 for >630secs: 40 danger in 4 attacks over 1167 seconds (all: 40d in 1 abuses over 1167s).
Oct  2 10:37:04 ubuntu sshguard[1219]: Blocking 98.126.49.26:4 for >630secs: 40 danger in 4 attacks over 2 seconds (all: 40d in 1 abuses over 2s).
Oct  2 12:04:59 ubuntu sshguard[1219]: Blocking 211.144.158.130:4 for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s).
Oct  3 03:14:46 ubuntu sshguard[1219]: Blocking 187.5.66.12:4 for >630secs: 40 danger in 4 attacks over 39 seconds (all: 40d in 1 abuses over 39s).
Oct  3 15:34:39 ubuntu sshguard[1219]: Blocking 194.65.138.9:4 for >630secs: 40 danger in 4 attacks over 186 seconds (all: 40d in 1 abuses over 186s).
Oct  4 07:08:48 ubuntu sshguard[1219]: Blocking 210.118.169.5:4 for >630secs: 40 danger in 4 attacks over 26 seconds (all: 40d in 1 abuses over 26s).
Oct  4 08:24:41 ubuntu sshguard[1219]: Blocking 189.26.255.11:4 for >630secs: 40 danger in 4 attacks over 1 seconds (all: 40d in 1 abuses over 1s).
Oct  4 08:58:46 ubuntu sshguard[1219]: Blocking 91.205.189.15:4 for >630secs: 40 danger in 4 attacks over 5 seconds (all: 40d in 1 abuses over 5s).
Oct  4 10:00:21 ubuntu sshguard[1219]: Blocking 201.83.151.207:4 for >630secs: 40 danger in 4 attacks over 171 seconds (all: 40d in 1 abuses over 171s).
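
Added example, not part of the original post and not sshguard's own code: a Python model of the scoring those log lines report, where each failed attempt adds danger and a source is blocked once it reaches 40 danger (4 attacks). The per-attack danger of 10 and the 1800-second memory window are assumptions, the events are constructed, and block expiry is not modelled.

```python
from collections import defaultdict, deque

ATTACK_DANGER = 10       # assumption: danger added per failed attempt
BLOCK_THRESHOLD = 40     # from the log above: "40 danger in 4 attacks"
DETECTION_WINDOW = 1800  # assumption: seconds an attack is remembered

def find_blocks(events):
    """events: iterable of (epoch_seconds, source_ip).
    Returns [(ip, attacks, span_seconds, blocked_at)] in order of blocking."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked = set()
    blocks = []
    for ts, ip in sorted(events):
        if ip in blocked:
            continue              # a firewalled source makes no more attempts
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > DETECTION_WINDOW:
            q.popleft()           # forget attacks older than the window
        if len(q) * ATTACK_DANGER >= BLOCK_THRESHOLD:
            blocks.append((ip, len(q), ts - q[0], ts))
            blocked.add(ip)
    return blocks

# Constructed events (RFC 5737 addresses): a fast burst, a slower run that
# still fits in the window, and a source slow enough to never accumulate
# four remembered attacks.
EVENTS = (
    [(t, "192.0.2.10") for t in (0, 1, 2, 4)]
    + [(t, "198.51.100.7") for t in (0, 400, 800, 1167)]
    + [(t, "203.0.113.5") for t in (0, 1000, 2000, 3000)]
)

if __name__ == "__main__":
    for ip, attacks, span, at in find_blocks(EVENTS):
        print(f"Blocking {ip}: {attacks * ATTACK_DANGER} danger "
              f"in {attacks} attacks over {span} seconds")
```

The third source is never blocked by rate alone, which is the case the post's public-key-only setting covers.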

  • 0

My server :p

I've got sshguard on but it isn't actually active because the traffic's redirected to SNORT instead and I still haven't worked out how to reinject certain SNORT packets back into iptables to sshguard :/ although SNORT does seem to block access for about 20 minutes if more than 2 connections in that time happen, again not really sure why it does that but I'm fine with it doing that haha.

This topic is now closed to further replies.