I recently had an FTP attack where 3 files were copied into public HTML directory of my domain. (It looks like the FTP password was compromised, but I'm still investigating this.) The strange thing is that the FTP log documented 5 separate IP addresses that were involved in the same attack. I checked the IPs shown in the log extract below. According to http://www.all-nettools.com/toolbox/smart-whois.php the IPs originate in Austria, Poland, Brazil, Israel and Sweden.
The 3 offending files are "mickey66.html", "mickey66.jpg", and "canopy37.html", - theyand you can see them in the log extra...
2010-06-17T21:24:02.073070+01:00 webserver pure-ftpd: ([email protected]) [INFO] kingdom is now logged in
2010-06-17T21:24:06.632472+01:00 webserver pure-ftpd: ([email protected]) [INFO] kingdom is now logged in
2010-06-17T21:24:07.216924+01:00 webserver pure-ftpd: ([email protected]) [NOTICE] /home/kingdom//public_html/mickey66.html uploaded (80 bytes, 0.26KB/sec)
2010-06-17T21:24:07.364313+01:00 webserver pure-ftpd: ([email protected]) [INFO] Logout.
2010-06-17T21:24:08.711231+01:00 webserver pure-ftpd: ([email protected]) [INFO] kingdom is now logged in
2010-06-17T21:24:10.720315+01:00 webserver pure-ftpd: ([email protected]) [NOTICE] /home/kingdom//public_html/mickey66.jpg uploaded (40835 bytes, 35.90KB/sec)
2010-06-17T21:24:10.848782+01:00 webserver pure-ftpd: ([email protected]) [INFO] Logout.
2010-06-17T21:24:18.528074+01:00 webserver pure-ftpd: ([email protected]) [INFO] Logout.
2010-06-17T21:24:22.023673+01:00 webserver pure-ftpd: ([email protected]) [INFO] kingdom is now logged in
2010-06-17T21:24:23.470817+01:00 webserver pure-ftpd: ([email protected]) [NOTICE] /home/kingdom//public_html/mickey66.html uploaded (80 bytes, 0.38KB/sec)
2010-06-17T21:24:23.655023+01:00 webserver pure-ftpd: ([email protected]) [INFO] Logout.
2010-06-17T21:24:26.249887+01:00 webserver pure-ftpd: ([email protected]) [INFO] kingdom is now logged in
2010-06-17T21:24:28.461310+01:00 webserver pure-ftpd: ([email protected]) [NOTICE] /home/kingdom//public_html/canopy37.html uploaded (80 bytes, 0.26KB/sec)
2010-06-17T21:24:28.760513+01:00 webserver pure-ftpd: ([email protected]) [INFO] Logout.
I don't know what user is represented by the query sign (?), is this 'root'. Anyway can anyone shed any light on all this?
A very small bot-net? ;-)
Likely to be coming from other compromised machines, rather than from the kiddies own IP.
Have a look at fail2ban and denyhosts.
Mind you, FTP is a terrible service to be running unless you really really need to. Subversion or similar is a better way of maintaining a website, at least use secure copy over SSH if you need to do unversioned uploads.
They're probably using open proxy servers.
Sounds like your server was had by a botnet
rather than a botnet, the FTP user/password (which was definitely compromised based on the logs you've provided), was passed on IRC and several hackers that have compromised boxes around the net are running their scripts that automatically deface and add remote shells to machines.