ftp - no such user 'webuser'

babo

For two days in a row I have been seeing the following records in /var/log/message. What can it be?
Code:
Dec 28 19:38:35 xl proftpd[22267]: mysrv.domain.tld (83.113.188.240[83.113.188.240]) - no such user 'webuser' 
Dec 28 19:38:36 xl proftpd[22269]: mysrv.domain.tld (83.113.188.240[83.113.188.240]) - FTP session opened. 
Dec 28 19:38:36 xl proftpd[22269]: mysrv.domain.tld (83.113.188.240[83.113.188.240]) - no such user 'webuser' 
Dec 28 19:39:21 xl proftpd[22386]: mysrv.domain.tld (207.248.47.77[207.248.47.77]) - FTP session opened. 
Dec 28 19:39:22 xl proftpd[22386]: mysrv.domain.tld (207.248.47.77[207.248.47.77]) - no such user 'webuser' 
Dec 28 19:39:23 xl proftpd[22395]: mysrv.domain.tld (207.248.47.77[207.248.47.77]) - FTP session opened. 
Dec 28 19:39:25 xl proftpd[22395]: mysrv.domain.tld (207.248.47.77[207.248.47.77]) - no such user 'webuser' 
Dec 28 19:39:27 xl proftpd[22411]: mysrv.domain.tld (207.248.47.77[207.248.47.77]) - FTP session opened. 
Dec 28 19:39:31 xl proftpd[22411]: mysrv.domain.tld (207.248.47.77[207.248.47.77]) - no such user 'webuser' 
Dec 28 19:40:42 xl proftpd[22703]: mysrv.domain.tld (83.115.105.134[83.115.105.134]) - FTP session opened. 
Dec 28 19:40:42 xl proftpd[22703]: mysrv.domain.tld (83.115.105.134[83.115.105.134]) - no such user 'webuser' 
Dec 28 19:40:42 xl proftpd[22706]: mysrv.domain.tld (83.115.105.134[83.115.105.134]) - FTP session opened. 
Dec 28 19:40:42 xl proftpd[22706]: mysrv.domain.tld (83.115.105.134[83.115.105.134]) - no such user 'webuser' 
Dec 28 19:40:42 xl proftpd[22708]: mysrv.domain.tld (83.115.105.134[83.115.105.134]) - FTP session opened. 
Dec 28 19:40:43 xl proftpd[22708]: mysrv.domain.tld (83.115.105.134[83.115.105.134]) - no such user 'webuser'
 
Well, as I understand it, is it possible to regard it as a DoS attack or brute force? How is it possible to prevent it?
 
A brute force attack would be if he kept trying different passwords for a working user.

A DOS attack would be much more often.

My guess is it's some dumb script kiddie using some dumb script trying to find a vulnerability. More a nuisance than anything else.

If you're running a Linux 2.6.x kernel you could install apf+bfd; the newest versions include antidos.

It's a pain to set up, though.

Jeff
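
An added example, not part of the original posts: a small Python parser for the proftpd lines quoted in the question, tallying per source address how many sessions were opened, how many logins named a nonexistent account, which names were tried and over how many seconds. The function names and the min_unknown threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines copied from the log excerpt in the first post.
SAMPLE = """\
Dec 28 19:38:36 xl proftpd[22269]: mysrv.domain.tld (83.113.188.240[83.113.188.240]) - FTP session opened.
Dec 28 19:38:36 xl proftpd[22269]: mysrv.domain.tld (83.113.188.240[83.113.188.240]) - no such user 'webuser'
Dec 28 19:39:21 xl proftpd[22386]: mysrv.domain.tld (207.248.47.77[207.248.47.77]) - FTP session opened.
Dec 28 19:39:22 xl proftpd[22386]: mysrv.domain.tld (207.248.47.77[207.248.47.77]) - no such user 'webuser'
Dec 28 19:39:23 xl proftpd[22395]: mysrv.domain.tld (207.248.47.77[207.248.47.77]) - FTP session opened.
Dec 28 19:39:25 xl proftpd[22395]: mysrv.domain.tld (207.248.47.77[207.248.47.77]) - no such user 'webuser'
Dec 28 19:40:42 xl proftpd[22703]: mysrv.domain.tld (83.115.105.134[83.115.105.134]) - FTP session opened.
Dec 28 19:40:42 xl proftpd[22703]: mysrv.domain.tld (83.115.105.134[83.115.105.134]) - no such user 'webuser'
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
    r"\(\S*\[(?P<ip>[^\]]+)\]\) - (?P<msg>.*?)\s*$"
)
NO_USER = re.compile(r"^no such user '(?P<user>.*)'$")

def summarize(log_text):
    """Per source IP: sessions opened, unknown-user logins, names tried, seconds spanned."""
    raw = defaultdict(lambda: {"sessions": 0, "unknown": 0, "users": set(), "times": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a proftpd line in the format shown above
        s = raw[m["ip"]]
        # syslog omits the year; 2000 is an arbitrary leap year so "Feb 29" parses
        s["times"].append(datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S"))
        if m["msg"] == "FTP session opened.":
            s["sessions"] += 1
        elif (u := NO_USER.match(m["msg"])):
            s["unknown"] += 1
            s["users"].add(u["user"])
    for s in raw.values():
        times = s.pop("times")
        s["span_s"] = int((max(times) - min(times)).total_seconds())
    return dict(raw)

def noisy_sources(stats, min_unknown=2):
    """Sources with at least min_unknown unknown-user logins (threshold is an assumed value)."""
    return sorted(ip for ip, s in stats.items() if s["unknown"] >= min_unknown)

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE).items():
        print(ip, s["sessions"], s["unknown"], sorted(s["users"]), f'{s["span_s"]}s')
```

Run against the full log, the per-source counts and time spans show how often each address retries and whether more than one account name is being tried.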
 