Problem with Brute Force FTP at 127.0.0.1

ThaiDo

Hi everybody!!!

I am a newbie with DirectAdmin.

I set up ConfigServer Firewall and security for the brute force attack problem; everyone who fails 10 login attempts at web, FTP, or mail is automatically blocked.

But this time, my server has been attacked at IP 127.0.0.1. I don't know how to view the real IP of the attacker or which user is causing it. I have received many notification mails.

The log entry looks like this:

Sep 15 19:53:59 z02 proftpd[15524]: [server IP address] (127.0.0.1[127.0.0.1]) - USER root: no such user found from 127.0.0.1 [127.0.0.1] to ::ffff:127.0.0.1:21

Can anyone help me? :(
 
127.0.0.1 is probably the real IP. It means you have an infected website or something.
 
I think some website is infected, too, but how can I troubleshoot this problem?

Download all the source code to scan with KIS 2014?
 
I recommend that you install an antivirus program, for example ClamAV.
After that, run a scan on your /home folder so ClamAV can detect backdoor files, if that is what scsi meant.

Step 1
Code:
cd /usr/local/directadmin/custombuild
./build update
./build set clamav yes
./build clamav

Step 2 - Make a folder to move infected files into
Code:
# Step 3 moves files to /viruses, so create that exact path
mkdir -p /viruses

Step 3 - Scan home dir and move files
Code:
/usr/bin/clamdscan /home --move=/viruses


Note that the scanning takes a long time! Do not touch PuTTY or whatever until you get the message that scanning is finished!
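
As an added example (not part of any post in this thread), the shell function below summarises failed proftpd logins per source address, using the log format quoted in the first post, and marks loopback sources as LOCAL, meaning the FTP client ran on the server itself. The function names, the sample log lines and the addresses 192.0.2.10 and 203.0.113.7 are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): per-source summary of failed proftpd logins.
# Reads syslog-style proftpd lines on stdin; prints one line per source address.
ftp_fail_summary() {
    # Keep only failed-login lines; emit "<client-ip> <user> <Mon DD HH:MM:SS>".
    sed -nE 's/^([A-Z][a-z]{2} +[0-9]+ [0-9:]{8}) .*\([^[]*\[([^]]*)\]\) - USER ([^ :]+).*(no such user found|Incorrect password).*/\2 \3 \1/p' |
    awk '
    {
        ip = $1; user = $2; ts = $3 " " $4 " " $5
        count[ip]++
        if (!(ip in first)) first[ip] = ts
        last[ip] = ts
        # Record each attempted user name once per source, in order seen.
        if (!seen[ip, user]++)
            users[ip] = users[ip] (users[ip] == "" ? "" : ",") user
    }
    END {
        for (ip in count) {
            # Loopback sources mean the client ran on this host itself.
            origin = (ip ~ /^(::ffff:)?127\./ || ip == "::1") ? "LOCAL" : "remote"
            printf "%s %s %d users=%s first=\"%s\" last=\"%s\"\n",
                   origin, ip, count[ip], users[ip], first[ip], last[ip]
        }
    }' | sort
}

# Constructed sample log; 192.0.2.10 and 203.0.113.7 are documentation addresses.
sample_log() {
    cat <<'EOF'
Sep 15 19:53:59 z02 proftpd[15524]: 192.0.2.10 (127.0.0.1[127.0.0.1]) - USER root: no such user found from 127.0.0.1 [127.0.0.1] to ::ffff:127.0.0.1:21
Sep 15 19:54:01 z02 proftpd[15530]: 192.0.2.10 (127.0.0.1[127.0.0.1]) - USER admin: no such user found from 127.0.0.1 [127.0.0.1] to ::ffff:127.0.0.1:21
Sep 15 19:54:02 z02 proftpd[15533]: 192.0.2.10 (203.0.113.7[203.0.113.7]) - USER test (Login failed): Incorrect password
Sep 15 19:54:03 z02 proftpd[15536]: 192.0.2.10 (127.0.0.1[127.0.0.1]) - USER root: no such user found from 127.0.0.1 [127.0.0.1] to ::ffff:127.0.0.1:21
Sep 15 19:54:05 z02 proftpd[15540]: 192.0.2.10 (203.0.113.7[203.0.113.7]) - FTP session opened.
EOF
}

sample_log | ftp_fail_summary
```

Feed the function the file your proftpd failures are logged to instead of the sample. The first and last timestamps on a LOCAL row give the time window to compare against web server access logs and cron activity on the same machine.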
 