Subject: Brute-Force Attack detected in service log from IP(s) 127.0.0.1 on User(s) a

netsolid (Verified User, joined Feb 8, 2010, 36 messages)
We have been getting these messages for the last two days. Where can I start to find where this is coming from? A rootkit scan detects nothing.

A brute force attack has been detected in one of your service logs.

IP 127.0.0.1 has 75 failed login attempts: proftpd1=75
User admin has 75 failed login attempts: proftpd1=75

Check the 'Admin Level -> Brute Force Monitor' for more information
 
unfortunately php-scripts are not shown in the process-table (ps) .. that means that any compromised php-webapp could be a source of such behaviour ..

if possible check through your webapps if you find suspicious php-files .. they may differ in modification-date to the rest of the installation .. also check for ancient installations of e.g. WordPress, since such popular software tends to be attractive for intrusion - start there.
 
unfortunately php-scripts are not shown in the process-table (ps) .. that means that any compromised php-webapp could be a source of such behaviour

It depends... of course if a script is running very quickly, it is very difficult to catch it with ps. I would start with reading the logs in order to learn how often attempts are made.
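The modification-date check suggested in the replies above, as an added example that is not part of the original thread: it flags PHP files whose timestamp lies far from the median of the other PHP files in the same installation. The function names, the grouping by top-level directory, the 30-day threshold and the sample tree are assumptions made for illustration.

```python
import os
import statistics
import tempfile
from collections import defaultdict

DAY = 86400

def php_time_outliers(root, max_days=30, min_files=3, attr="st_mtime"):
    """List (path, days_from_median) for PHP files whose timestamp is far from
    the median of the other PHP files in the same top-level directory."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        # Assumption: each top-level directory under root is one installation.
        app = os.path.relpath(dirpath, root).split(os.sep)[0]
        for name in files:
            if name.lower().endswith((".php", ".phtml")):
                path = os.path.join(dirpath, name)
                groups[app].append((path, getattr(os.lstat(path), attr)))
    flagged = []
    for entries in groups.values():
        if len(entries) < min_files:      # too few files to define "the rest"
            continue
        median = statistics.median(t for _path, t in entries)
        for path, t in entries:
            days = round((t - median) / DAY, 1)
            if abs(days) > max_days:
                flagged.append((path, days))
    return sorted(flagged, key=lambda item: -abs(item[1]))

def demo_tree_outliers():
    """Build a constructed sample tree and return its outliers (relative paths)."""
    installed = 1262304000                # constructed install time (2010-01-01 UTC)
    sample = {                            # relative path -> days after install
        "blog/index.php": 0, "blog/login.php": 0, "blog/inc/db.php": 0,
        "blog/inc/theme.php": 1, "blog/uploads/img.php": 400,
        "shop/index.php": 0,              # group of one: skipped by min_files
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, days in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            stamp = installed + days * DAY
            os.utime(path, (stamp, stamp))
        return [(os.path.relpath(p, root), d) for p, d in php_time_outliers(root)]

if __name__ == "__main__":
    for path, days in demo_tree_outliers():
        print(f"{days:+8.1f} days  {path}")
```

Modification times can be set back by whoever wrote the file, so a second pass with `attr="st_ctime"` (inode change time on Linux) is worth running on the real webroot.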
 