Script Kid made me late to class.
I set a server up for my friends to share the C73 techno. The next day some script kiddie was trying to hack in with brute force. He tried steadily longer passwords.
(000093) 2/27/2008 6:39:26 AM – (not logged in) (211.72.249.252)> 530 Login or password incorrect!
(000093) 2/27/2008 6:39:45 AM – (not logged in) (211.72.249.252)> PASS ******
(000093) 2/27/2008 6:39:45 AM – (not logged in) (211.72.249.252)> 530 Login or password incorrect!
(000093) 2/27/2008 6:40:07 AM – (not logged in) (211.72.249.252)> 421 Login time exceeded. Closing control connection.
(000093) 2/27/2008 6:40:07 AM – (not logged in) (211.72.249.252)> disconnected.
(000094) 2/27/2008 6:40:07 AM – (not logged in) (211.72.249.252)> Connected, sending welcome message…
(000094) 2/27/2008 6:40:07 AM – (not logged in) (211.72.249.252)> 220-FileZilla Server version 0.9.24 beta
(000094) 2/27/2008 6:40:07 AM – (not logged in) (211.72.249.252)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
(000094) 2/27/2008 6:40:07 AM – (not logged in) (211.72.249.252)> 220 Please visit http://sourceforge.net/projects/filezilla/
(000094) 2/27/2008 6:40:13 AM – (not logged in) (211.72.249.252)> USER Administrator
(000094) 2/27/2008 6:40:13 AM – (not logged in) (211.72.249.252)> 331 Password required for administrator
(000094) 2/27/2008 6:40:19 AM – (not logged in) (211.72.249.252)> USER Administrator
(000094) 2/27/2008 6:40:19 AM – (not logged in) (211.72.249.252)> 331 Password required for administrator
(000094) 2/27/2008 6:40:27 AM – (not logged in) (211.72.249.252)> USER Administrator
(000094) 2/27/2008 6:40:27 AM – (not logged in) (211.72.249.252)> 331 Password required for administrator
(000094) 2/27/2008 6:40:35 AM – (not logged in) (211.72.249.252)> PASS *******
(000094) 2/27/2008 6:40:35 AM – (not logged in) (211.72.249.252)> 530 Login or password incorrect!
(000094) 2/27/2008 6:40:59 AM – (not logged in) (211.72.249.252)> PASS *******
(000094) 2/27/2008 6:40:59 AM – (not logged in) (211.72.249.252)> 530 Login or password incorrect!
(000094) 2/27/2008 6:41:08 AM – (not logged in) (211.72.249.252)> 421 Login time exceeded. Closing control connection.
(000094) 2/27/2008 6:41:08 AM – (not logged in) (211.72.249.252)> disconnected.
(000095) 2/27/2008 6:41:08 AM – (not logged in) (211.72.249.252)> Connected, sending welcome message…
(000095) 2/27/2008 6:41:08 AM – (not logged in) (211.72.249.252)> 220-FileZilla Server version 0.9.24 beta
(000095) 2/27/2008 6:41:08 AM – (not logged in) (211.72.249.252)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
(000095) 2/27/2008 6:41:08 AM – (not logged in) (211.72.249.252)> 220 Please visit http://sourceforge.net/projects/filezilla/
(000095) 2/27/2008 6:41:14 AM – (not logged in) (211.72.249.252)> USER Administrator
(000095) 2/27/2008 6:41:14 AM – (not logged in) (211.72.249.252)> 331 Password required for administrator
(000095) 2/27/2008 6:41:20 AM – (not logged in) (211.72.249.252)> USER Administrator
(000095) 2/27/2008 6:41:20 AM – (not logged in) (211.72.249.252)> 331 Password required for administrator
(000095) 2/27/2008 6:41:28 AM – (not logged in) (211.72.249.252)> USER Administrator
(000095) 2/27/2008 6:41:28 AM – (not logged in) (211.72.249.252)> 331 Password required for administrator
(000095) 2/27/2008 6:41:36 AM – (not logged in) (211.72.249.252)> PASS ******
(000095) 2/27/2008 6:41:36 AM – (not logged in) (211.72.249.252)> 530 Login or password incorrect!
(000095) 2/27/2008 6:41:59 AM – (not logged in) (211.72.249.252)> PASS ******
(000095) 2/27/2008 6:41:59 AM – (not logged in) (211.72.249.252)> 530 Login or password incorrect!
(000095) 2/27/2008 6:42:09 AM – (not logged in) (211.72.249.252)> 421 Login time exceeded. Closing control connection.
(000095) 2/27/2008 6:42:09 AM – (not logged in) (211.72.249.252)> disconnected.
I spent the better half of an hour thinking of something extremely poisonous to put in the FTP’s welcome message. By the time I had found a suitable line to put that wouldn’t be truncated, I figured out I could just slap a 24-hour ban on his ass. So I did. But I was still late for class…
Then later on I played Utawarerumono and got really hooked… but that’s a different story.
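Added example, not part of the original post: a Python detector that parses lines in the FileZilla Server log layout shown above and flags any address that collects a threshold number of 530 replies inside a time window, across reconnects. The function name, threshold, window and sample lines (documentation-range addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout of a FileZilla Server log line as pasted on this page:
# (session) date time AM/PM <dash> (user) (ip)> message
# The dash may be "-" or a typographic "–", so it is matched as \S+.
LINE_RE = re.compile(
    r"^\((?P<session>\d+)\)\s+"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+\S+\s+"
    r"\((?P<user>[^)]*)\)\s+\((?P<ip>[\d.]+)\)>\s+(?P<msg>.*)$"
)

def find_bruteforce(lines, threshold=4, window=timedelta(minutes=5)):
    """Return {ip: (trigger_time, sessions_used)} for IPs reaching
    `threshold` failed logins (530 replies) inside `window`."""
    recent = defaultdict(deque)   # ip -> (time, session) of recent failures
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["msg"].startswith("530 "):
            continue  # skip unparsable lines and everything but failures
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        q = recent[m["ip"]]
        q.append((ts, m["session"]))
        while ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in flagged:
            # Failures are counted per IP, so reconnecting does not reset them.
            flagged[m["ip"]] = (ts, len({s for _, s in q}))
    return flagged

# Constructed sample in the page's format (documentation-range addresses).
SAMPLE_LOG = """\
(000101) 2/27/2008 6:39:26 AM - (not logged in) (203.0.113.7)> 530 Login or password incorrect!
(000101) 2/27/2008 6:39:45 AM - (not logged in) (203.0.113.7)> PASS ******
(000101) 2/27/2008 6:39:45 AM - (not logged in) (203.0.113.7)> 530 Login or password incorrect!
(000101) 2/27/2008 6:40:07 AM - (not logged in) (203.0.113.7)> 421 Login time exceeded. Closing control connection.
(000102) 2/27/2008 6:40:13 AM - (not logged in) (203.0.113.7)> USER Administrator
(000102) 2/27/2008 6:40:35 AM - (not logged in) (203.0.113.7)> 530 Login or password incorrect!
(000102) 2/27/2008 6:40:59 AM - (not logged in) (203.0.113.7)> 530 Login or password incorrect!
(000103) 2/27/2008 6:41:02 AM - (not logged in) (198.51.100.20)> 530 Login or password incorrect!
(000104) 2/27/2008 7:30:00 AM - (not logged in) (198.51.100.20)> 530 Login or password incorrect!
""".splitlines()

if __name__ == "__main__":
    for ip, (when, sessions) in find_bruteforce(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: threshold hit at {when}, {sessions} sessions")
```

The second address in the sample fails twice, 49 minutes apart, and is not flagged, which is the difference between a mistyped password and a steady guessing run.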


Actually, it is not a kid. This host (211.72.249.252) has also been attacking my FTP server for 3 hours now. I googled it and found your site! It’s probably a hacked zombie box, used to scan large networks. Block his ass.
Ah, thanks for the tip man!
Wow. Not thinking that googling the IP would actually turn anything up, I find this page. That same IP (211.72.249.252) was also attacking an FTP server for one of my customers. They tried tons of usernames over the course of a few hours. I would agree with the first comment. Anyone finding this page after being attacked by that IP should block it entirely.
Saw this on me too, so I scanned him…
Completed RPCGrind Scan against 211.72.249.252 at 10:14, 0.37s elapsed (1 port)
SCRIPT ENGINE: Initiating script scanning.
Initiating SCRIPT ENGINE at 10:14
SCRIPT ENGINE DEBUG: showHTMLTitle.nse: Title got truncated!
Completed SCRIPT ENGINE at 10:15, 3.03s elapsed
Host 211.72.249.252 appears to be up … good.
Interesting ports on 211.72.249.252:
Not shown: 1705 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
|_ SSH Protocol Version 1: Server supports SSHv1
25/tcp filtered smtp
80/tcp open http Apache httpd 2.0.52 ((Red Hat))
|_ HTML title: Test Page for the Apache HTTP Server on Red Hat Enterprise Lin…
111/tcp open rpcbind 2 (rpc #100000)
| rpcinfo:
| 100000 2 111/udp rpcbind
| 100024 1 32768/udp status
| 100000 2 111/tcp rpcbind
|_ 100024 1 32769/tcp status
443/tcp open ssl OpenSSL
| SSLv2: server still supports SSLv2
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
554/tcp filtered rtsp
1720/tcp filtered H.323/Q.931
2000/tcp filtered callbook
5060/tcp filtered sip
No OS matches for host
Uptime: 1.398 days (since Thu Mar 13 00:42:35 2008)
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
I have no clue what that means, other than that he’s probably not a bot and you might be able to force your way in through SSH. I remember going ‘http://that ip address’ and I got a blank page.