[Help] FTP attack!??

super_tube
2002-11-28, 11:01 AM
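Below is an e-mail my ISP forwarded to me. They say they received advertising spam sent by me!!??
But my FTP service was shut down long ago, so how could there still be a message like this??
Is this a case of the mail host being infected and sending out advertising mail at random?
I'm a bit confused and don't know where to start.....
My mail server runs Linux! The relay function is also turned off!
I have read the recent Linux virus information, and after checking I found nothing abnormal!
Could it be that a workstation on the internal network is infected and sending the mail?
Or is this just a prank e-mail~
Does anyone have relevant experience or a way to trace this? I hope you can offer some pointers~~ I would be very grateful!! :(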

-----------------------------------------------------
From: Mike Peterson [mailto:mikep@onet.on.ca]
Sent: Wednesday, November 27, 2002 11:41 PM
To: abuse@cnlink.net; abuse@hkcix.com; abuse@ms1.twgate.net;
abuse@tw.cnlink.net; abuse@twgate.net; cmwu@hkcix.com;
hostmaster@cnlink.net; hostmaster@hkcix.com; hostmaster@ms1.twgate.net;
hostmaster@tw.cnlink.net; hostmaster@twgate.net; kyeung@hkcix.com;
mhyang@chti.com.tw; noc@ms1.twgate.net; noc@twgate.net;
postmaster@cnlink.net; postmaster@hkcix.com; postmaster@ms1.twgate.net;
postmaster@tw.cnlink.net; postmaster@twgate.net; root@cnlink.net;
root@hkcix.com; root@ms1.twgate.net; root@tw.cnlink.net;
root@twgate.net; wsshiau@chti.com.tw
Cc: support@onet.on.ca
Subject: 202.181.140.249 - FTP attacks

Hello,

Someone at IP 202.181.140.249 has been attempting
to connect to the FTP port on our servers
"calvin.utcc.utoronto.ca" (IP 128.100.102.64),
and "elcan.utcc.utoronto.ca" (IP 128.100.102.45):

From the logs on "calvin":

Nov 27 04:49:35 calvin in.ftpd[5872]: [ID 947420 daemon.warning] refused connect from 202.181.140.249

From the logs on "elcan":

Nov 27 04:49:35 elcan in.ftpd[5760]: [ID 947420 daemon.warning] refused connect from 202.181.140.249

All times reported are EST5EDT / GMT-5 (add 5 hours to get GMT/UTC).

We view these attempts as hostile, because they appear to be scanning
for security vulnerabilities. I expect that the acceptable use policy
for your network would prohibit this type of activity, and that you
will apply the measures necessary to stop the person responsible from
repeating these attempts.

I am asking that the responsible person(s) at Hongkong Commercial
Internet Exchange / IXTech Limited / Taiwan Internet Gateway / Chunghwa
Telecom - International Business Group (CHTI) check this out at their
end and take the appropriate action (e.g. remove the user account /
Internet connection). If your server has been compromised, you need to
take action to secure it and your network.

Please notify me of the results of your investigation.

Thank you,
Mike.
--
Mike Peterson, Senior Network Specialist, ONet Networking Support
E-mail: mikep@onet.on.ca WWW: http://onet.on.ca/~mikep/
Tel: 416-978-5230 Fax: 416-978-6620
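
One way to trace the reported connections back to an internal machine, as an added example that is not part of the original post or the quoted e-mail: parse the two log lines from the report, convert their GMT-5 timestamps to UTC, and match them against local gateway connection records. Assumptions: the local record format, the internal addresses, the UTC+8 local offset and the 5-minute clock slack are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

REPORT_TZ = timezone(timedelta(hours=-5))  # "EST5EDT / GMT-5", as stated in the report
LOCAL_TZ = timezone(timedelta(hours=8))    # assumption: local logs are kept in UTC+8
REPORT_YEAR = 2002                         # syslog omits the year; taken from the Sent: header
# Log lines quoted in the report (mail line wrap rejoined).
REPORT_LINES = [
    "Nov 27 04:49:35 calvin in.ftpd[5872]: [ID 947420 daemon.warning] refused connect from 202.181.140.249",
    "Nov 27 04:49:35 elcan in.ftpd[5760]: [ID 947420 daemon.warning] refused connect from 202.181.140.249",
]
HOST_IPS = {"calvin": "128.100.102.64", "elcan": "128.100.102.45"}  # from the report
REFUSED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) in\.ftpd\[\d+\]: .*refused connect from (\S+)$")

def parse_report(lines):
    """Return (utc_time, dest_ip, reported_src_ip) for each refused-connect line."""
    events = []
    for line in lines:
        m = REFUSED.match(line)
        if m:
            ts = datetime.strptime(f"{REPORT_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            utc = ts.replace(tzinfo=REPORT_TZ).astimezone(timezone.utc)
            events.append((utc, HOST_IPS[m.group(2)], m.group(3)))
    return events

def find_internal_sources(events, local_log, slack=timedelta(minutes=5)):
    """Match reported events to local FTP (port 21) records within +/- slack."""
    hits = []
    for line in local_log:
        stamp, src, dst, dport = line.split()
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=LOCAL_TZ)
        for utc, dest_ip, _ in events:
            if dst == dest_ip and dport == "21" and abs(when - utc) <= slack:
                hits.append((src, dst, when.isoformat()))
    return hits

# Constructed gateway/NAT records (hypothetical format: local time, internal
# source, destination, destination port). The last line shares the report's
# wall-clock time but is 13 hours away once both are compared in UTC.
LOCAL_LOG = [
    "2002-11-27T17:49:33 192.168.1.23 128.100.102.64 21",
    "2002-11-27T17:49:34 192.168.1.23 128.100.102.45 21",
    "2002-11-27T17:50:10 192.168.1.40 203.0.113.9 80",
    "2002-11-27T04:49:35 192.168.1.31 128.100.102.64 21",
]

if __name__ == "__main__":
    for hit in find_internal_sources(parse_report(REPORT_LINES), LOCAL_LOG):
        print(hit)
```
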