Current time: 11-30-2024, 03:56 PM Hello There, Guest! (LoginRegister)


Post Reply 
Possible attack?
Author Message
santerref Offline
Junior Member
*

Posts: 62
Joined: Apr 2008
Reputation: 0
Post: #1
Possible attack?
Hello, my ftp server crash 2 or 3 times each day and I don't know why but when i look into the logs i see this :

Code:
Mar  3 16:50:03 ks365184 proftpd[804]: ks365184.kimsufi.com (90.32.141.148[90.32.141.148]) - mod_delay/0.5: delaying for 498 usecs
Mar  3 16:56:39 ks365184 proftpd[1722]: ks365184.kimsufi.com (88.185.16.129[88.185.16.129]) - mod_delay/0.5: delaying for 4533 usecs
Mar  3 16:56:46 ks365184 proftpd[1727]: ks365184.kimsufi.com (213.246.59.190[213.246.59.190]) - mod_delay/0.5: delaying for 24016 usecs
Mar  3 16:56:47 ks365184 proftpd[1728]: ks365184.kimsufi.com (88.185.16.129[88.185.16.129]) - mod_delay/0.5: delaying for 105 usecs
Mar  3 16:58:41 ks365184 proftpd[1841]: ks365184.kimsufi.com (213.246.59.190[213.246.59.190]) - mod_delay/0.5: delaying for 4247 usecs
Mar  3 16:59:34 ks365184 proftpd[1891]: ks365184.kimsufi.com (90.32.138.132[90.32.138.132]) - mod_delay/0.5: delaying for 4649 usecs
Mar  3 17:04:55 ks365184 proftpd[5343]: ks365184.kimsufi.com (213.246.59.190[213.246.59.190]) - mod_delay/0.5: delaying for 6461 usecs
Mar  3 17:07:26 ks365184 proftpd[5870]: ks365184.kimsufi.com (213.246.59.190[213.246.59.190]) - mod_delay/0.5: delaying for 128 usecs
Mar  3 17:07:54 ks365184 proftpd[5878]: ks365184.kimsufi.com (213.246.59.190[213.246.59.190]) - mod_delay/0.5: delaying for 1510 usecs
Mar  3 17:08:37 ks365184 proftpd[5926]: ks365184.kimsufi.com (213.246.59.190[213.246.59.190]) - mod_delay/0.5: delaying for 2531 usecs
Mar  3 17:10:14 ks365184 proftpd[6369]: ks365184.kimsufi.com (213.246.59.190[213.246.59.190]) - mod_delay/0.5: delaying for 12194 usecs
Mar  3 17:10:20 ks365184 proftpd[6370]: ks365184.kimsufi.com (90.32.138.132[90.32.138.132]) - mod_delay/0.5: delaying for 484 usecs
Mar  3 17:10:42 ks365184 proftpd[6375]: ks365184.kimsufi.com (213.246.59.190[213.246.59.190]) - mod_delay/0.5: delaying for 498 usecs
Mar  3 17:15:50 ks365184 proftpd[6981]: ks365184.kimsufi.com (88.185.16.129[88.185.16.129]) - mod_delay/0.5: delaying for 5035 usecs
Mar  3 17:15:57 ks365184 proftpd[6985]: ks365184.kimsufi.com (88.185.16.129[88.185.16.129]) - mod_delay/0.5: delaying for 41390 usecs
Mar  3 17:16:43 ks365184 proftpd[7046]: ks365184.kimsufi.com (88.185.16.129[88.185.16.129]) - mod_delay/0.5: delaying for 7725 usecs
Mar  3 17:23:15 ks365184 proftpd[7814]: ks365184.kimsufi.com (90.59.139.101[90.59.139.101]) - mod_delay/0.5: delaying for 57432 usecs
Mar  3 17:23:40 ks365184 proftpd[7846]: ks365184.kimsufi.com (81.50.0.124[81.50.0.124]) - mod_delay/0.5: delaying for 93022 usecs
Mar  3 17:24:01 ks365184 proftpd[7880]: ks365184.kimsufi.com (81.50.0.124[81.50.0.124]) - mod_delay/0.5: delaying for 1438 usecs
Mar  3 17:24:22 ks365184 proftpd[7893]: ks365184.kimsufi.com (70.53.161.37[70.53.161.37]) - mod_delay/0.5: delaying for 109 usecs
Mar  3 17:25:38 ks365184 proftpd[8305]: ks365184.kimsufi.com (81.50.0.124[81.50.0.124]) - mod_delay/0.5: delaying for 3332 usecs
Mar  3 17:26:58 ks365184 proftpd[8381]: ks365184.kimsufi.com (81.50.0.124[81.50.0.124]) - mod_delay/0.5: delaying for 2 usecs
Mar  3 17:27:45 ks365184 proftpd[8449]: ks365184.kimsufi.com (81.50.0.124[81.50.0.124]) - mod_delay/0.5: delaying for 358 usecs
Mar  3 17:28:44 ks365184 proftpd[8522]: ks365184.kimsufi.com (81.50.0.124[81.50.0.124]) - mod_delay/0.5: delaying for 3365 usecs
Mar  3 17:28:45 ks365184 proftpd[8523]: ks365184.kimsufi.com (81.50.0.124[81.50.0.124]) - mod_delay/0.5: delaying for 3812 usecs
Mar  3 17:29:50 ks365184 proftpd[8589]: ks365184.kimsufi.com (90.59.139.101[90.59.139.101]) - mod_delay/0.5: delaying for 360 usecs
Mar  3 17:35:48 ks365184 proftpd[12422]: ks365184.kimsufi.com (74.56.30.111[74.56.30.111]) - mod_delay/0.5: delaying for 3320 usecs
Mar  3 17:37:00 ks365184 proftpd[12521]: ks365184.kimsufi.com (70.53.161.37[70.53.161.37]) - mod_delay/0.5: delaying for 2792 usecs
Mar  3 17:37:43 ks365184 proftpd[12556]: ks365184.kimsufi.com (24.201.54.192[24.201.54.192]) - mod_delay/0.5: delaying for 1933 usecs
Mar  3 17:39:17 ks365184 proftpd[12698]: ks365184.kimsufi.com (90.59.139.101[90.59.139.101]) - mod_delay/0.5: delaying for 45 usecs
Mar  3 17:43:14 ks365184 proftpd[13260]: ks365184.kimsufi.com (86.200.43.76[86.200.43.76]) - mod_delay/0.5: delaying for 6460 usecs
Mar  3 17:43:36 ks365184 proftpd[13278]: ks365184.kimsufi.com (24.201.54.192[24.201.54.192]) - mod_delay/0.5: delaying for 2520 usecs
Mar  3 17:44:09 ks365184 proftpd[13320]: ks365184.kimsufi.com (90.59.139.101[90.59.139.101]) - mod_delay/0.5: delaying for 16449 usecs
Mar  3 17:45:26 ks365184 proftpd[13726]: ks365184.kimsufi.com (86.200.43.76[86.200.43.76]) - mod_delay/0.5: delaying for 7416 usecs
Mar  3 17:45:30 ks365184 proftpd[13729]: ks365184.kimsufi.com (24.201.54.192[24.201.54.192]) - mod_delay/0.5: delaying for 356 usecs
Mar  3 17:45:37 ks365184 proftpd[13731]: ks365184.kimsufi.com (24.201.54.192[24.201.54.192]) - mod_delay/0.5: delaying for 2615 usecs
Mar  3 17:45:47 ks365184 proftpd[13740]: ks365184.kimsufi.com (69.159.112.5[69.159.112.5]) - mod_delay/0.5: delaying for 5139 usecs
Mar  3 17:47:24 ks365184 proftpd[14598]: ks365184.kimsufi.com (88.185.16.129[88.185.16.129]) - mod_delay/0.5: delaying for 24428 usecs
Mar  3 17:47:31 ks365184 proftpd[14601]: ks365184.kimsufi.com (88.185.16.129[88.185.16.129]) - mod_delay/0.5: delaying for 7417 usecs
Mar  3 17:47:44 ks365184 proftpd[14645]: ks365184.kimsufi.com (86.200.43.76[86.200.43.76]) - mod_delay/0.5: delaying for 491 usecs
Mar  3 17:49:27 ks365184 proftpd[16017]: ks365184.kimsufi.com (90.59.139.101[90.59.139.101]) - mod_delay/0.5: delaying for 162 usecs

I'm not shure if this are attacks because the time between each line is long... if it was 1 or 2 seconds ok but this are like 2 or 3 minutes.
03-04-2009 02:59 AM
Find all posts by this user Quote this message in a reply
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #2
RE: Possible attack?
Which ProFTd Version do you use ?
For info --> http://www.isp-control.net/forum/showthr...p?tid=5824

Greez BeNe
03-04-2009 03:51 AM
Visit this user's website Find all posts by this user Quote this message in a reply
santerref Offline
Junior Member
*

Posts: 62
Joined: Apr 2008
Reputation: 0
Post: #3
RE: Possible attack?
I use the last that we can fond in the repository of Debian.

When I use the command top, proftpd always use 80% or 95% of my CPU. I have 350 users on my website. (Webhosting website)
(This post was last modified: 03-04-2009 07:54 AM by santerref.)
03-04-2009 07:39 AM
Find all posts by this user Quote this message in a reply
sci2tech Away
Senior Member
****

Posts: 1,285
Joined: Jan 2007
Reputation: 23
Post: #4
RE: Possible attack?
Try to use fail2ban Wink
03-04-2009 08:05 AM
Visit this user's website Find all posts by this user Quote this message in a reply
santerref Offline
Junior Member
*

Posts: 62
Joined: Apr 2008
Reputation: 0
Post: #5
RE: Possible attack?
I have fail2ban but proftpd always use 90% of my CPU... And my server receive DoS and DDoS Syn Flood attack ! But now I think it's ok but proftpd always down and up ... like 4 or 5 times each days... do you need some logs to help me?
03-04-2009 08:40 AM
Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)