
We have a public ftp server that is being probed by the usual Chinese brute-force scans. They are probing vsftpd. Normally a failed login to vsftpd looks like this in syslog:

Mar 17 15:56:07 cache0001 vsftpd: ftp_set_login_id - unable to esd_decode: root 
Mar 17 15:56:07 cache0001 vsftpd: ftp_authenticate failed - invalid login_id format: root ip: 10.90.3.193 
Mar 17 15:56:07 cache0001 vsftpd: Mon Mar 17 15:56:07 2014 [pid 13327] [root] FAIL LOGIN: Client "10.90.3.193"

These logins look like this:

Mar 17 10:20:47 cache0001 vsftpd: Mon Mar 17 10:20:47 2014 [pid 10095] CONNECT: Client "61.147.76.54"
Mar 17 10:20:47 cache0001 vsftpd: ftp_authenticate failed - expired password: 2848358251 DTM20140317045711MjMxMzM1Nzk1 ip: 61.147.76.54 Current: DTM20140317102047 
Mar 17 10:20:47 cache0001 vsftpd: Mon Mar 17 10:20:47 2014 [pid 10095] [NTg3NTEwMTY1PDI4NDgzNTgyNTE+MjUxODUwNjU4] FAIL LOGIN: Client "61.147.76.54"

Not sure what's being logged here; there is no "invalid login_id" line, and why "expired password"?

Is this someone trying to use the Metasploit script for the vsftpd vulnerabilities that were out some time ago?

Thanks -w

user42189
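Added example, not part of the original post or of vsftpd: the bracketed token on the FAIL LOGIN line and the tail of the rejected password in the two lines quoted above are valid standard base64, and the DTM fields look like YYYYMMDDhhmmss timestamps. This Python helper pulls the fields out of those lines, decodes the tokens and measures the gap between the password's timestamp and the server's Current value; the field meanings are assumptions read off the log text, not documented vsftpd behaviour.

```python
import base64
import re
from datetime import datetime

# The two syslog lines from the question, embedded so the script runs offline.
EXPIRED_LINE = ('Mar 17 10:20:47 cache0001 vsftpd: ftp_authenticate failed - expired password: '
                '2848358251 DTM20140317045711MjMxMzM1Nzk1 ip: 61.147.76.54 Current: DTM20140317102047')
FAIL_LINE = ('Mar 17 10:20:47 cache0001 vsftpd: Mon Mar 17 10:20:47 2014 [pid 10095] '
             '[NTg3NTEwMTY1PDI4NDgzNTgyNTE+MjUxODUwNjU4] FAIL LOGIN: Client "61.147.76.54"')

# Assumption: "DTM" prefixes a 14-digit timestamp and the rest of the password is base64.
EXPIRED_RE = re.compile(r'expired password: (?P<login_id>\S+) DTM(?P<sent>\d{14})(?P<tail>\S*) '
                        r'ip: (?P<ip>\S+) Current: DTM(?P<current>\d{14})')
# The bracketed token directly before "FAIL LOGIN" ("[pid NNN]" contains a space, so it is skipped).
FAIL_RE = re.compile(r'\[(?P<token>[A-Za-z0-9+/=]+)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"')


def b64_text(s):
    """Decode standard base64 (padding restored) to ASCII text; None if it is not valid base64 text."""
    try:
        return base64.b64decode(s + '=' * (-len(s) % 4), validate=True).decode('ascii')
    except (ValueError, UnicodeDecodeError):
        return None


def parse_expired(line):
    """Fields of an 'expired password' line plus how far behind Current the password timestamp is."""
    m = EXPIRED_RE.search(line)
    if not m:
        return None
    sent = datetime.strptime(m['sent'], '%Y%m%d%H%M%S')
    current = datetime.strptime(m['current'], '%Y%m%d%H%M%S')
    return {'login_id': m['login_id'], 'ip': m['ip'],
            'age_seconds': int((current - sent).total_seconds()),
            'tail_decoded': b64_text(m['tail'])}


def parse_fail(line):
    """Client IP and decoded bracketed token of a FAIL LOGIN line (token is None for plain names like root)."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    return {'ip': m['ip'], 'token_decoded': b64_text(m['token'])}


def correlate(expired_line, fail_line):
    """True when both lines share a client IP and the login_id appears inside the decoded FAIL LOGIN token."""
    e, f = parse_expired(expired_line), parse_fail(fail_line)
    if not e or not f or f['token_decoded'] is None:
        return False
    return e['ip'] == f['ip'] and e['login_id'] in f['token_decoded']


if __name__ == '__main__':
    print(parse_expired(EXPIRED_LINE))
    print(parse_fail(FAIL_LINE))
    print(correlate(EXPIRED_LINE, FAIL_LINE))
```

Decoding the FAIL LOGIN token yields the login id from the expired-password line wrapped in other digits, and the password timestamp is about five and a half hours older than Current, which is consistent with a replayed, time-limited credential rather than a plain username guess.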