Brute Force Attack on FTP

2025-04-15

This is the proftpd report in my Logwatch :

proftpd-messages Begin

'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
disconnected
'hostname' (127.0.0.1[127.0.0.1]) - FTP no transfer timeout,
disconnected
'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
disconnected
xx.xx.xxx.232 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.233 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.231 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.234 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.238 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.235 (66.97.95.1[66.97.95.1]) - no such user 'look'
xx.xx.xxx.232 (66.97.95.1[66.97.95.1]) - no such user 'user'
xx.xx.xxx.233 (66.97.95.1[66.97.95.1]) - no such user 'user'
xx.xx.xxx.231 (66.97.95.1[66.97.95.1]) - no such user 'user'
xx.xx.xxx.234 (66.97.95.1[66.97.95.1]) - no such user 'user'
xx.xx.xxx.238 (66.97.95.1[66.97.95.1]) - no such user 'user'
xx.xx.xxx.235 (66.97.95.1[66.97.95.1]) - no such user 'user'
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'leech'
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'leech'
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'leech'
'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
disconnected
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'admin'
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'admin'
'hostname' (66.97.95.1[66.97.95.1]) - no such user 'admin'
'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
disconnected
'hostname' (127.0.0.1[127.0.0.1]) - FTP login timed out,
disconnected

Details of 66.97.95.1
Blacklist Status: Clear
Whois History: 3 records stored
Record Type: IP Address
IP Location: United States - Blue Mountain Internet
Reverse IP: Web server hosts 1 websites (reverse ip tool requires free login)
Reverse DNS: w1.bmi.net

1 domains found on 66.97.95.1
Showing all 1.

Website
Oddfellows.com

Looks like he has compromised a server...

The same person also tried to Brute Force into SSH but BFD took care of that. So what is he trying now and how do I stop him...

Thanks.