My data center is alerting me about complaints that bruteforce FTP attacks are coming from my server. I don't get a lot of info to go on, but for the life of me I'm not finding anything and I'm hoping someone can give advice on how to proceed.
Here's a sample of the attack records:
Note: Local timezone is +0200 (CEST)

2017-06-02 18:58:42,636 shared05.SERVER.de proftpd[7306] shared05.SERVER.de (server.MINE.org[65.60.xx.xxx]): FTP session opened.
2017-06-02 18:58:42,849 shared05.SERVER.de proftpd[7306] shared05.SERVER.de (server.MINE.org[65.60.xx.xxx]): USER spacebass: no such user found from server.MINE.org [65.60.xx.xxx] to ::ffff:62.141.xx.xxx:21
Any suggestion on how to track this down?
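The abuse report is the only lead the poster has, so the first step on the accused host is to turn those records into facts you can check locally: the activity window converted from the reporter's timezone (+0200) to UTC, the source IP the victim saw (which should be your server's public address), the usernames tried and the destination hit. The script below is an added example, not code from the original thread; it parses the proftpd record format shown in the post over a constructed sample (the masked IPs are kept as they appear in the report, and the third line is a constructed extra attempt in the same format to show aggregation).

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in the record format the data center supplied in the post
# (IP octets masked exactly as in the report). The third line is a constructed
# extra attempt in the same format, added to show aggregation over several tries.
SAMPLE_REPORT = """\
2017-06-02 18:58:42,636 shared05.SERVER.de proftpd[7306] shared05.SERVER.de (server.MINE.org[65.60.xx.xxx]): FTP session opened.
2017-06-02 18:58:42,849 shared05.SERVER.de proftpd[7306] shared05.SERVER.de (server.MINE.org[65.60.xx.xxx]): USER spacebass: no such user found from server.MINE.org [65.60.xx.xxx] to ::ffff:62.141.xx.xxx:21
2017-06-02 18:58:43,120 shared05.SERVER.de proftpd[7306] shared05.SERVER.de (server.MINE.org[65.60.xx.xxx]): USER admin: no such user found from server.MINE.org [65.60.xx.xxx] to ::ffff:62.141.xx.xxx:21
"""

# One proftpd record as the reporting host writes it:
# "<date> <time>,<ms> <host> proftpd[<pid>] <host> (<src_host>[<src_ip>]): <message>"
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<ms>\d{3}) "
    r"\S+ proftpd\[(?P<pid>\d+)\] \S+ "
    r"\((?P<src_host>[^\[]+)\[(?P<src_ip>[^\]]+)\]\): (?P<msg>.*)$"
)
# The failed-login message: which username was tried and which destination it hit.
USER_RE = re.compile(r"^USER (?P<user>\S+): no such user found from .* to (?P<dst>\S+)$")


def parse_record(line, reporter_utc_offset_hours=2):
    """Parse one report line into a dict; return None for lines not in the format.

    The reporter states its local timezone (+0200 CEST in the post), so the
    timestamp is converted to UTC here, which is what you need to line it up
    against your own server's logs, cron entries and process start times.
    """
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    local = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").replace(
        tzinfo=timezone(timedelta(hours=reporter_utc_offset_hours))
    )
    rec = {
        "utc": local.astimezone(timezone.utc),
        "pid": int(m.group("pid")),
        "src_host": m.group("src_host"),
        "src_ip": m.group("src_ip"),
        "msg": m.group("msg"),
        "user": None,
        "dst": None,
    }
    u = USER_RE.match(rec["msg"])
    if u:
        rec["user"] = u.group("user")
        rec["dst"] = u.group("dst")
    return rec


def summarize(report_text, reporter_utc_offset_hours=2):
    """Aggregate a report into the facts worth checking on the accused host:
    the UTC window of the activity, the source IPs the victim saw (these should
    be your server's), the usernames tried and the destinations hit."""
    parsed = (parse_record(line, reporter_utc_offset_hours) for line in report_text.splitlines())
    recs = [r for r in parsed if r]
    if not recs:
        return {}
    return {
        "first_utc": min(r["utc"] for r in recs).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "last_utc": max(r["utc"] for r in recs).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "sources": Counter(r["src_ip"] for r in recs),
        "users_tried": Counter(r["user"] for r in recs if r["user"]),
        "destinations": Counter(r["dst"] for r in recs if r["dst"]),
        "sessions_opened": sum(1 for r in recs if r["msg"] == "FTP session opened."),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"activity window (UTC): {s['first_utc']} .. {s['last_utc']}")
    print("sources seen by victim :", dict(s["sources"]))
    print("usernames tried        :", dict(s["users_tried"]))
    print("destinations           :", dict(s["destinations"]))
    print("sessions opened        :", s["sessions_opened"])
```

With the UTC window in hand, the local checks are the usual ones: list live outbound connections to port 21 with their owning process (`ss -tnp` or `lsof -i tcp:21` on Linux), and look at cron, auth and web-server logs around that window for whatever started the process. If the source IP in the report is not one of your server's addresses, that is worth telling the data center before going further.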
I discovered a malicious Python script had been installed that was causing the outbound attack. I was able to stop it and now for the cleanup.