This attack attempt made me laugh a bit. I see the following event from my Sguil instance running on Security Onion that is monitoring my honeypot:
I pull the transcript and find the following:
I thought that was a very odd password to attempt. I wanted to a transcript of all the attempts the attacker tried, so I used tcpdump to carve out the session between my honeypot and the attacker with the following commands:
tcpdump -r snort.log.1361664061 -w ~/ftpbruteforce-pcap-20130224.pcap ip and host 220.127.116.11 and host 192.168.1.20 and port 21 and proto 6
Securityonion will log full pcap's to /nsm/sensor_data/<sensor-name>/dailylogs/<date>. The tcpdump command is pretty much the same command that sguil issues to the sensor to generate transcripts. The -r is to read in a pcap file, -w is to write the results to a pcap file. After that is the BPF (Berkley Packet Filter) filter which defines what traffic we want to carve out.
I opened ftpbruteforce-pcap-20130224.pcap in wireshark and started looking at the sessions and found this one:
Turns out, there are multiple attempts of using %username% and some other strings. It seems our attacker forgot to configure this field. Logically, I assume it's supposed to try different variations of Administrator and a string such as:
If anyone knows the FTP brute forcing tool that was likely used, please let us know. My Google-fu is failing as Google drops punctuations from searches.