This is roughly what (a very small part of) a log file could look like after a direct brute force attack.
[5] Fri 17Sep99 02:52:39 - (000412) Connected to 193.243.68.128 (Local address 90.0.0.1) <the 412th connection is established; the remote host has the IP address 193.243.68.128>
[5] Fri 17Sep99 02:52:39 - (000413) Connected to 193.243.68.128 (Local address 90.0.0.1) <the 413th connection is established>
[5] Fri 17Sep99 02:52:39 - (000412) IP-Name: UNKNOWN <password combination "ided" = wrong password combination>
[5] Fri 17Sep99 02:52:39 - (000414) Connected to 193.243.68.128 (Local address 90.0.0.1)
[5] Fri 17Sep99 02:52:39 - (000413) IP-Name: UNKNOWN <password combination "idee" = password correct>
[5] Fri 17Sep99 02:52:39 - (000415) Connected to 193.243.68.128 (Local address 90.0.0.1)
[5] Fri 17Sep99 02:52:39 - (000416) Connected to 193.243.68.128 (Local address 90.0.0.1)
[5] Fri 17Sep99 02:52:39 - (000414) IP-Name: UNKNOWN
[5] Fri 17Sep99 02:52:39 - (000417) Connected to 193.243.68.128 (Local address 90.0.0.1)
[5] Fri 17Sep99 02:52:39 - (000413) User MAX logged in < => password = correct, user "Max" has successfully logged in to the server>
[5] Fri 17Sep99 02:52:39 - (000415) IP-Name: UNKNOWN
[5] Fri 17Sep99 02:52:39 - (000416) IP-Name: UNKNOWN
[5] Fri 17Sep99 02:52:39 - (000412) Closing connection
[5] Fri 17Sep99 02:52:40 - (000413) Closing connection for user MAX (00:00:01 connected) <all other connections are closed>
[5] Fri 17Sep99 02:52:40 - (000415) Closing connection
[5] Fri 17Sep99 02:52:40 - (000414) Closing connection
[5] Fri 17Sep99 02:52:40 - (000416) Closing connection
[5] Fri 17Sep99 02:52:40 - (000417) Closing connection
Subsequent login...
[5] Fri 17Sep99 02:53:01 - (000423) Connected to 193.243.68.128 (Local address 90.0.0.1)
[5] Fri 17Sep99 02:53:01 - (000423) IP-Name: UNKNOWN
[5] Fri 17Sep99 02:53:07 - (000423) User MAX logged in
[2] Fri 17Sep99 02:54:16 - (000423) PORT 193,243,68,128,13,20
You can of course try to launch a direct "brute force attack", but you might just as well try to steal a cash transport van in broad daylight (in front of the security guards). In both cases the probability that you get caught is rather high *g*. Besides, servers are usually monitored by administrators, who notice immediately when someone logs in 1798 times a minute. One could hope that the admin has already gone home by then (or is lying drunk under the table *g*) and then remove the telltale entries from the log file, but that usually does not help much either, because he most likely has the whole thing monitored on his screen (and when he is back at work the next morning, or has recovered from his binge, he may well notice :-) ). That in turn can be prevented by making the server crash afterwards with a denial of service (DoS) attack (more on that later).
A normal connection, by contrast, usually looks roughly like this.
[1] Sat 18Sep99 21:30:45 - Starting FTP Server... (Version 2.5f (32-bit))
[5] Sat 18Sep99 21:31:08 - (000001) Connected to 149.225.89.137 (Local address 90.0.0.1)
[5] Sat 18Sep99 21:31:08 - (000001) IP-Name: secret
[5] Sat 18Sep99 21:32:00 - (000001) User THEPOWERANT logged in
[3] Sat 18Sep99 21:33:46 - (000001) Sending file c:\tpa\tpa.zip
[3] Sat 18Sep99 21:33:46 - (000001) Sent file c:\tpa\tpa.zip successfully (44.2 Kb/sec - 453 bytes)
[3] Sat 18Sep99 21:36:35 - (000001) Sending file c:\bilder\nudegirl.jpg
[3] Sat 18Sep99 21:36:35 - (000001) Sent file c:\bilder\nudegirl.jpg successfully (146 Kb/sec - 44015 bytes)
[5] Sat 18Sep99 21:36:41 - (000001) Closing connection for user THEPOWERANT (00:05:33 connected)
[5] Sat 18Sep99 23:55:31 - (000002) Connected to 90.0.0.2 (Local address 90.0.0.1)
[5] Sat 18Sep99 23:55:33 - (000002) IP-Name: admin
[5] Sat 18Sep99 23:56:02 - (000002) User SYSADMIN logged in
[4] Sat 18Sep99 23:57:45 - (000002) Receiving file c:\bilder\hotgirl.jpg
[4] Sat 18Sep99 23:57:45 - (000002) Received file c:\bilder\hotgirl.jpg successfully (147 Kb/sec - 44015 bytes)
[4] Sun 19Sep99 00:00:17 - (000002) Receiving file c:\secret.txt
[4] Sun 19Sep99 00:00:18 - (000002) Received file c:\secret.txt successfully (151 Kb/sec - 17577 bytes)
[5] Sun 19Sep99 00:00:33 - (000002) Closing connection for user SYSADMIN (00:05:02 connected)
[5] Sun 19Sep99 02:07:22 - (000004) Connected to 90.0.0.3 (Local address 90.0.0.1)
[6] Sun 19Sep99 02:07:22 - (000004) 220 Serv-U FTP-Server v2.5f for WinSock ready...
[5] Sun 19Sep99 02:07:22 - (000004) IP-Name: Owner
[2] Sun 19Sep99 02:07:41 - (000004) USER Max
[6] Sun 19Sep99 02:07:41 - (000004) 331 User name okay, need password.
[2] Sun 19Sep99 02:07:44 - (000004) PASS xxxx
[5] Sun 19Sep99 02:07:44 - (000004) User MAX logged in
[6] Sun 19Sep99 02:07:44 - (000004) 230 User logged in, proceed.
[2] Sun 19Sep99 02:07:59 - (000004) PORT 90,0,0,3,4,16
[6] Sun 19Sep99 02:07:59 - (000004) 200 PORT Command successful.
[2] Sun 19Sep99 02:07:59 - (000004) RETR secret.txt
[6] Sun 19Sep99 02:08:00 - (000004) 150 Opening ASCII mode data connection for secret.txt (17577 bytes).
[3] Sun 19Sep99 02:08:00 - (000004) Sending file c:\secret.txt
[3] Sun 19Sep99 02:08:00 - (000004) Sent file c:\secret.txt successfully (223 Kb/sec - 17577 bytes)
[6] Sun 19Sep99 02:08:00 - (000004) 226 Transfer complete.
[2] Sun 19Sep99 02:09:38 - (000004) PORT 90,0,0,3,4,17
[6] Sun 19Sep99 02:09:38 - (000004) 200 PORT Command successful.
[2] Sun 19Sep99 02:09:38 - (000004) STOR secret2.txt
[6] Sun 19Sep99 02:09:38 - (000004) 150 Opening ASCII mode data connection for secret2.txt.
[4] Sun 19Sep99 02:09:38 - (000004) Receiving file c:\secret2.txt
[4] Sun 19Sep99 02:09:38 - (000004) Received file c:\secret2.txt successfully (9.06 Kb/sec - 742 bytes)
[6] Sun 19Sep99 02:09:38 - (000004) 226 Transfer complete.
[2] Sun 19Sep99 02:09:44 - (000004) QUIT
[6] Sun 19Sep99 02:09:44 - (000004) 221 Goodbye!
[5] Sun 19Sep99 02:09:44 - (000004) Closing connection for user MAX (00:02:22 connected)
[5] Sun 19Sep99 03:00:18 - (000005) Connected to 149.225.52.143 (Local address 90.0.0.1)
[6] Sun 19Sep99 03:00:18 - (000005) 220 Serv-U FTP-Server v2.5f for WinSock ready...
[5] Sun 19Sep99 03:00:18 - (000005) IP-Name: UNKNOWN
[2] Sun 19Sep99 03:00:23 - (000005) USER Anonymous
[6] Sun 19Sep99 03:00:23 - (000005) 331 User name okay, please send complete E-mail address as password.
[2] Sun 19Sep99 03:00:29 - (000005) PASS lame@over.de
[5] Sun 19Sep99 03:00:29 - (000005) ANONYMOUS logged in, password: LAME@OVER.DE
[6] Sun 19Sep99 03:00:29 - (000005) 230 User logged in, proceed.
[2] Sun 19Sep99 03:00:38 - (000005) CWD C:\
[6] Sun 19Sep99 03:00:38 - (000005) 250 Directory changed to /c:/
[2] Sun 19Sep99 03:00:49 - (000005) PORT 149.225.52.143,19
[6] Sun 19Sep99 03:00:49 - (000005) 200 PORT Command successful.
[2] Sun 19Sep99 03:00:49 - (000005) NLST *.log
[6] Sun 19Sep99 03:00:49 - (000005) 150 Opening ASCII mode data connection for /bin/ls.
[6] Sun 19Sep99 03:00:49 - (000005) 226 Transfer complete.
[2] Sun 19Sep99 03:00:55 - (000005) PORT 149.225.52.143,4,20
[6] Sun 19Sep99 03:00:55 - (000005) 200 PORT Command successful.
[2] Sun 19Sep99 03:00:55 - (000005) RETR ftp.log
[6] Sun 19Sep99 03:00:55 - (000005) 150 Opening ASCII mode data connection for ftp.log (4354 bytes).
[3] Sun 19Sep99 03:00:55 - (000005) Sending file c:\ftp.log
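As an added example (not part of the original text and not Serv-U code), the following Python code shows how a defender could pick the pattern of the first excerpt out of such a log: it flags every source IP that opens many connections within a short window and lists the accounts that logged in from that address, including logins that follow the burst. The function name, the threshold and the window length are assumptions; the sample lines are condensed from the excerpts above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Entry layout as in the excerpts: "[level] Day DDMonYY HH:MM:SS - (session) message"
LINE = re.compile(r"^\[\d\] \w{3} (\d{2}\w{3}\d{2} \d{2}:\d{2}:\d{2}) - \((\d+)\) (.*)$")
CONNECT = re.compile(r"^Connected to (\d+\.\d+\.\d+\.\d+)")
LOGIN = re.compile(r"^User (\S+) logged in")

def detect_bruteforce(lines, max_conns=5, window=timedelta(seconds=10)):
    """Return {ip: {"burst": n, "logins": [users]}} for every source IP that
    opened at least max_conns connections within window (assumed thresholds)."""
    session_ip = {}               # session id -> source IP
    recent = defaultdict(deque)   # ip -> connect timestamps still inside the window
    burst = defaultdict(int)      # ip -> largest number of connects in one window
    logins = defaultdict(list)    # ip -> users that logged in from that address
    for line in lines:
        m = LINE.match(line.strip())
        if not m:                 # entries without a session id (server start) are skipped
            continue
        ts = datetime.strptime(m.group(1), "%d%b%y %H:%M:%S")
        sid, msg = m.group(2), m.group(3)
        if c := CONNECT.match(msg):
            ip = c.group(1)
            session_ip[sid] = ip
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:   # drop connects that fell out of the window
                q.popleft()
            burst[ip] = max(burst[ip], len(q))
        elif (u := LOGIN.match(msg)) and sid in session_ip:
            logins[session_ip[sid]].append(u.group(1))
    return {ip: {"burst": n, "logins": logins[ip]}
            for ip, n in burst.items() if n >= max_conns}

# Sample input condensed from the two excerpts above
SAMPLE = """\
[5] Fri 17Sep99 02:52:39 - (000412) Connected to 193.243.68.128 (Local address 90.0.0.1)
[5] Fri 17Sep99 02:52:39 - (000413) Connected to 193.243.68.128 (Local address 90.0.0.1)
[5] Fri 17Sep99 02:52:39 - (000414) Connected to 193.243.68.128 (Local address 90.0.0.1)
[5] Fri 17Sep99 02:52:39 - (000415) Connected to 193.243.68.128 (Local address 90.0.0.1)
[5] Fri 17Sep99 02:52:39 - (000416) Connected to 193.243.68.128 (Local address 90.0.0.1)
[5] Fri 17Sep99 02:52:39 - (000417) Connected to 193.243.68.128 (Local address 90.0.0.1)
[5] Fri 17Sep99 02:52:39 - (000413) User MAX logged in
[5] Fri 17Sep99 02:53:01 - (000423) Connected to 193.243.68.128 (Local address 90.0.0.1)
[5] Fri 17Sep99 02:53:07 - (000423) User MAX logged in
[5] Sat 18Sep99 21:31:08 - (000001) Connected to 149.225.89.137 (Local address 90.0.0.1)
[5] Sat 18Sep99 21:32:00 - (000001) User THEPOWERANT logged in
""".splitlines()
```

Calling `detect_bruteforce(SAMPLE)` reports only 193.243.68.128, with a burst of six connections and both MAX logins, so the account to lock and the password to reset are visible at once; the ordinary THEPOWERANT session stays below the threshold.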
Shadow Max