
Attempted Break-ins Resumed


Marc
16th September 2003, 06:16 AM
Yesterday came another round of break-in attempts (all from the same person). Reported to the FBI:

elsmar.com login failures:
Sep 15 17:04:38 elsmar proftpd[24255]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:04:49 elsmar proftpd[24311]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:04 elsmar proftpd[24419]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:10 elsmar proftpd[24716]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:25 elsmar proftpd[24791]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:37 elsmar proftpd[24936]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:40 elsmar proftpd[24954]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:05:52 elsmar proftpd[25067]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:06:24 elsmar proftpd[25324]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:06:29 elsmar proftpd[25346]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:06:42 elsmar proftpd[25404]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:06:51 elsmar proftpd[25521]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:06:53 elsmar proftpd[25545]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:03 elsmar proftpd[25605]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:07 elsmar proftpd[25668]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:18 elsmar proftpd[25711]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:22 elsmar proftpd[25762]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:27 elsmar proftpd[25836]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:33 elsmar proftpd[25868]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:38 elsmar proftpd[25909]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:07:55 elsmar proftpd[26003]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.
Sep 15 17:08:01 elsmar proftpd[26147]: elsmar.com (212.202.36.38[212.202.36.38]) - USER www (Login failed): Incorrect password.

-- End of security output --

Identified as:

domain: qsc.de
descr: QSC AG
descr: Mathias-Brueggen-Str. 55
descr: D-50829 Koeln
descr: Germany
nserver: ns01.qsc.de 213.148.129.11
nserver: ns02.qsc.de 213.148.130.11
status: connect
changed: 20030210 165502
source: DENIC

[admin-c]
Type: PERSON
Name: Christian Ebert
Address: QSC AG
Address: Mathias-Brueggen-Str. 55
City: Koeln
Pcode: 50829
Country: DE
Changed: 20020228 093428
Source: DENIC

[tech-c][zone-c]
Type: ROLE
Name: QSC Hostmaster
Address: QSC AG
Address: Mathias-Brueggen-Str. 55
City: Koeln
Pcode: 50829
Country: DE
Phone: +49 221 66 98 000
Fax: +49 221 66 98 009
Email: kontakt@qsc.de
Changed: 20020228 094104
Source: DENIC

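As an added example (not part of the thread or of any poster's setup), a small Python checker that parses proftpd "Login failed" lines of the shape shown in the report above and flags any source address that piles up failures inside a short window, which is what separates a single forgotten password from the burst reported here. The log format comes from the post; the regex, function names, thresholds and sample lines are this example's own, and the sample addresses are constructed documentation-range IPs rather than the one in the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape of a proftpd "Login failed" line in the daily security report above.
# The regex and field names are this example's own, not proftpd's.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"proftpd\[(?P<pid>\d+)\]: \S+ \((?P<host>[^\[]*)\[(?P<ip>[\d.]+)\]\) - "
    r"USER (?P<user>\S+) \(Login failed\): (?P<reason>.+)$"
)

def parse_line(line, year=2003):
    """Parse one syslog line; return None for anything that is not a proftpd login failure."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "reason": m["reason"]}

def find_bruteforce(lines, threshold=5, window_s=300):
    """Return {ip: {"max_in_window": n, "users": [...]}} for sources with >= threshold failures in any window_s-second span."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(evs)):  # sliding window over time-ordered failures
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = {"max_in_window": best, "users": sorted({e["user"] for e in evs})}
    return hits

# Constructed sample lines (documentation-range addresses), modelled on the report above:
# five failures from one source in two minutes, one stray failure elsewhere, one unrelated sshd line.
SAMPLE = [
    "Sep 15 17:04:38 elsmar proftpd[24255]: elsmar.com (198.51.100.7[198.51.100.7]) - USER www (Login failed): Incorrect password.",
    "Sep 15 17:04:49 elsmar proftpd[24311]: elsmar.com (198.51.100.7[198.51.100.7]) - USER www (Login failed): Incorrect password.",
    "Sep 15 17:05:04 elsmar proftpd[24419]: elsmar.com (198.51.100.7[198.51.100.7]) - USER root (Login failed): Incorrect password.",
    "Sep 15 17:05:25 elsmar proftpd[24791]: elsmar.com (198.51.100.7[198.51.100.7]) - USER www (Login failed): Incorrect password.",
    "Sep 15 17:06:24 elsmar proftpd[25324]: elsmar.com (198.51.100.7[198.51.100.7]) - USER www (Login failed): Incorrect password.",
    "Sep 15 20:11:02 elsmar proftpd[30001]: elsmar.com (203.0.113.9[203.0.113.9]) - USER marc (Login failed): Incorrect password.",
    "Sep 15 20:12:00 elsmar sshd[30100]: Failed password for invalid user test from 203.0.113.9 port 4444 ssh2",
]
```

Running `find_bruteforce(SAMPLE)` flags only 198.51.100.7 (five failures inside five minutes, two usernames tried); the lone failure from 203.0.113.9 and the sshd line do not trigger.
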
Atul Khandekar
16th September 2003, 06:45 AM
Could this be someone who's forgotten his/her correct password and is trying different variations???

Marc
16th September 2003, 07:08 AM
Trying to get root access to the server is NOT someone trying to log into the forums who forgot their password. Those attempts are logged separately.

Nope - the above is typical of someone attempting to get root access. It is an attempt to access the server as ROOT via telnet - not http.

Atul Khandekar
16th September 2003, 07:18 AM
Right. (I must be dreaming...) User www, and it looks like an FTP login attempt!

Marc
16th September 2003, 07:40 AM
If they were FTP failures, I *think* (I'm still learning) it would read sftp-server rather than proftpd. As I understand it, this log (it's a daily log) only records failures of telnet login attempts.

tcsh and sshd are user telnet (insecure) logins which cannot gain root access.

energy
16th September 2003, 09:35 AM
Schuhmachers AG für Finanzmarketing
Investor-Relations-Partner of QSC AG
qsc@schumachers.net
Prinzregentenstraße 68
D-81675 Munich
Tel.: +49 (0) 89 - 48 92 72 -0
Fax: +49 (0) 89 - 48 92 72 -12

QSC AG
Investor Relations
invest@qsc.de
Mathias-Brüggen-Straße 55
D-50829 Cologne
Tel.: +49 (0) 221 - 66 98 -1 12
Fax: +49 (0) 221 - 66 98 -0 09

This is the link to their website. The name in bold is the same as listed in Marc's report. Maybe they want to see how profitable the Cove is. :)

Marc
16th September 2003, 09:52 AM
Probably a script kiddie who routed him/herself through an open proxy on their network. But I don't know enough about cracking servers to spit at - I'm guessing.

Profitable - um, not. More on that later in another thread.

Claes Gefvenberg
16th September 2003, 04:42 PM
I think it would be a good idea to have a look at QSC AG (http://www.qsc.de/). Considering what they do for a living they ought to be able to take prompt action...

More info here: http://www.ripe.net/perl/whois?searchtext=QSC1-RIPE&form_type=simple . Even a request to report hacks...:

role: QSC Internet Services
address: QSC AG
address: Mathias-Brueggen-Str. 55
address: D-50829 Koeln
address: Germany
phone: +49 221 66 98 000
fax-no: +49 221 66 98 009
e-mail: abuse@qsc.de
remarks: ********************************************
remarks: QSC AG - Internet Services Department
remarks: To report SPAM/UCE/Portscans/Hacks please
remarks: contact abuse@qsc.de.
remarks: For peering requests, BGP policy changes
remarks: etc. contact peering@NOSPAM.qsc.de. For
remarks: Routing issues id-ip@NOSPAM.qsc.de. Please
remarks: remove NOSPAM. from email address.
remarks: ********************************************
....


/Claes

Marc
16th September 2003, 05:35 PM
I e-mailed them the log file with routing info this morning advising them of the attempt, and there is an FBI link where I also reported it.

I'll check out the link you posted.