I have been reviewing my auth.log file on my server and have been noticing an increasing number of break-in attempts to my FTP and SSH servers. The IPs the attacks originate from can be traced back to China, Russia or South America using a reverse IP lookup. I am sure this is just a proxy the attacker is using to mask his real location. I can only speculate as to the intention of these various attackers. My hypothesis is the attackers are trying to create a botnet they can use for phishing / spam / DDoS attacks.
My plan is to create a virtual machine using VirtualBox with LAMP, FTP and SSH installed.
It will be located in a DMZ (all ports open).
I will create accounts with easily hackable passwords such as: username: admin / password: admin; username: admin / password: password.
If things get really out of hand I can just close the virtual machine or just take the IP out of the DMZ and back behind my firewall. I will be starting on this project very soon. Once it gets going I will copy some of the output from my log files so it can be shown exactly what these guys are trying to do. Look for an update soon.
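For reviewing the SSH side of auth.log on a setup like this, the following is an added example and not part of the original post: it tallies failed logins per source IP and flags any accepted login that follows failures from the same address. It assumes the stock OpenSSH syslog message format; the sample lines, the `summarize` name and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH syslog format (not real log data).
SAMPLE_LOG = """\
Mar  3 04:12:01 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 04:12:04 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 04:12:09 host sshd[2215]: Failed password for root from 203.0.113.7 port 51162 ssh2
Mar  3 04:15:40 host sshd[2301]: Failed password for root from 198.51.100.23 port 40022 ssh2
Mar  3 04:16:02 host sshd[2310]: Accepted password for admin from 198.51.100.23 port 40051 ssh2
Mar  3 04:20:11 host sshd[2400]: Accepted publickey for deploy from 192.0.2.10 port 60000 ssh2
"""

# "invalid user" is logged when the account does not exist on the host.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text, threshold=3):
    """Summarize sshd authentication events found in auth.log text."""
    failed_by_ip = Counter()   # failed attempts per source address
    users_tried = Counter()    # usernames the failed attempts targeted
    suspicious_logins = []     # (ip, user) accepted after earlier failures
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # not an sshd accept/fail line
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failed_by_ip[ip] += 1
            users_tried[user] += 1
        elif failed_by_ip[ip] > 0:
            # A success from an address that was guessing moments ago.
            suspicious_logins.append((ip, user))
    noisy = sorted(ip for ip, n in failed_by_ip.items() if n >= threshold)
    return {
        "failed_by_ip": dict(failed_by_ip),
        "users_tried": dict(users_tried),
        "noisy_ips": noisy,
        "suspicious_logins": suspicious_logins,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To run it against a real file, pass the file's contents to `summarize` in place of `SAMPLE_LOG`.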