For a while now, trojans, and the botnets they work for, have used several techniques for stealing FTP credentials: sniffing unencrypted FTP traffic, grabbing credentials from the saved password files of popular FTP clients, or brute-forcing weak passwords on the server. As a server administrator, you want to detect a compromised FTP account as early as humanly possible.
I have witnessed quite a few of these compromised accounts, and every time there are logins into the account from many different countries, presumably by botnet drones dropping all sorts of malware or who knows what else.
This makes it fairly easy to write a little script that detects whether an account has been compromised, simply by looking at how many different countries it has been accessed from.
Granted, some people travel, but most people will not visit more than 10 countries in a short amount of time.
So I have written a perl script that can be used as a nagios sensor. It grabs the `last` output, does a geoip lookup (using the geoiplookup utility) for each IP address, counts the number of different countries, and, depending on the warning / critical flags, returns the appropriate return value.
```
# ./check_login
User 'weakling' has logins from 33 countries: Egypt Bolivia Taiwan Australia Sweden Switzerland Pakistan Dominican Canada China Peru Indonesia Vietnam Honduras Portugal Trinidad Grenada Turkey Serbia Korea, Mexico United Colombia Brazil Bahrain Japan France Mali South Poland Slovenia India - CRITICAL
```
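As an added example (not the perl script from the post), here is the same check in Python: it parses `last` output, looks up the country of each origin IP, counts distinct countries per user and maps the count to a nagios exit code against warning/critical thresholds. The `last` sample, the IP-to-country table and the thresholds are constructed; without a table the function shells out to geoiplookup, and the parser assumes the origin column holds IP addresses (as with `last -i`) and keeps whole country names rather than the first word, which is what truncates "Dominican" and "Trinidad" in the output above.

```python
import re
import subprocess
from collections import defaultdict

OK, WARNING, CRITICAL = 0, 1, 2  # nagios plugin return codes

# Constructed `last` output (not from the post), in util-linux `last` format:
# user, tty, origin, then timestamp columns; footer and reboot lines included.
SAMPLE_LAST = """\
weakling pts/0    203.0.113.10  Mon Mar  1 02:11 - 02:15  (00:04)
weakling pts/1    198.51.100.7  Mon Mar  1 02:30 - 02:31  (00:01)
weakling pts/0    192.0.2.44    Mon Mar  1 03:02 - 03:09  (00:07)
weakling pts/2    203.0.113.10  Mon Mar  1 04:40 - 04:41  (00:01)
alice    pts/0    192.0.2.44    Mon Mar  1 09:00 - 17:00  (08:00)
reboot   system boot  5.10.0-amd64 Sun Feb 28 23:00   still running

wtmp begins Sun Feb 28 23:00:00 2021
"""
# Constructed IP -> country table standing in for geoiplookup (RFC 5737
# documentation addresses, so the countries are invented).
SAMPLE_GEO = {"203.0.113.10": "Egypt", "198.51.100.7": "Bolivia", "192.0.2.44": "Taiwan"}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def geoip_country(ip, table=None):
    """Country for ip: from the table if given, else the text after the last
    comma of `geoiplookup` output ("GeoIP Country Edition: EG, Egypt")."""
    if table is not None:
        return table.get(ip, "Unknown")
    out = subprocess.run(["geoiplookup", ip], capture_output=True, text=True).stdout
    return out.rsplit(",", 1)[-1].strip() if "," in out else "Unknown"

def countries_per_user(last_output, table=None):
    """Map each user in `last` output to the set of countries they logged in from."""
    seen = defaultdict(set)
    for line in last_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] in ("reboot", "wtmp"):
            continue  # blank line, reboot record or the "wtmp begins" footer
        if IPV4.match(parts[2]):  # hostnames/local logins carry no IP to geolocate
            seen[parts[0]].add(geoip_country(parts[2], table))
    return seen

def check_user(last_output, user, warn=5, crit=10, table=None):
    """Nagios-style check: returns (exit code, status line) for one user."""
    countries = sorted(countries_per_user(last_output, table).get(user, set()))
    n = len(countries)
    status, code = ("CRITICAL", CRITICAL) if n >= crit else ("WARNING", WARNING) if n >= warn else ("OK", OK)
    return code, f"User '{user}' has logins from {n} countries: {' '.join(countries)} - {status}"
```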
Grab it here.