FTP attempts
I walked the FTP logs for a change – it’s very quiet and I don’t bother too much about script kiddies – the vast majority of the attempts are from scripts, and most of them rely on either badly configured Windows systems running the low-end version of IIS (or using Frontpage), and Linux boxes. Like this one a week ago:
In operator.log the attempt to create a directory showed up:
%%%%%%%%%%% OPCOM 20-AUG-2007 21:58:11.02 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: M2147P027.adsl.highway.telekom.at
Status: NOPRIV -- File access violation
Object: WEB_DISK2:[public.anonymous.070820225850p]
Anonymous_ftp.log shows his login and just a few lines – not all:
20-AUG-2007 21:58:09.46 User:anonymous logged in ident:Jgpuser@home.com from Host:M2147P027.adsl.highway.telekom.at
20-AUG-2007 21:58:10.91 User:anonymous ident:Jgpuser@home.com status:00010001 CWD dir:WEB_DISK2:[public.anonymous]
20-AUG-2007 21:58:12.30 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]tagged
20-AUG-2007 21:58:12.38 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]Tagged
20-AUG-2007 21:58:12.45 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]TaGGeD
20-AUG-2007 21:58:12.52 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]data
20-AUG-2007 21:58:12.58 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]Data
20-AUG-2007 21:58:12.66 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]^%
20-AUG-2007 21:58:12.72 User:anonymous ident:Jgpuser@home.com logged out
3 seconds – according to this log, and one that is seen more often. The full FTP_run.log shows the script tried Windows and Linux default locations – and the failed attempt to create a directory, before the above were tried:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from M2147P027.adsl.highway.telekom.at at 20-AUG-2007 21:58:09.08
%TCPIP-I-FTP_NODE, client host name: M2147P027.adsl.highway.telekom.at
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /public/
next, the attempt to create the directory:
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.070820225850p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC000EE: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: M2147P027.adsl.highway.telekom.at
%TCPIP-I-FTP_USER, user name: anonymous
which is signalled in OPERATOR.LOG. It goes on: accessing non-existing directories (either Windows or Linux based):
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /home/
and finally the ones signalled in anonymous_ftp.log:
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]TaGGeD
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]^%
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from M2147P027.adsl.highway.telekom.at at 20-AUG-2007 21:58:12.75
There have been more accesses but these seemed to cut the connection:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 57.c-servers.com at 21-AUG-2007 16:29:30.44
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from unknown76.120.65.69.defenderhosting.com at 21-AUG-2007 19:55:13.88
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 202.62.224.90 at 23-AUG-2007 12:06:20.27
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from us1.dnsbu.com at 23-AUG-2007 16:12:06.56
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 69.1.239.133 at 23-AUG-2007 17:40:18.96
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from us1.dnsbu.com at 24-AUG-2007 00:03:16.19
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 78.129.138.101 at 25-AUG-2007 15:08:13.28
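The pattern in the FTP_run.log above (one session, a burst of well-known default directories, a refused directory creation, all inside a few seconds) is easy to pick out mechanically. The following is an added example, not code from the original post: it groups TCPIP$FTP log lines into sessions between SESCON and SESDCN and flags the scripted ones. The sample log is constructed in the same format, with placeholder host names, and the thresholds (5 distinct paths within 10 seconds) are assumptions.

```python
import re
from datetime import datetime
# Constructed sample in the TCPIP$FTP FTP_run.log format shown above; hosts are placeholders.
SAMPLE_LOG = """\
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from scanner.example.net at 20-AUG-2007 21:58:09.08
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.070820225850p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC000EE: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from scanner.example.net at 20-AUG-2007 21:58:12.75
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from user.example.org at 21-AUG-2007 10:00:00.00
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from user.example.org at 21-AUG-2007 10:03:20.00
"""
SESSION_RE = re.compile(r"^%TCPIP-I-FTP_(SESCON|SESDCN), .* from (\S+) at (\S+ \S+)$")
OBJ_RE = re.compile(r"^%TCPIP-I-FTP_OBJ, object: (.+)$")

def parse_sessions(text):
    """Group FTP_run.log lines into sessions bracketed by SESCON ... SESDCN."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            kind, host, ts = m.groups()
            stamp = datetime.strptime(ts, "%d-%b-%Y %H:%M:%S.%f")
            if kind == "SESCON":
                current = {"host": host, "start": stamp, "end": None, "objects": [], "mkdir_failed": False}
                sessions.append(current)
            elif current is not None:
                current["end"], current = stamp, None  # close the open session
        elif current is not None:
            m = OBJ_RE.match(line)
            if m:
                current["objects"].append(m.group(1))
            elif "Failed to create directory" in line:
                current["mkdir_failed"] = True
    return sessions

def is_probe(session, min_objects=5, max_seconds=10.0):
    """Scanner heuristic: a refused MKD, or many distinct paths walked within seconds."""
    if session["end"] is None:
        return False  # session still open or log truncated: nothing to judge yet
    duration = (session["end"] - session["start"]).total_seconds()
    walked = len(set(session["objects"]))
    return session["mkdir_failed"] or (walked >= min_objects and duration <= max_seconds)
```

Run it over a real FTP_run.log and the flagged sessions are the ones worth a closer look; the quiet, slow session from a human browsing /pub/ is left alone.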
The weblog shows it’s finally realised that overrun attempts will surely fail. That FORUM has been disabled shows up in the log: last week gave just one attempt to push a fake registration directly, and one address tried twice – 3 times in a row – to do so by querying the site, and gave up:
219.207.8.140 - - [21/Aug/2007:01:10:03 +0100] "GET http://www.grootersnet.nl/forums/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 403 864
...
66.232.125.138 - - [21/Aug/2007:01:10:29 +0100] "GET http://www.grootersnet.nl/ HTTP/1.0" 403 864
66.232.125.138 - - [21/Aug/2007:01:10:30 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
66.232.125.138 - - [21/Aug/2007:01:10:31 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
66.232.125.138 - - [21/Aug/2007:01:10:31 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
...
66.232.125.138 - - [22/Aug/2007:02:10:56 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
66.232.125.138 - - [22/Aug/2007:02:10:57 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
66.232.125.138 - - [22/Aug/2007:02:10:58 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
There have also been some other attempts I’ve seen before:
193.195.42.197 - - [25/Aug/2007:00:40:33 +0100] "GET /%20+%20/ HTTP/1.0" 404 868
85.17.181.227 - - [25/Aug/2007:06:45:35 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893
85.17.181.227 - - [25/Aug/2007:06:46:43 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893
62.193.242.99 - - [25/Aug/2007:15:55:18 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893
The errors (4xx) show these all failed. Of course.
I want to make some fun: I’m thinking of creating a file “Docroot:[w00tw00t.at.ISC.SANS.DFind]index.html” or redirect that location to “Noservice”.
See what happens…