Another FTP script
They come and go. There has been another attempt to access Diana as if it were a Windows or Linux box:
%%%%%%%%%%% OPCOM 10-OCT-2007 22:56:22.43 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: s12.mgw-servers.de
Status: NOPRIV -- File access violation
Object: WEB_DISK2:[public.anonymous.071010235608p]
It took less than a minute.
The script starts with creating a directory – whci, of course, fails:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from s12.mgw-servers.de at 10-OCT-2007 22:56:21.45
%TCPIP-I-FTP_NODE, client host name: s12.mgw-servers.de
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.071010235608p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0000D: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: s12.mgw-servers.de
and next, a larger list of directories is accessed:
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /public_html/
%TCPIP-I-FTP_OBJ, object: /public_ftp/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /tagged/
%TCPIP-I-FTP_OBJ, object: / /
%TCPIP-I-FTP_OBJ, object: /%/
%TCPIP-I-FTP_OBJ, object: /data/
%TCPIP-I-FTP_OBJ, object: /inetpub/
%TCPIP-I-FTP_OBJ, object: /Tagged/
%TCPIP-I-FTP_OBJ, object: /TaGGeD/
%TCPIP-I-FTP_OBJ, object: /income/
%TCPIP-I-FTP_OBJ, object: /recieved/
%TCPIP-I-FTP_OBJ, object: /download/
%TCPIP-I-FTP_OBJ, object: /My Shared Folder/
%TCPIP-I-FTP_OBJ, object: /_kurdt/
%TCPIP-I-FTP_OBJ, object: /.htaccess/
%TCPIP-I-FTP_OBJ, object: /.private/
%TCPIP-I-FTP_OBJ, object: /~tmp/
%TCPIP-I-FTP_OBJ, object: /~temp/
%TCPIP-I-FTP_OBJ, object: /html/
%TCPIP-I-FTP_OBJ, object: /www/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_txt/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_log/
%TCPIP-I-FTP_OBJ, object: /anonymous/outgoing/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /_vti_cfg/
%TCPIP-I-FTP_OBJ, object: /site/
%TCPIP-I-FTP_OBJ, object: /page/
%TCPIP-I-FTP_OBJ, object: /ftp/
%TCPIP-I-FTP_OBJ, object: /new/
%TCPIP-I-FTP_OBJ, object: /root/
%TCPIP-I-FTP_OBJ, object: /stuff/
%TCPIP-I-FTP_OBJ, object: /dir/
%TCPIP-I-FTP_OBJ, object: /dirs/
%TCPIP-I-FTP_OBJ, object: /pass/
%TCPIP-I-FTP_OBJ, object: /log/
%TCPIP-I-FTP_OBJ, object: /folder/
%TCPIP-I-FTP_OBJ, object: /recycler/
%TCPIP-I-FTP_OBJ, object: /sql/
%TCPIP-I-FTP_OBJ, object: /MS_OFFICE2K/
%TCPIP-I-FTP_OBJ, object: /Printer Drivers/
%TCPIP-I-FTP_OBJ, object: /ww/
%TCPIP-I-FTP_OBJ, object: /webctrlsamp/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_OBJ, object: /bin/
%TCPIP-I-FTP_OBJ, object: /OFFICE/
%TCPIP-I-FTP_OBJ, object: /bilder/
%TCPIP-I-FTP_OBJ, object: /admin/
%TCPIP-I-FTP_OBJ, object: /file/
%TCPIP-I-FTP_OBJ, object: /img/
%TCPIP-I-FTP_OBJ, object: /logging/
%TCPIP-I-FTP_OBJ, object: /website/
%TCPIP-I-FTP_OBJ, object: /site/
%TCPIP-I-FTP_OBJ, object: /inetpub/wwwroot/
%TCPIP-I-FTP_OBJ, object: /inetpub/www/
%TCPIP-I-FTP_OBJ, object: /wwwroot/www/
%TCPIP-I-FTP_OBJ, object: /dump/
%TCPIP-I-FTP_OBJ, object: /de/
%TCPIP-I-FTP_OBJ, object: /sitedump/
%TCPIP-I-FTP_OBJ, object: /archives/
%TCPIP-I-FTP_OBJ, object: /WUTemp/
%TCPIP-I-FTP_OBJ, object: /win.asp/
%TCPIP-I-FTP_OBJ, object: /inetpub/
%TCPIP-I-FTP_OBJ, object: /en/
%TCPIP-I-FTP_OBJ, object: /lang/
%TCPIP-I-FTP_OBJ, object: /language/
%TCPIP-I-FTP_OBJ, object: /WinNT/
%TCPIP-I-FTP_OBJ, object: /WINDOWS/
All fail because of ” invalid directory syntax”
It might be that the script tries to PUSH data onto the system, not GET. The log does not mention it.
I tried the source. This seems to be a start-up company, stating to be (translated from German) “A company of today with the technology and know-how of tomorrow”. Their website isn’t ready yet.
Nor is their security.
If this is tomorrow’s technology and know-how, I have no confidence in it. My quite basic, 30-year old OpenVMS installation does a much better job without the fancy stuff.
I have signalled the attempt to them. Wait and seen what comes out of it.
UPDATE
I got a message stating it should be sent to their ABUSE address, so I did. From there, I got the message the message was forwarded to their customer. It might be genuine but what if that customer caused the problems?