Some keep trying

Just one tried to get into the anonymous area yesterday – this is what OPERATOR.LOG tells:
%%%%%%%%%%% OPCOM 13-FEB-2007 04:15:37.63 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: p548C9062.dip0.t-ipconnect.de
Status: NOPRIV -- File access violation
Object: WEB_DISK2:[public.anonymous.070213041515p]


It has been a long time since I saw these messages. Checking the logging of anonymous FTP, there have been some attempts but it’s all very, very quiet here. However, for some reason the logfiles do not show up in the operator desk, so that’s something to look into.
The oldest – after the link from the main page has been removed – goes back to 13-Nov-2006, and once in a while, once or twice a month, someone comes along to try to host some files. But the area is set to be read_only so that is bound to fail. Since most don’t have a clue what they’re doing, they try to access “standard” files. That is: standard for Linux or Windows, or some packages.

13-FEB-2007 04:15:36.20 User:anonymous logged in ident:Agpuser@home.com from Host:p548C9062.dip0.t-ipconnect.de
13-FEB-2007 04:15:37.54 User:anonymous ident:Agpuser@home.com status:00010001 CWD dir:WEB_DISK2:[public.anonymous]
13-FEB-2007 04:15:39.24 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]tagged
13-FEB-2007 04:15:39.32 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]Tagged
13-FEB-2007 04:15:39.40 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]TaGGeD
13-FEB-2007 04:15:39.48 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]data
13-FEB-2007 04:15:39.57 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]Data
13-FEB-2007 04:15:39.65 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]^%
13-FEB-2007 04:15:39.74 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$SCRATCH^:
13-FEB-2007 04:15:39.82 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]T^^^@gged
13-FEB-2007 04:15:39.90 User:anonymous ident:Agpuser@home.com logged out
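
An added example, not part of the original post: a small Python parser for the anonymous FTP log format shown above that summarises each login and flags sessions with repeated failed CWD commands. The function name `probing_sessions` and the `min_failures` threshold are assumptions made for this sketch; the status field is read with the OpenVMS convention that a condition value with the low bit set means success.

```python
import re
from collections import defaultdict

# Sample input: a subset of the FTP log lines quoted above.
SAMPLE = """
13-FEB-2007 04:15:36.20 User:anonymous logged in ident:Agpuser@home.com from Host:p548C9062.dip0.t-ipconnect.de
13-FEB-2007 04:15:37.54 User:anonymous ident:Agpuser@home.com status:00010001 CWD dir:WEB_DISK2:[public.anonymous]
13-FEB-2007 04:15:39.24 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]tagged
13-FEB-2007 04:15:39.32 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]Tagged
13-FEB-2007 04:15:39.40 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]TaGGeD
13-FEB-2007 04:15:39.48 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]data
13-FEB-2007 04:15:39.57 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]Data
13-FEB-2007 04:15:39.74 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$SCRATCH^:
13-FEB-2007 04:15:39.90 User:anonymous ident:Agpuser@home.com logged out
"""

LOGIN = re.compile(r"User:(\S+) logged in ident:(\S+) from Host:(\S+)")
CWD = re.compile(r"User:(\S+) ident:(\S+) status:([0-9A-Fa-f]{8}) CWD dir:(.*)$")

def probing_sessions(log_text, min_failures=3):
    """Return one summary per login whose failed CWD count reaches min_failures."""
    sessions, current = [], {}
    for line in log_text.splitlines():
        if m := LOGIN.search(line):
            s = {"host": m[3], "ok": 0, "failed": []}
            current[m.group(1, 2)] = s  # later lines carry only user and ident
            sessions.append(s)
        elif (m := CWD.search(line)) and m.group(1, 2) in current:
            s = current[m.group(1, 2)]
            # OpenVMS condition value: low bit set means success.
            if int(m[3], 16) & 1:
                s["ok"] += 1
            else:
                s["failed"].append(m[4])
    report = []
    for s in sessions:
        if len(s["failed"]) < min_failures:
            continue
        spellings = defaultdict(set)
        for d in s["failed"]:
            spellings[d.lower()].add(d)
        # Names retried with different capitalisation, as in the excerpt.
        variants = [sorted(v) for v in spellings.values() if len(v) > 1]
        report.append({"host": s["host"], "ok": s["ok"],
                       "failed": len(s["failed"]), "case_variants": variants})
    return report
```

Calling `probing_sessions(SAMPLE)` returns a single entry for the t-ipconnect.de host with one successful and six failed CWD commands, and two groups of case variants (`tagged` and `data`).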

The same is observed on web access, at some times. The latest proof from last week’s log:

219.122.14.36 - - [07/Feb/2007:19:16:28 +0100] "GET /thisdoesnotexistahaha.php HTTP/1.1" 302 360
219.122.14.36 - - [07/Feb/2007:19:16:28 +0100] "GET /cmd.php HTTP/1.1" 302 360
219.122.14.36 - - [07/Feb/2007:19:16:29 +0100] "GET /cacti/cmd.php HTTP/1.1" 302 360
219.122.14.36 - - [07/Feb/2007:19:16:30 +0100] "GET /portal/cacti/cmd.php HTTP/1.1" 302 360
219.122.14.36 - - [07/Feb/2007:19:16:30 +0100] "GET /portal/cmd.php HTTP/1.1" 302 360
219.122.14.36 - - [07/Feb/2007:19:16:31 +0100] "GET /stats/cmd.php HTTP/1.1" 302 360

but some will drop their attempt directly:
213.247.43.35 - - [11/Feb/2007:07:25:24 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893
