FTP – in OPERATOR.LOG

It has been months since the last attempt to abuse the anonymous FTP account, but in yesterday’s log, there is one:

%%%%%%%%%%% OPCOM 10-MAR-2007 21:53:19.82 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: host104-231-static.110-62-b.business.telecomitalia.it
Status: NOPRIV -- File access violation
Object: WEB_DISK2:[public.anonymous.070310215318p]

In FTP’s run-log, this attempt is shown in full. For readability, I left out (as usual) all extra lines, just showing what’s been attempted:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from host104-231-static.110-62-b.business.telecomitalia.it at 10-MAR-2007 21:53:16.17
%TCPIP-I-FTP_NODE, client host name: host104-231-static.110-62-b.business.telecomitalia.it
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00062: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_NODE, client host name: host104-231-static.110-62-b.business.telecomitalia.it
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00062: Failed to set default directory
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.070310215318p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00062: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: host104-231-static.110-62-b.business.telecomitalia.it
%TCPIP-I-FTP_USER, user name: anonymous

This is the one that shows up in operator.log. The attempts in the last months did not try to create a directory, so that will be the reason those attempts don’t show up in operator.log.

%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]TaGGeD
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]^%

%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from host104-231-static.110-62-b.business.telecomitalia.it at 10-MAR-2007 21:53:23.22

A script, no doubt, and not a very clever one either. No-one is able to type all these attempts within a minute.
The ISP (telecomitalia.it) will be notified.
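
Because only the failed directory creation reaches operator.log, probes that merely walk directories have to be found in the FTP run-log itself. The following is an added example, not part of the original post: it groups run-log lines into sessions and flags the ones that touch many paths faster than a person could type. The function names and the thresholds (5 paths, 2 seconds per path) are assumptions, and the sample is abridged from the excerpt above.

```python
import re
from datetime import datetime

# Sample abridged from the run-log excerpt above (same message formats).
SAMPLE = """\
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from host104-231-static.110-62-b.business.telecomitalia.it at 10-MAR-2007 21:53:16.17
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00062: Failed to set default directory
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.070310215318p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00062: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from host104-231-static.110-62-b.business.telecomitalia.it at 10-MAR-2007 21:53:23.22
"""

SES = re.compile(r"^%TCPIP-I-FTP_SES(CON|DCN), .* from (\S+) at (\S+ \S+)$")
OBJ = re.compile(r"^%TCPIP-I-FTP_OBJ, object: (.+)$")
STAMP = "%d-%b-%Y %H:%M:%S.%f"   # VMS absolute time, e.g. 10-MAR-2007 21:53:16.17

def sessions(text):
    """Return one summary dict per FTP session found in the run-log text."""
    done, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SES.match(line):
            when = datetime.strptime(m.group(3), STAMP)
            if m.group(1) == "CON":
                cur = {"host": m.group(2), "start": when, "objects": [], "nopriv": 0}
            elif cur:
                cur["seconds"] = (when - cur["start"]).total_seconds()
                done.append(cur)
                cur = None
        elif cur and (m := OBJ.match(line)):
            cur["objects"].append(m.group(1))
        elif cur and line.startswith("%SYSTEM-F-NOPRIV"):
            cur["nopriv"] += 1   # the failure the post links to the OPCOM message
    return done

def is_scripted(s, min_objects=5, max_seconds_each=2.0):
    """Flag sessions that touch many distinct paths faster than a person types."""
    n = len(set(s["objects"]))
    return n >= min_objects and s["seconds"] / n <= max_seconds_each

if __name__ == "__main__":
    for s in sessions(SAMPLE):
        print(s["host"], len(s["objects"]), s["seconds"], s["nopriv"], is_scripted(s))
```

Sessions with a zero NOPRIV count are the ones that never appear in operator.log, so the scripted flag is what surfaces them.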