18-Aug-2007

FTP access
has been tried several times last month, the logfiles are properly copied to the web but there were quite a lot of much older files, with higher version numbers – and the highest number is only accessed when specifying a file without a version number. So I never saw what happened, except for what was found in operator.log.
In the webs, there is no more path available to the anonymous FTP location since 01-aug-2007, and 31-Jul-2007 actually IS the last date Google accessed it:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from crawl-66-249-66-211.googlebot.com at 31-JUL-2007 12:06:42.55
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from crawl-66-249-66-211.googlebot.com at 31-JUL-2007 12:06:43.26

Good.
Since that date, access is almost daily, and, in some cases, abusive:
01-aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from mail.infordomain.net at 1-AUG-2007 16:42:21.67
02-aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 202.47.240.101 at 2-AUG-2007 00:22:47.10
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 86-39-130-45.realroot.be at 2-AUG-2007 10:19:56.46
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 203.243.165.41 at 2-AUG-2007 13:44:57.81

03-aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 211.234.98.162 at 3-AUG-2007 16:40:06.17
04-aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from melon.cs.pusan.ac.kr at 4-AUG-2007 12:47:17.52
05-aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 209.200.85.174 at 5-AUG-2007 07:08:45.74
%TCPIP-I-FTP_NODE, client host name: 209.200.85.174
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.070804230739p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC000D4: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation

Of course: protection is (S:RWE,O:RWE, G:RE, W:RE)

%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /~tmp/
%TCPIP-I-FTP_OBJ, object: /.tmp/
%TCPIP-I-FTP_OBJ, object: /_tmp/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /vti_test/
%TCPIP-I-FTP_OBJ, object: /_vti_script/
%TCPIP-I-FTP_OBJ, object: /scripst/
%TCPIP-I-FTP_OBJ, object: /bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /c:/

Thinking this is a Windows box?? Read the site info!

%TCPIP-I-FTP_OBJ, object: / /
%TCPIP-I-FTP_OBJ, object: /admin/
%TCPIP-I-FTP_OBJ, object: /admin1/
%TCPIP-I-FTP_OBJ, object: /administrator/
%TCPIP-I-FTP_OBJ, object: /administrator1/
%TCPIP-I-FTP_OBJ, object: /webmaster/
%TCPIP-I-FTP_OBJ, object: /webadmin/
%TCPIP-I-FTP_OBJ, object: /domains/
%TCPIP-I-FTP_OBJ, object: /webroot/
%TCPIP-I-FTP_OBJ, object: /domain/
%TCPIP-I-FTP_OBJ, object: /wwwroot/inetpub/
%TCPIP-I-FTP_OBJ, object: /vhost/
%TCPIP-I-FTP_OBJ, object: /vhosts/
%TCPIP-I-FTP_OBJ, object: /test/
%TCPIP-I-FTP_OBJ, object: /test1/
%TCPIP-I-FTP_OBJ, object: /backup/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /website/
%TCPIP-I-FTP_OBJ, object: /websites/
%TCPIP-I-FTP_OBJ, object: /site/
%TCPIP-I-FTP_OBJ, object: /sites/
%TCPIP-I-FTP_OBJ, object: /www/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /htm/
%TCPIP-I-FTP_OBJ, object: /root/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /aspnet_client/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 209.200.85.174 at 5-AUG-2007 07:08:57.42

06-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 2.129.129.219.broad.hy.gd.dynamic.163data.com.cn at 6-AUG-2007 00:02:06.40
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 203.243.165.41 at 6-AUG-2007 00:39:24.55
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 203.243.165.41 at 6-AUG-2007 18:32:15.35
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 77.250.151.72 at 6-AUG-2007 23:18:24.50
%TCPIP-I-FTP_NODE, client host name: 77.250.151.72
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.070807001834p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC000DA: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_cfg/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /public_html/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_OBJ, object: /www/
%TCPIP-I-FTP_OBJ, object: /html/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /~temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /~tmp/
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 77.250.151.72 at 6-AUG-2007 23:18:47.55

07-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 218.25.11.172 at 7-AUG-2007 15:27:41.65
08-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from mail.infordomain.net at 8-AUG-2007 18:02:17.46
09-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from mail.infordomain.net at 9-AUG-2007 12:47:41.48
11-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 203.243.165.41 at 11-AUG-2007 13:39:51.04
12-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from leopard.icescreen.net at 12-AUG-2007 12:58:21.08
13-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 78.129.138.101 at 13-AUG-2007 22:07:46.14
15-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 78.129.138.101 at 15-AUG-2007 15:21:28.56
16-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from ns38828.ovh.net at 16-AUG-2007 13:02:24.36
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from dslb-088-065-218-138.pools.arcor-ip.net at 16-AUG 2007 17:56:57.23
%TCPIP-I-FTP_NODE, client host name: dslb-088-065-218-138.pools.arcor-ip.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.070816185627p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC000E3: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from dslb-088-065-218-138.pools.arcor-ip.net at 16-AUG-2007 17:56:58.38

17-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from gateway.ezbroadnet.com at 17-AUG-2007 04:43:04.44
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 78.129.138.101 at 17-AUG-2007 14:07:21.83
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from ns38828.ovh.net at 17-AUG-2007 20:25:06.14
%TCPIP-I-FTP_NODE, client host name: ns38828.ovh.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.070817212529p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC000E6: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /download/
%TCPIP-I-FTP_OBJ, object: /access/
%TCPIP-I-FTP_OBJ, object: /admin/
%TCPIP-I-FTP_OBJ, object: /administrator/
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from ns38828.ovh.net at 17-AUG-2007 20:25:07.21

Condensed, that is, because I removed all obvious lines:
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC000E6: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_NODE, client host name: (nodename)
%TCPIP-I-FTP_USER, user name: anonymous

and that saves a LOT of space…
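
The same condensing and flagging can be scripted. The following is an added example, not part of the original post: it groups operator.log lines of the format shown above into sessions and flags the ones that walk through many paths or attempt to create a directory. It assumes sessions are not interleaved in the log; the sample lines, host addresses and the `min_objects` threshold are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

SESCON = re.compile(r"^%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from (\S+) at (.+)$")
OBJ = re.compile(r"^%TCPIP-I-FTP_OBJ, object: (.*)$")
MKDIR_FAIL = re.compile(r"^%TCPIP-I-FTP_CHINFO, \S+ Failed to create directory")

@dataclass
class Session:
    host: str
    when: str
    objects: list = field(default_factory=list)
    mkdir_failures: int = 0

def parse_sessions(lines):
    """Group log lines into sessions (assumes sessions are not interleaved)."""
    sessions, cur = [], None
    for line in (raw.strip() for raw in lines):
        if m := SESCON.match(line):
            cur = Session(m.group(1), m.group(2))
            sessions.append(cur)
        elif line.startswith("%TCPIP-I-FTP_SESDCN"):
            cur = None
        elif cur is not None and (m := OBJ.match(line)):
            cur.objects.append(m.group(1))
        elif cur is not None and MKDIR_FAIL.match(line):
            cur.mkdir_failures += 1
    return sessions

def flag_probes(sessions, min_objects=5):
    """Sessions that requested many objects or tried to create a directory."""
    return [s for s in sessions if len(s.objects) >= min_objects or s.mkdir_failures]

# Constructed sample in the format of the excerpt; hosts are documentation addresses.
SAMPLE = """\
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from crawler.example.net at 1-AUG-2007 16:42:21.67
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 192.0.2.10 at 5-AUG-2007 07:08:45.74
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: DISK:[anonymous.070804p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 192.0.2.10 at 5-AUG-2007 07:08:57.42
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 198.51.100.7 at 6-AUG-2007 00:39:24.55
""".splitlines()
```

A connection that logs no object lines, like most of the single-line entries above, parses as a session with an empty object list and is not flagged.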

The price of being famous?

Once again, someone tries to get credentials using EBay-style messages.
ebay number 3

As usual, you should be alarmed by the full header:

Return-Path: member@ebay.com
Received: from mail.neel.net (71.165.245.13)
by xxxxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Sat, 18 Aug 2007 20:18:13 +0100 (CET)
Received: from User ([202.28.4.25])
by mail.neel.net (Merak 7.6.2) with ASMTP id EAA74438;
Thu, 16 Aug 2007 13:13:34 -0700
From: "ebay"<member@ebay.com>
Subject: confirm your email address on file at eBay
Date: Thu, 16 Aug 2007 11:15:32 +0700
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Outlook Express – so BASIC Internet Explorer – I’m not fooled by such stupidity.
No TO line, and the message actually states:
For security reasons your registered name and email is not included.
Makes sense – since they don’t know it. They want you to supply it to them – and your password….

The mailserver has little or nothing to do with EBay: it’s a Verizon address:

$ dig -x 71.165.245.13

; <<>> DiG 9.3.1 <<>> -x 71.165.245.13
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17107
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;13.245.165.71.in-addr.arpa. IN PTR

;; ANSWER SECTION:
13.245.165.71.in-addr.arpa. 69628 IN PTR mail.neel.net.

;; AUTHORITY SECTION:
245.165.71.in-addr.arpa. 69628 IN NS ns2.verizon.net.
245.165.71.in-addr.arpa. 69628 IN NS ns2.bellatlantic.net.
245.165.71.in-addr.arpa. 69628 IN NS ns4.verizon.net.
245.165.71.in-addr.arpa. 69628 IN NS ns1.bellatlantic.net.

EBay may relay over Verizon or Bell Atlantic, but given the sender is from Thailand:

$ dig -x 202.28.4.25

; <<>> DiG 9.3.1 <<>> -x 202.28.4.25
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15689
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;25.4.28.202.in-addr.arpa. IN PTR

;; ANSWER SECTION:
25.4.28.202.in-addr.arpa. 86400 IN PTR libmod25.lib.kmutt.ac.th.

;; AUTHORITY SECTION:
4.28.202.in-addr.arpa. 86400 IN NS libmod.lib.kmutt.ac.th.

I have my doubts.

More important: the link offered to confirm your email address does NOT point to eBay at all:
<div><FONT face="Arial, Verdana" size=2>To confirm your email address on file at eBay, just click the button to the right: </FONT></div> <div><FONT face="Arial, Verdana" size=2>You can also copy and paste the following link into your web browser: <BR><A onclick="return top.js.OpenExtLink(window,event,this)" href="http://0xcfead15b/signin.ebay.com/ws/index.htm"
target=_blank>http://cgi4.ebay.com/ws<WBR>/eBayISAPI.dll?ChangeEmailConfi<WBR>rm</A>

The address is coded in HEX: 0xcfead15b, and this translates to 207.234.209.91. This is the owner of the address:
Affinity Internet, Inc AFFINITY-207-234-128-0 (NET-207-234-128-0-1)
207.234.128.0 - 207.234.255.255
Affinity Internet, Inc AFFINITY-DEDIATED-207-234-209-0 (NET-207-234-209-0-1)
207.234.209.0 - 207.234.209.255
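
The check done by hand above can be automated when screening mail. This is an added example, not part of the original post: it extracts every anchor from an HTML body, decodes a host written as a single hex, octal or decimal integer into a dotted quad, and flags links whose visible text names a different host than the href. The function names are hypothetical, dotted mixed-radix forms are not handled, and the sample HTML is constructed from the link quoted above plus one benign link.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

def decode_numeric_host(host):
    """Dotted quad for a host written as one hex/octal/decimal integer, else None."""
    try:
        if host.lower().startswith("0x"):
            value = int(host, 16)
        elif host.isdigit():
            value = int(host, 8) if host.startswith("0") and len(host) > 1 else int(host)
        else:
            return None
        return str(ipaddress.IPv4Address(value))
    except ValueError:  # not a number, or outside the IPv4 range
        return None

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Flag anchors whose href host is an encoded IP or differs from the host shown."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.anchors:
        host = urlsplit(href).hostname or ""
        decoded = decode_numeric_host(host)
        shown = urlsplit(text).hostname if "://" in text else None
        if decoded or (shown and shown != host):
            findings.append({"href_host": host, "decoded_ip": decoded, "shown_host": shown})
    return findings

# Constructed sample: first link shortened from the mail quoted above, second is benign.
SAMPLE = ('<A href="http://0xcfead15b/signin.ebay.com/ws/index.htm" target=_blank>'
          'http://cgi4.ebay.com/ws<WBR>/eBayISAPI.dll?ChangeEmailConfi<WBR>rm</A> '
          '<a href="http://www.example.com/help">http://www.example.com/help</a>')
```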