An honest hacker

Found this in operator.log:

%%%%%%%%%%% OPCOM 29-DEC-2007 21:23:47.65 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: goldzulu.takethishost.net
Status: NOPRIV -- File access violation
Object: WEB_DISK2:[public.anonymous.test]

FTP log shows he made just one attempt and left:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from goldzulu.takethishost.net at 29-DEC-2007 21:23:46.40
%TCPIP-I-FTP_NODE, client host name: goldzulu.takethishost.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.test]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00036: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from goldzulu.takethishost.net at 29-DEC-2007 21:23:47.81
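
An added example, not part of the original post: a small Python parser that groups TCPIP$FTP log messages like the ones above into sessions and picks out anonymous sessions that ran into a protection violation. The function names and the dictionary layout are assumptions made for this sketch; the sample input is the log excerpt quoted above.

```python
import re
from datetime import datetime

# The FTP log lines quoted in the post, embedded so the example runs offline.
SAMPLE_LOG = """\
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from goldzulu.takethishost.net at 29-DEC-2007 21:23:46.40
%TCPIP-I-FTP_NODE, client host name: goldzulu.takethishost.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.test]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00036: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from goldzulu.takethishost.net at 29-DEC-2007 21:23:47.81
"""

MSG = re.compile(r"^%[A-Z0-9$_]+-[A-Z]-(?P<ident>[A-Z0-9_]+),\s*(?P<text>.*)$")  # %FACILITY-SEVERITY-IDENT, text
PEER = re.compile(r"from (\S+) at (\S+ \S+)$")

def vms_time(stamp):
    return datetime.strptime(stamp, "%d-%b-%Y %H:%M:%S.%f")

def parse_sessions(log_text):
    """Group messages into sessions bounded by FTP_SESCON / FTP_SESDCN."""
    sessions, cur = [], None
    for line in log_text.splitlines():
        m = MSG.match(line.strip())
        if not m:
            continue
        ident, text = m["ident"], m["text"]
        peer = PEER.search(text)
        if ident == "FTP_SESCON" and peer:
            cur = {"host": peer[1], "start": vms_time(peer[2]), "user": None,
                   "objects": [], "denied": 0, "seconds": None}
        elif cur is None:
            continue  # message outside any session (e.g. truncated log)
        elif ident == "FTP_USER":
            cur["user"] = text.split(":", 1)[1].strip()
        elif ident == "FTP_OBJ":
            cur["objects"].append(text.split(":", 1)[1].strip())
        elif ident == "NOPRIV":
            cur["denied"] += 1
        elif ident == "FTP_SESDCN" and peer:
            cur["seconds"] = (vms_time(peer[2]) - cur["start"]).total_seconds()
            sessions.append(cur)
            cur = None
    return sessions

def denied_anonymous(sessions):
    """Sessions where the anonymous account hit a protection violation."""
    return [s for s in sessions if s["user"] == "anonymous" and s["denied"]]
```

On the excerpt above this yields one session from goldzulu.takethishost.net: one object touched, one NOPRIV, and 1.41 seconds between connection and disconnection.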

Mind the domain name: I would not expect such honesty about the intentions from a malicious user!
Believe it or not: the node and domain lead to an address in the US, and dig gave this info on the host:

$ dig goldzulu.takethishost.net

; <<>> DiG 9.3.1 <<>> goldzulu.takethishost.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54539
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1

;; QUESTION SECTION:
;goldzulu.takethishost.net. IN A

;; ANSWER SECTION:
goldzulu.takethishost.net. 900 IN A 66.98.228.61

;; AUTHORITY SECTION:
takethishost.net. 14400 IN NS ns1.takethishost.net.
takethishost.net. 14400 IN NS ns2.takethishost.net.
takethishost.net. 14400 IN NS ns3.takethishost.net.

;; ADDITIONAL SECTION:
ns3.takethishost.net. 14400 IN A 209.85.25.142

;; Query time: 796 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 31 16:23:23 2007
;; MSG SIZE rcvd: 129

and on the address:

$ dig -x 66.98.228.61

; <<>> DiG 9.3.1 <<>> -x 66.98.228.61
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8305
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;61.228.98.66.in-addr.arpa. IN PTR

;; ANSWER SECTION:
61.228.98.66.in-addr.arpa. 86400 IN PTR goldzulu.takethishost.net.

;; AUTHORITY SECTION:
228.98.66.in-addr.arpa. 259200 IN NS ns1.ev1servers.net.
228.98.66.in-addr.arpa. 259200 IN NS ns2.ev1servers.net.

;; ADDITIONAL SECTION:
ns1.ev1servers.net. 172800 IN A 207.218.245.135
ns2.ev1servers.net. 172800 IN A 207.218.247.135

;; Query time: 2718 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 31 16:20:18 2007
;; MSG SIZE rcvd: 161

WHOIS gave this on the domain:

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: TAKETHISHOST.NET
Registrar: TUCOWS INC.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net
Name Server: NS1.TAKETHISHOST.NET
Name Server: NS2.TAKETHISHOST.NET
Status: ok
Updated Date: 03-jan-2007
Creation Date: 15-jan-2004
Expiration Date: 15-jan-2008

so it will expire within a few weeks. Probably hijacked? Or deliberately set up for the purpose some time ago? Who knows...