Mail and FTP

Mail
One address, 202.180.255.100, sent a message each minute between 09:15 and 22:30 yesterday. I don’t expect a regular business to be the source; WHOIS tells:

% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 202.180.224.0 - 202.180.255.255
netname: UCMS
descr: United Customer Management Solutions
descr: Melbourne
country: AU
admin-c: CB29-AP
tech-c: CB29-AP

so their system may have been hacked or infected. But as I found the bombardment stopped all of a sudden, they might have found out.
FTP
Now that I can access the FTP logs properly, I could take a look at them, and found no real surprises. The log shows a few of the usual attempts to access the server for abusive reasons. At least, it looks like it:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 84.51.241.54 at 31-JAN-2007 17:50:27.05
%TCPIP-I-FTP_NODE, client host name: 84.51.241.54
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00007: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
and the same for:
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: SYS$LOGIN:
Well, someone who knows something, but quite likely just the basic bits:
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /download/
%TCPIP-I-FTP_OBJ, object: /admin/
%TCPIP-I-FTP_OBJ, object: /administrator/
and then gave up:
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 84.51.241.54 at 31-JAN-2007 17:50:39.48

A few days later, an old “friend” tried it again. I’ve seen this one before:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from pD9ED5E59.dip.t-dialin.net at 1-FEB-2007 09:19:15.93
%TCPIP-I-FTP_NODE, client host name: pD9ED5E59.dip.t-dialin.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00009: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_NODE, client host name: pD9ED5E59.dip.t-dialin.net
and also tried to access:
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: SYS$LOGIN:
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /tagged/
%TCPIP-I-FTP_OBJ, object: /Tagged/
%TCPIP-I-FTP_OBJ, object: /TaGGeD/
%TCPIP-I-FTP_OBJ, object: /data/
%TCPIP-I-FTP_OBJ, object: /Data/
%TCPIP-I-FTP_OBJ, object: /%/
%TCPIP-I-FTP_OBJ, object: /www/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: / /
and gave up:
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from pD9ED5E59.dip.t-dialin.net at 1-FEB-2007 09:19:25.98

As said – I’ve seen this one before.
After two nights’ sleep, another connection from the same network tried a similar script:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from p54BE222A.dip0.t-ipconnect.de at 3-FEB-2007 11:04:33.00
%TCPIP-I-FTP_NODE, client host name: p54BE222A.dip0.t-ipconnect.de
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0000E: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_NODE, client host name: p54BE222A.dip0.t-ipconnect.de
and then to most other “well known” standard locations:
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: SYS$LOGIN:
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT:[000000]tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT:[000000]Tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT:[000000]TaGGeD
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT:[000000]data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT:[000000]Data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT:[000000]%
and disconnected, no harm done:
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from p54BE222A.dip0.t-ipconnect.de at 3-FEB-2007 11:04:37.29

and a few more like this, for example:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from pb115.gostyn.sdi.tpnet.pl at 28-FEB-2007 14:38:53.17
%TCPIP-I-FTP_NODE, client host name: pb115.gostyn.sdi.tpnet.pl
...
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from pb115.gostyn.sdi.tpnet.pl at 28-FEB-2007 14:38:59.78

Guessing passwords over FTP?
However, there was one type of access attempt that I found in failed logins last year:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from jbonofre.net1.nerim.net at 11-FEB-2007 01:26:43.59
%TCPIP-E-FTP_LOGFAL, remote interactive login failure Administrator
-TCPIP-I-FTP_NODE, client host name: jbonofre.net1.nerim.net
-LOGIN-F-NOSUCHUSER, no such user
...
%TCPIP-E-FTP_LOGFAL, remote interactive login failure root
-TCPIP-I-FTP_NODE, client host name: jbonofre.net1.nerim.net
-LOGIN-F-NOSUCHUSER, no such user
...
%TCPIP-E-FTP_LOGFAL, remote interactive login failure admin
-TCPIP-I-FTP_NODE, client host name: jbonofre.net1.nerim.net
-LOGIN-F-NOSUCHUSER, no such user
...
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from p54BE4B6C.dip0.t-ipconnect.de at 12-FEB-2007 08:36:48.29

I haven’t counted the entries, but there are hundreds of them. Probably a “brute force” attempt at guessing passwords? No use if the USER doesn’t exist!
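Both kinds of session shown above (the anonymous login that walks a list of “well known” directories in a few seconds, and the run of FTP_LOGFAL failures for accounts that do not exist) can be picked out of the log automatically. The script below is an added example, not code from this post or from the TCP/IP Services kit: it parses the %TCPIP-I-FTP_* message format shown in the excerpts, groups the lines into sessions, and gives each session a verdict. The sample log is constructed from lines copied from the excerpts above plus one made-up benign session from 192.0.2.10; the thresholds (five distinct objects inside 60 seconds, three login failures) are assumptions chosen for illustration, not numbers from the post.

```python
"""Classify sessions in an OpenVMS TCP/IP Services FTP server log.

Added example (not the post author's code). It assumes the message
formats shown in the post's excerpts and that sessions appear one after
another in the log, as they do in those excerpts.
"""
import re
from datetime import datetime

# Message patterns taken from the excerpts in the post. Matching is done with
# search() because continuation lines start with "-" instead of "%".
RE_SESCON = re.compile(r"FTP_SESCON, FTP SERVER: session connection from (\S+) at (\S+ \S+)")
RE_SESDCN = re.compile(r"FTP_SESDCN, FTP SERVER: session disconnection from (\S+) at (\S+ \S+)")
RE_USER = re.compile(r"FTP_USER, user name: (\S+)")
RE_OBJ = re.compile(r"FTP_OBJ, object: (.*)$")
RE_LOGFAL = re.compile(r"FTP_LOGFAL, remote interactive login failure (\S+)")
RE_NOUSER = re.compile(r"LOGIN-F-NOSUCHUSER")

# Constructed sample: the first two sessions are lines copied from the post,
# the third (192.0.2.10, a documentation address) is a made-up benign visit.
SAMPLE_LOG = """\
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 84.51.241.54 at 31-JAN-2007 17:50:27.05
%TCPIP-I-FTP_NODE, client host name: 84.51.241.54
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00007: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: SYS$LOGIN:
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /download/
%TCPIP-I-FTP_OBJ, object: /admin/
%TCPIP-I-FTP_OBJ, object: /administrator/
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 84.51.241.54 at 31-JAN-2007 17:50:39.48
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from jbonofre.net1.nerim.net at 11-FEB-2007 01:26:43.59
%TCPIP-E-FTP_LOGFAL, remote interactive login failure Administrator
-TCPIP-I-FTP_NODE, client host name: jbonofre.net1.nerim.net
-LOGIN-F-NOSUCHUSER, no such user
%TCPIP-E-FTP_LOGFAL, remote interactive login failure root
-TCPIP-I-FTP_NODE, client host name: jbonofre.net1.nerim.net
-LOGIN-F-NOSUCHUSER, no such user
%TCPIP-E-FTP_LOGFAL, remote interactive login failure admin
-TCPIP-I-FTP_NODE, client host name: jbonofre.net1.nerim.net
-LOGIN-F-NOSUCHUSER, no such user
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 192.0.2.10 at 12-FEB-2007 08:36:48.29
%TCPIP-I-FTP_NODE, client host name: 192.0.2.10
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 192.0.2.10 at 12-FEB-2007 08:37:05.00
"""


def parse_vms_time(text):
    """Parse a VMS timestamp such as '31-JAN-2007 17:50:27.05'."""
    # strptime's %b is case-insensitive, so upper-case month names are fine.
    return datetime.strptime(text, "%d-%b-%Y %H:%M:%S.%f")


def parse_sessions(lines):
    """Group log lines into sessions, one dict per FTP_SESCON.

    Assumption: sessions are sequential, so every line belongs to the most
    recent connection. A busy server interleaves sessions; attributing lines
    by the FTP_NODE host would then be needed instead.
    """
    sessions, current = [], None
    for raw in lines:
        line = raw.strip()
        if m := RE_SESCON.search(line):
            current = {"host": m.group(1), "start": parse_vms_time(m.group(2)),
                       "end": None, "user": None, "objects": [],
                       "failed_logins": [], "no_such_user": 0}
            sessions.append(current)
        elif current is None:
            continue  # text outside any session (e.g. an elided "...")
        elif m := RE_SESDCN.search(line):
            current["end"] = parse_vms_time(m.group(2))
            current = None
        elif m := RE_USER.search(line):
            current["user"] = m.group(1)
        elif m := RE_OBJ.search(line):
            current["objects"].append(m.group(1).strip())
        elif m := RE_LOGFAL.search(line):
            current["failed_logins"].append(m.group(1))
        elif RE_NOUSER.search(line):
            current["no_such_user"] += 1
    return sessions


def classify(session, probe_objects=5, probe_window_s=60, guess_failures=3):
    """Verdict for one session; thresholds are illustrative assumptions."""
    if len(session["failed_logins"]) >= guess_failures:
        return "credential-guessing"
    distinct = len(set(session["objects"]))
    # Without a disconnect line the duration is unknown, so only the count gates.
    in_window = (session["end"] is None or
                 (session["end"] - session["start"]).total_seconds() <= probe_window_s)
    if session["user"] == "anonymous" and distinct >= probe_objects and in_window:
        return "directory-probe"
    return "benign"


def summarize(log_text):
    """Return a list of (host, verdict, detail) for every session in the text."""
    report = []
    for s in parse_sessions(log_text.splitlines()):
        detail = {"user": s["user"], "objects": len(set(s["objects"])),
                  "failed_logins": s["failed_logins"], "no_such_user": s["no_such_user"]}
        report.append((s["host"], classify(s), detail))
    return report


if __name__ == "__main__":
    for host, verdict, detail in summarize(SAMPLE_LOG):
        print(f"{host:28} {verdict:20} {detail}")
```

Run as-is it reports the 84.51.241.54 session as a directory probe (ten distinct objects in about twelve seconds), the nerim.net session as credential guessing (three failures, all for accounts that do not exist), and the constructed 192.0.2.10 visit as benign. The no_such_user counter is worth keeping separately: a run of failures against accounts that do exist is the case that deserves a closer look.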
