Category: Security

Just three since last reboot.
The first to occur was rather standard – a script running just within 20 seconds:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 87-205-178-181.adsl.inetia.pl at 15-NOV-2007 07:43:23.94
%TCPIP-I-FTP_NODE, client host name: 87-205-178-181.adsl.inetia.pl
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.071115074346p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0000F: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: 87-205-178-181.adsl.inetia.pl
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_cfg/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /public_html/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_OBJ, object: /www/
%TCPIP-I-FTP_OBJ, object: /html/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /~temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /~tmp/
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/

%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 87-205-178-181.adsl.inetia.pl at 15-NOV-2007 07:43:41.08

and two other ones, that broke and logged out on failure:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 91.186.25.132 at 15-NOV-2007 09:17:38.43
%TCPIP-I-FTP_NODE, client host name: 91.186.25.132
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.test]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00010: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 91.186.25.132 at 15-NOV-2007 09:17:39.04

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 202.181.208.119 at 15-NOV-2007 19:47:28.53
%TCPIP-I-FTP_NODE, client host name: 202.181.208.119
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.test]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00011: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 202.181.208.119 at 15-NOV-2007 19:47:31.94

Each failure in creating the directory is signalled in Operator.log.

If you run WordPress, take care on this issue:

How to access the database is stored in module wp-config.php, in your blogs root directory. This file needs to be readable by the PHP engine, based on the UIC. ACL’s are not enough, the current PHP implementation on VMS doesn’t take these in account.
Not that it would help much, since the PHP engine will run under the webserver’s account (or one closely related, depending on the server). in other words: the webserver will ba able to read the file.
So will any user, if he gains access to the file!
In itself, it doesn’t have to be a problem, but if for some reason, the used has access to the directory itself, your database is wide open.

To prevent this to happen, move database access data: the databnase name, username, password and host at least, eventually the suffix, from wp-config.php and store it in a separate file, that is then included in wp-config.php. Store the file in a location that is NOT accessable over the web.

An example: this is the original wp-config.php:

< ?php // ** MySQL settings ** // define('DB_NAME', 'WPDB'); // The name of the database define('DB_USER', 'MyBlogMgr'); // Your MySQL username define('DB_PASSWORD', 'MyDBPassword'); // ...and password define('DB_HOST', 'localhost'); // 99% chance you won't need to change this // You can have multiple installations in one database if you give each a uniqu $table_prefix = 'prfx_'; // Only numbers, letters, and underscores please! // Change this to localize WordPress. A corresponding MO file for the // chosen language must be installed to wp-includes/languages. // For example, install de.mo to wp-includes/languages and set WPLANG to 'de' // to enable German language support. define ('WPLANG', ''); /* That's all, stop editing! Happy blogging. */ define('ABSPATH', dirname(__FILE__).'/'); require_once(ABSPATH.'wp-settings.php'); ?>

This is the new one:

< ?php require_once('/closet/dbaccess.php'); // Change this to localize WordPress. A corresponding MO file for the // chosen language must be installed to wp-includes/languages. // For example, install de.mo to wp-includes/languages and set WPLANG to 'de' // to enable German language support. define ('WPLANG', ''); /* That's all, stop editing! Happy blogging. */ define('ABSPATH', dirname(__FILE__).'/'); require_once(ABSPATH.'wp-settings.php'); ?>

The included file “closet:dbaccess.php” contains the sensitive data:

< ?php // ** MySQL settings ** // define('DB_NAME', 'WPDB'); // The name of the database define('DB_USER', 'MyBlogMgr'); // Your MySQL username define('DB_PASSWORD', 'MyDBPassword'); // ...and password define('DB_HOST', 'localhost'); // 99% chance you won't need to change this // You can have multiple installations in one database if you give each a uniqu $table_prefix = 'prfx_'; // Only numbers, letters, and underscores please! ?>

Closet is a logical, referring to some location on the system that is inaccesable from the webserver (there is no mapping so the server will not be able to connect to it):

$ DEFINE/SYSTEM CLOSET SECDISK:[SECURED]

and have the directory W:E protection, and all files W:R.

Now the blog is normally accessable, and the sensitive data is hidden for the world.

Another FTP script
They come and go. There has been another attempt to access Diana as if it were a Windows or Linux box:

%%%%%%%%%%% OPCOM 10-OCT-2007 22:56:22.43 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: s12.mgw-servers.de
Status: NOPRIV -- File access violation
Object: WEB_DISK2:[public.anonymous.071010235608p]

It took less than a minute.
The script starts with creating a directory – whci, of course, fails:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from s12.mgw-servers.de at 10-OCT-2007 22:56:21.45
%TCPIP-I-FTP_NODE, client host name: s12.mgw-servers.de
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.071010235608p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0000D: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: s12.mgw-servers.de

and next, a larger list of directories is accessed:

%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /public_html/
%TCPIP-I-FTP_OBJ, object: /public_ftp/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /tagged/
%TCPIP-I-FTP_OBJ, object: / /
%TCPIP-I-FTP_OBJ, object: /%/
%TCPIP-I-FTP_OBJ, object: /data/
%TCPIP-I-FTP_OBJ, object: /inetpub/
%TCPIP-I-FTP_OBJ, object: /Tagged/
%TCPIP-I-FTP_OBJ, object: /TaGGeD/
%TCPIP-I-FTP_OBJ, object: /income/
%TCPIP-I-FTP_OBJ, object: /recieved/
%TCPIP-I-FTP_OBJ, object: /download/
%TCPIP-I-FTP_OBJ, object: /My Shared Folder/
%TCPIP-I-FTP_OBJ, object: /_kurdt/
%TCPIP-I-FTP_OBJ, object: /.htaccess/
%TCPIP-I-FTP_OBJ, object: /.private/
%TCPIP-I-FTP_OBJ, object: /~tmp/
%TCPIP-I-FTP_OBJ, object: /~temp/
%TCPIP-I-FTP_OBJ, object: /html/
%TCPIP-I-FTP_OBJ, object: /www/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_txt/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_log/
%TCPIP-I-FTP_OBJ, object: /anonymous/outgoing/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /_vti_cfg/
%TCPIP-I-FTP_OBJ, object: /site/
%TCPIP-I-FTP_OBJ, object: /page/
%TCPIP-I-FTP_OBJ, object: /ftp/
%TCPIP-I-FTP_OBJ, object: /new/
%TCPIP-I-FTP_OBJ, object: /root/
%TCPIP-I-FTP_OBJ, object: /stuff/
%TCPIP-I-FTP_OBJ, object: /dir/
%TCPIP-I-FTP_OBJ, object: /dirs/
%TCPIP-I-FTP_OBJ, object: /pass/
%TCPIP-I-FTP_OBJ, object: /log/
%TCPIP-I-FTP_OBJ, object: /folder/
%TCPIP-I-FTP_OBJ, object: /recycler/
%TCPIP-I-FTP_OBJ, object: /sql/
%TCPIP-I-FTP_OBJ, object: /MS_OFFICE2K/
%TCPIP-I-FTP_OBJ, object: /Printer Drivers/
%TCPIP-I-FTP_OBJ, object: /ww/
%TCPIP-I-FTP_OBJ, object: /webctrlsamp/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_OBJ, object: /bin/
%TCPIP-I-FTP_OBJ, object: /OFFICE/
%TCPIP-I-FTP_OBJ, object: /bilder/
%TCPIP-I-FTP_OBJ, object: /admin/
%TCPIP-I-FTP_OBJ, object: /file/
%TCPIP-I-FTP_OBJ, object: /img/
%TCPIP-I-FTP_OBJ, object: /logging/
%TCPIP-I-FTP_OBJ, object: /website/
%TCPIP-I-FTP_OBJ, object: /site/
%TCPIP-I-FTP_OBJ, object: /inetpub/wwwroot/
%TCPIP-I-FTP_OBJ, object: /inetpub/www/
%TCPIP-I-FTP_OBJ, object: /wwwroot/www/
%TCPIP-I-FTP_OBJ, object: /dump/
%TCPIP-I-FTP_OBJ, object: /de/
%TCPIP-I-FTP_OBJ, object: /sitedump/
%TCPIP-I-FTP_OBJ, object: /archives/
%TCPIP-I-FTP_OBJ, object: /WUTemp/
%TCPIP-I-FTP_OBJ, object: /win.asp/
%TCPIP-I-FTP_OBJ, object: /inetpub/
%TCPIP-I-FTP_OBJ, object: /en/
%TCPIP-I-FTP_OBJ, object: /lang/
%TCPIP-I-FTP_OBJ, object: /language/
%TCPIP-I-FTP_OBJ, object: /WinNT/
%TCPIP-I-FTP_OBJ, object: /WINDOWS/

All fail because of ” invalid directory syntax”
It might be that the script tries to PUSH data onto the system, not GET. The log does not mention it.
I tried the source. This seems to be a start-up company, stating to be (translated from German) “A company of today with the technology and know-how of tomorrow”. Their website isn’t ready yet.
Nor is their security.
If this is tomorrow’s technology and know-how, I have no confidence in it. My quite basic, 30-year old OpenVMS installation does a much better job without the fancy stuff.

I have signalled the attempt to them. Wait and seen what comes out of it.
UPDATE
I got a message stating it should be sent to their ABUSE address, so I did. From there, I got the message the message was forwarded to their customer. It might be genuine but what if that customer caused the problems?