FTP and web abuse attempts.

FTP attempts
I walked the FTP logs for a change – it’s very quiet and I don’t bother too much about script kiddies – the vast majority of the attempts are from scripts, and most of them rely on either badly configured Windows systems running the low-end version of IIS (or using Frontpage), or Linux boxes. Like this one a week ago:

In operator.log the attempt to create a directory showed up:

%%%%%%%%%%% OPCOM 20-AUG-2007 21:58:11.02 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: M2147P027.adsl.highway.telekom.at
Status: NOPRIV -- File access violation
Object: WEB_DISK2:[public.anonymous.070820225850p]

Anonymous_ftp.log shows his login and just a few lines – not all:

20-AUG-2007 21:58:09.46 User:anonymous logged in ident:Jgpuser@home.com from Host:M2147P027.adsl.highway.telekom.at
20-AUG-2007 21:58:10.91 User:anonymous ident:Jgpuser@home.com status:00010001 CWD dir:WEB_DISK2:[public.anonymous]
20-AUG-2007 21:58:12.30 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]tagged
20-AUG-2007 21:58:12.38 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]Tagged
20-AUG-2007 21:58:12.45 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]TaGGeD
20-AUG-2007 21:58:12.52 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]data
20-AUG-2007 21:58:12.58 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]Data
20-AUG-2007 21:58:12.66 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]^%
20-AUG-2007 21:58:12.72 User:anonymous ident:Jgpuser@home.com logged out

3 seconds – according to this log, and one that is seen more often. The full FTP_run.log shows the script tried Windows and Linux default locations – and the failed attempt to create a directory, before the above were tried:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from M2147P027.adsl.highway.telekom.at at 20-AUG-2007 21:58:09.08
%TCPIP-I-FTP_NODE, client host name: M2147P027.adsl.highway.telekom.at
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /public/

next, the attempt to create the directory:


%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.070820225850p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC000EE: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: M2147P027.adsl.highway.telekom.at
%TCPIP-I-FTP_USER, user name: anonymous

which is signalled in OPERATOR.LOG. It goes on: accessing non-existing directories (either Windows or Linux based):


%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /home/

and finally the ones signalled in anonymous_ftp.log:


%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]TaGGeD
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]^%
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from M2147P027.adsl.highway.telekom.at at 20-AUG-2007 21:58:12.75

There have been more accesses but these seemed to cut the connection:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 57.c-servers.com at 21-AUG-2007 16:29:30.44
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from unknown76.120.65.69.defenderhosting.com at 21-AUG-2007 19:55:13.88
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 202.62.224.90 at 23-AUG-2007 12:06:20.27
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from us1.dnsbu.com at 23-AUG-2007 16:12:06.56
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 69.1.239.133 at 23-AUG-2007 17:40:18.96
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from us1.dnsbu.com at 24-AUG-2007 00:03:16.19
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 78.129.138.101 at 25-AUG-2007 15:08:13.28

The weblog shows it’s finally realised that overrun attempts will surely fail. That FORUM has been disabled shows up in the log: last week gave just one attempt to push a fake registration directly, and one address tried twice – 3 times in a row – to do so by querying the site, and gave up:

219.207.8.140 - - [21/Aug/2007:01:10:03 +0100] "GET http://www.grootersnet.nl/forums/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 403 864
...
66.232.125.138 - - [21/Aug/2007:01:10:29 +0100] "GET http://www.grootersnet.nl/ HTTP/1.0" 403 864
66.232.125.138 - - [21/Aug/2007:01:10:30 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
66.232.125.138 - - [21/Aug/2007:01:10:31 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
66.232.125.138 - - [21/Aug/2007:01:10:31 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
...
66.232.125.138 - - [22/Aug/2007:02:10:56 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
66.232.125.138 - - [22/Aug/2007:02:10:57 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
66.232.125.138 - - [22/Aug/2007:02:10:58 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748

There have also been some other attempts I’ve seen before:

193.195.42.197 - - [25/Aug/2007:00:40:33 +0100] "GET /%20+%20/ HTTP/1.0" 404 868
85.17.181.227 - - [25/Aug/2007:06:45:35 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893
85.17.181.227 - - [25/Aug/2007:06:46:43 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893
62.193.242.99 - - [25/Aug/2007:15:55:18 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893

The errors (4xx) show these all failed. Of course.
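A way to pull the same findings out of an access log automatically, as an added example (not the author's code). It tags clients by the three patterns visible in the entries above: the forum registration probe, the w00tw00t scanner string, and requests sent with an absolute URI. The sample lines and addresses are constructed, and the repeat threshold of 3 is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same log format as the entries above
# (addresses are documentation ranges, not taken from the post).
SAMPLE_LOG = """\
198.51.100.7 - - [21/Aug/2007:01:10:30 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true HTTP/1.0" 404 748
198.51.100.7 - - [21/Aug/2007:01:10:31 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true HTTP/1.0" 404 748
198.51.100.7 - - [21/Aug/2007:01:10:31 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true HTTP/1.0" 404 748
...
203.0.113.9 - - [25/Aug/2007:06:45:35 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893
192.0.2.44 - - [25/Aug/2007:09:12:01 +0100] "GET /index.html HTTP/1.1" 200 5120
198.51.100.20 - - [21/Aug/2007:01:10:03 +0100] "GET http://www.example.org/forums/profile.php?mode=register&agreed=true HTTP/1.0" 403 864
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Request patterns that appear in the log excerpts on this page.
SIGNATURES = {
    "dfind-scanner": re.compile(r"w00tw00t\.at\.ISC\.SANS"),
    "forum-register-probe": re.compile(r"profile\.php\?mode=register"),
}


def summarize_access_log(log_text, repeat_threshold=3):
    """Return {ip: {"requests", "failed", "tags"}} for every client in the log."""
    per_ip = defaultdict(
        lambda: {"requests": 0, "failed": 0, "targets": Counter(), "tags": set()}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skips elisions ("...") and malformed lines
        entry = per_ip[m["ip"]]
        entry["requests"] += 1
        if m["status"].startswith("4"):
            entry["failed"] += 1
        target = m["target"]
        entry["targets"][target] += 1
        # A full URL in the request line is how proxies are addressed, not origin servers.
        if target.lower().startswith(("http://", "https://")):
            entry["tags"].add("absolute-uri")
        for name, pattern in SIGNATURES.items():
            if pattern.search(target):
                entry["tags"].add(name)
    report = {}
    for ip, entry in per_ip.items():
        if any(n >= repeat_threshold for n in entry["targets"].values()):
            entry["tags"].add("repeated-request")
        report[ip] = {
            "requests": entry["requests"],
            "failed": entry["failed"],
            "tags": sorted(entry["tags"]),
        }
    return report


def suspects(report):
    """Clients that matched at least one pattern."""
    return sorted(ip for ip, entry in report.items() if entry["tags"])


if __name__ == "__main__":
    for ip, entry in summarize_access_log(SAMPLE_LOG).items():
        print(ip, entry)
```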

I want to have some fun: I’m thinking of creating a file “Docroot:[w00tw00t.at.ISC.SANS.DFind]index.html” or redirect that location to “Noservice”.
See what happens…

Another job offer

I received another job offer today. The same one as two days ago – from a different sender, for the same company and another link.

The new header runs:

Return-Path: akstcxylbmnsdgs@xylb.com
Received: from 87-205-210-108.adsl.inetia.pl (87.205.210.108)
by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Fri, 24 Aug 2007 23:14:43 +0100 (CET)
Return-Path: <akstcxylbmnsdgs@xylb.com>
Received: from 218.66.102.106 (HELO mail.xylb.com)
by grootersnet.nl with esmtp (?< ?*A+.7,/0 >)(7)
id S.DCAR-TAHH0N-+)
for willem@grootersnet.nl; Fri, 24 Aug 2007 21:15:33 -0100
Message-ID: <01c7e693$e85df080$6c822ecf@akstcxylbmnsdgs>
From: "Enid Mullen" <akstcxylbmnsdgs@xylb.com>
To: (me)
Subject: job for you
Date: Fri, 24 Aug 2007 21:15:33 -0100
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-2";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2663
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663

So the sender – or relay – is Polish. Or it’s a zombie.
The message-ID is bogus (I didn’t even bother checking), so is the return address. Don’t try explaining a user “akstcxylbmnsdgs” would actually exist. I don’t think there is such a user on XYLB.COM.
However: XYLB.COM does exist (and is valid) otherwise it wouldn’t get so far anyway.

Where the previous sender used MSN, this one seems to use good old Outlook Express. Hardly a professional method, I’d say.

If you follow the link you’ll end up on JSB Register – like the previous job offer – but the link is different:

http://58.65.239.116/zaka/
and in the page, the hidden data is:

<input type="hidden" name="icq" value="zaka">

Job offer

Another way to get control.
Mohammad@northwest.edu (unsure whether this is genuine but I have my doubts)
sent me a mail:

HELLO.

We would like to offer you a job in the JBS REGISTER Company.

We have many vacant positions, and we can grant you perfect and very profitable job.

MINIMAL MONTHLY INCOME: 1500 EURO (2-4 hours of your time is required)

The job is processing of money orders of our clients.

You should have several hours a day for execution of our orders.

EACH CANDIDATE GETS A JOB IN OUR COMPANY.

Please, fill the questionnaire, and in 24 hours you will receive instructions and documents (contract) for beginning of the work.

http://58.65.239.116/buri/

THANK YOU VERY MUCH.

Of course, the first thing to check is the header;

Return-Path: Mohammad@northwestern.edu
Received: from dsl-189-130-158-237.prod-infinitum.com.mx (189.130.158.237)
by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Thu, 23 Aug 2007 03:06:23 +0100 (CET)
Message-ID: <E9E15B67.6162678@northwestern.edu>
Date: Thu, 23 Aug 2007 20:05:31 +0200
From: Mohammad <Mohammad@northwestern.edu>
User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050716)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: (me)
Subject: job offer
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

Mail exchange ? dsl-189-130-158-237.prod-infinitum.com.mx (189.130.158.237) doesn’t seem something from an educational institute…. The address does not refer to a domain, it seems. Prod-Infinitum.com resides in the US, and has another address. It’s a hack, it seems. com.mx doesn’t translate to an address either but gave some Spanish comments:
Meta Keywords:
diseñador, gráfico, freelance, diseño, web, site, sitio, paginas, Internet, animacion, flash, multimedia, mexico, México,
Meta Description:
Portafolios en línea del Diseñador Gráfico Luis Francisco Reyes Aceves

The website (www.com.mx) seems to exist but you have no access.

Northwest.edu has nothing to do with this either. I bet there isn’t even a “Mohammad” user registered:
nslookup northwest.edu
Server: nlutrdc03.nl.hr.group
Address: 172.21.206.1

Name: northwest.edu
This is a university in the Northwest of Ohio.

JSB Register seems to be a known company – Google gave the same IP address. The link in this message leads to a server in Hong Kong, according to the address.
If you follow the link, you get:

[Screenshot: jsb-register fake]

This is the result of a PHP script – or, when filled, it is sent to a PHP application:

<FORM action=form.php method=POST>

But that is the company entry page. If you use the link in the message, the outcome in the browser is exactly the same, but when displaying the source, there is a difference at the end of the message: there is a hidden INPUT item, and that makes it suspicious:
The page linked from Google states:
<input type="hidden" name="icq" value="orig">
and the link from the message states:
<input type="hidden" name="icq" value="buri">

It might be genuine but I have my doubts. I guess their server is hacked….

What would be the outcome if you DID subscribe? Some malware planted on your PC, I assume.
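The comparison done by hand above (and for the “zaka” link in the later message), as an added example that is not the author's code: it extracts the hidden form fields from two copies of a page and reports only the ones that differ. Both sample pages are constructed around the FORM and INPUT lines quoted above; the `fullname` field is made up.

```python
from html.parser import HTMLParser

# Constructed pages: the FORM line and the hidden "icq" field follow the
# snippets quoted in the post, everything else is filler.
REFERENCE_PAGE = """\
<html><body>
<FORM action=form.php method=POST>
<input type="text" name="fullname">
<input type="hidden" name="icq" value="orig">
<input type="submit" value="Send">
</FORM>
</body></html>
"""
LINKED_PAGE = REFERENCE_PAGE.replace('value="orig"', 'value="buri"')


class HiddenInputs(HTMLParser):
    """Collects name -> value for every <input type="hidden">."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag != "input":
            return
        attr = dict(attrs)
        if (attr.get("type") or "").lower() == "hidden" and attr.get("name"):
            self.fields[attr["name"]] = attr.get("value") or ""


def hidden_fields(html):
    parser = HiddenInputs()
    parser.feed(html)
    parser.close()
    return parser.fields


def diff_hidden(reference_html, candidate_html):
    """Return {field: (reference_value, candidate_value)} for fields that differ.

    A value of None means the field is absent from that page.
    """
    ref = hidden_fields(reference_html)
    cand = hidden_fields(candidate_html)
    return {
        name: (ref.get(name), cand.get(name))
        for name in sorted(set(ref) | set(cand))
        if ref.get(name) != cand.get(name)
    }


if __name__ == "__main__":
    print(diff_hidden(REFERENCE_PAGE, LINKED_PAGE))
```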

Paypal again

Another one as if from Paypal
[Screenshot: Paypal-21aug]

if displayed in HTML format – as it is received in Outlook (or Outlook Express, as most innocent users would).

No name – so bogus. Look at the date: 28-Aug-2007, which is two weeks ahead. It might indeed be the date when your account will be abused IF you react to this message.

If you look at the raw data, it’s not that obvious at first glance because the names seem to match:

Return-Path: service@paypal.com
Received: from cpe-71-65-23-167.twmi.res.rr.com (71.65.23.167)
by xxxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Tue, 21 Aug 2007 18:56:32 +0100 (CET)
Received: from 208.188.111.32 by ; Tue, 21 Aug 2007 18:57:49 +0100
Message-ID: <qtprxvpwrckqwbprqtl@msn.com>
From: "PayPal" <service@paypal.com>
Reply-To: "PayPal" <service@paypal.com>
To: (me)
Subject: Restore your account access
Date: Tue, 21 Aug 2007 10:54:49 -0700
X-Mailer: AOL 7.0 for Windows US sub 118
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--2194093895003147"
X-Priority: 1
X-MSMail-Priority: High

However, what about:


X-Mailer: AOL 7.0 for Windows US sub 118

That is America OnLine – an ISP – and I’m pretty sure Paypal has its own servers, and won’t use a broadband- or dial-in service from one of the biggest ISPs in the world.
The sender address from where I got the message is RR.COM – RoadRunner, an ISP located in the US. Not really Paypal…

Nor would Paypal use MSN for sending a message:


Message-ID: <qtprxvpwrckqwbprqtl@msn.com>
X-MSMail-Priority: High
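The header checks applied to this message and to the job offer further down, written out as an added example (not the author's code): the relay named in the topmost Received line, the Message-ID domain and the X-Mailer are each compared against the From domain. The sample headers are constructed with reserved example domains, and the suffix match on host names is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers modelled on the two messages discussed on this page;
# every host, address and ID is a reserved example value.
PHISH = """\
Received: from cpe-10-2-3-4.isp.example (192.0.2.10)
 by mx.recipient.example; Tue, 21 Aug 2007 18:56:32 +0100
Message-ID: <qwertyuiop@webmail.example>
From: "Payments" <service@payments.example>
To: me@recipient.example
Subject: Restore your account access
X-Mailer: AOL 7.0 for Windows US sub 118

(body)
"""

JOB_OFFER = """\
Received: from dsl-198-51-100-7.broadband.example (198.51.100.7)
 by mx.recipient.example; Thu, 23 Aug 2007 03:06:23 +0100
Message-ID: <E9E15B67.6162678@university.example>
From: Someone <someone@university.example>
To: me@recipient.example
Subject: job offer
User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050716)

(body)
"""

# Consumer mail clients the page calls out as unlikely for a corporate sender.
CONSUMER_MAILERS = re.compile(r"\bAOL\b|Outlook Express", re.I)


def _within(host, domain):
    """True if host is the domain itself or a name below it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def header_findings(raw_message):
    """Return a list of mismatch codes; an empty list means nothing stood out."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not from_domain:
        return ["no-from-domain"]
    findings = []
    # The topmost Received line was written by our own server, so it is the
    # only hop that the sender could not forge.
    received = msg.get_all("Received") or []
    relay = re.search(r"from\s+(\S+)", received[0]) if received else None
    if relay and not _within(relay.group(1), from_domain):
        # Triage signal only: mail sent through a third-party provider
        # also lands here.
        findings.append("relay-outside-from-domain")
    mid = re.search(r"@([^>\s]+)", msg.get("Message-ID", ""))
    if mid and not _within(mid.group(1), from_domain):
        findings.append("message-id-domain-mismatch")
    if CONSUMER_MAILERS.search(msg.get("X-Mailer", "")):
        findings.append("consumer-mail-client")
    return findings


if __name__ == "__main__":
    print(header_findings(PHISH))
    print(header_findings(JOB_OFFER))
```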

Looking into the message, the pain is in the central link:

<table width=3D"100%" cellpadding=3D"4" cellspacing=3D"0" border=3D"0" bgc=
olor=3D"#FFFECD" align=3D"center">
<tr><td class=3D"pp_sansserif" align=3D"center">
<a href=3D"http://centrala.junis.ni.ac.yu/.../.paypal/.confirm/index.htm"
title=3D"Please click here to restore your account access">
Please click here to restore your account access</a>
</td></tr></table>

And there are some links at the bottom that do not show up – because they’re behind the </html> tag:

<!-- text below generated by server. PLEASE REMOVE --><!-- Counter/=
Statistics data collection code --><script

language=3D"JavaScript" src=3D"http://hostingprod.com/js_source/geov2.js">=
</script><script language=3D"javascript">geovisit

();</script><noscript><img src=3D"http://visit.webhosting.yahoo.com/visit.=
gif?us1173035983" alt=3D"setstats" border=3D"0" width=3D"1"

height=3D"1"></noscript>

and that’s something you won’t find on a real Paypal message. They have their own servers and will not host on Yahoo.

I checked the node in the link: It looks like a telephone exchange:

[Screenshot: paypal target]

Hacked, most likely, given the stealth location of /.../.confirm (It’s a Unix/Linux box and a dot as first character renders the file (or directory) invisible). No real wonder for a university….

I contacted the site on this.

18-Aug-2007

FTP access
has been tried several times last month, the logfiles are properly copied to the web but there were quite a lot of much older files, with higher version numbers – and the highest number is only accessed when specifying a file without a version number. So I never saw what happened, except for what was found in operator.log.
In the webs, there is no more path available to the anonymous FTP location since 01-aug-2007, and 31-Jul-2007 actually IS the last date Google accessed it:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from crawl-66-249-66-211.googlebot.com at 31-JUL-2007 12:06:42.55
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from crawl-66-249-66-211.googlebot.com at 31-JUL-2007 12:06:43.26

Good.
Since that date, access is almost daily, and, in some cases, abusive:
01-aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from mail.infordomain.net at 1-AUG-2007 16:42:21.67
02-aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 202.47.240.101 at 2-AUG-2007 00:22:47.10
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 86-39-130-45.realroot.be at 2-AUG-2007 10:19:56.46
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 203.243.165.41 at 2-AUG-2007 13:44:57.81

03-aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 211.234.98.162 at 3-AUG-2007 16:40:06.17
04-aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from melon.cs.pusan.ac.kr at 4-AUG-2007 12:47:17.52
05-aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 209.200.85.174 at 5-AUG-2007 07:08:45.74
%TCPIP-I-FTP_NODE, client host name: 209.200.85.174
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.070804230739p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC000D4: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation

Of course: protection is (S:RWE,O:RWE, G:RE, W:RE)

%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /~tmp/
%TCPIP-I-FTP_OBJ, object: /.tmp/
%TCPIP-I-FTP_OBJ, object: /_tmp/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /vti_test/
%TCPIP-I-FTP_OBJ, object: /_vti_script/
%TCPIP-I-FTP_OBJ, object: /scripst/
%TCPIP-I-FTP_OBJ, object: /bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /c:/

Thinking this is a Windows box?? Read the site info!

%TCPIP-I-FTP_OBJ, object: / /
%TCPIP-I-FTP_OBJ, object: /admin/
%TCPIP-I-FTP_OBJ, object: /admin1/
%TCPIP-I-FTP_OBJ, object: /administrator/
%TCPIP-I-FTP_OBJ, object: /administrator1/
%TCPIP-I-FTP_OBJ, object: /webmaster/
%TCPIP-I-FTP_OBJ, object: /webadmin/
%TCPIP-I-FTP_OBJ, object: /domains/
%TCPIP-I-FTP_OBJ, object: /webroot/
%TCPIP-I-FTP_OBJ, object: /domain/
%TCPIP-I-FTP_OBJ, object: /wwwroot/inetpub/
%TCPIP-I-FTP_OBJ, object: /vhost/
%TCPIP-I-FTP_OBJ, object: /vhosts/
%TCPIP-I-FTP_OBJ, object: /test/
%TCPIP-I-FTP_OBJ, object: /test1/
%TCPIP-I-FTP_OBJ, object: /backup/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /website/
%TCPIP-I-FTP_OBJ, object: /websites/
%TCPIP-I-FTP_OBJ, object: /site/
%TCPIP-I-FTP_OBJ, object: /sites/
%TCPIP-I-FTP_OBJ, object: /www/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /htm/
%TCPIP-I-FTP_OBJ, object: /root/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /aspnet_client/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 209.200.85.174 at 5-AUG-2007 07:08:57.42

06-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 2.129.129.219.broad.hy.gd.dynamic.163data.com.cn at 6-AUG-2007 00:02:06.40
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 203.243.165.41 at 6-AUG-2007 00:39:24.55
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 203.243.165.41 at 6-AUG-2007 18:32:15.35
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 77.250.151.72 at 6-AUG-2007 23:18:24.50
%TCPIP-I-FTP_NODE, client host name: 77.250.151.72
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.070807001834p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC000DA: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_cfg/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /public_html/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_OBJ, object: /www/
%TCPIP-I-FTP_OBJ, object: /html/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /~temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /~tmp/
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 77.250.151.72 at 6-AUG-2007 23:18:47.55

07-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 218.25.11.172 at 7-AUG-2007 15:27:41.65
08-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from mail.infordomain.net at 8-AUG-2007 18:02:17.46
09-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from mail.infordomain.net at 9-AUG-2007 12:47:41.48
11-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 203.243.165.41 at 11-AUG-2007 13:39:51.04
12-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from leopard.icescreen.net at 12-AUG-2007 12:58:21.08
13-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 78.129.138.101 at 13-AUG-2007 22:07:46.14
15-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 78.129.138.101 at 15-AUG-2007 15:21:28.56
16-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from ns38828.ovh.net at 16-AUG-2007 13:02:24.36
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from dslb-088-065-218-138.pools.arcor-ip.net at 16-AUG 2007 17:56:57.23
%TCPIP-I-FTP_NODE, client host name: dslb-088-065-218-138.pools.arcor-ip.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.070816185627p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC000E3: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from dslb-088-065-218-138.pools.arcor-ip.net at 16-AUG-2007 17:56:58.38

17-Aug-2007
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from gateway.ezbroadnet.com at 17-AUG-2007 04:43:04.44
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 78.129.138.101 at 17-AUG-2007 14:07:21.83
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from ns38828.ovh.net at 17-AUG-2007 20:25:06.14
%TCPIP-I-FTP_NODE, client host name: ns38828.ovh.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.070817212529p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC000E6: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /download/
%TCPIP-I-FTP_OBJ, object: /access/
%TCPIP-I-FTP_OBJ, object: /admin/
%TCPIP-I-FTP_OBJ, object: /administrator/
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from ns38828.ovh.net at 17-AUG-2007 20:25:07.21

Condensed, that is, because I removed all obvious lines:
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC000E6: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_NODE, client host name: (nodename)
%TCPIP-I-FTP_USER, user name: anonymous

and that saves a LOT of space…
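The same condensing can be scripted. This added example (not the author's code) splits an FTP_RUN.LOG into sessions, drops the repeated lines listed above, and classifies each session as connect-only, directory probe, or refused directory creation, as in both walkthroughs on this page. The sample log is constructed in the page's format with placeholder hosts, and the platform hint patterns are an assumption based on the paths the post singles out.

```python
import re

# Constructed excerpt in the FTP_RUN.LOG format shown on this page
# (hosts are placeholders; the refused directory name is the page's own).
SAMPLE_RUN_LOG = """\
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from crawler.example at 31-JUL-2007 12:06:42.55
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from crawler.example at 31-JUL-2007 12:06:43.26
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 192.0.2.15 at 2-AUG-2007 00:22:47.10
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from dsl-pool.isp.example at 5-AUG-2007 07:08:45.74
%TCPIP-I-FTP_NODE, client host name: dsl-pool.isp.example
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC000D4: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.070804230739p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC000D4: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from dsl-pool.isp.example at 5-AUG-2007 07:08:57.42
"""

SESCON = re.compile(r"^%TCPIP-I-FTP_SESCON, .* connection from (\S+) at (.+)$")
OBJ = re.compile(r"^%TCPIP-I-FTP_OBJ, object: (.*)$")
MKDIR_FAIL = re.compile(r"^%TCPIP-I-FTP_CHINFO, .*Failed to create directory")
# Path families the page points out: FrontPage/IIS names versus Unix-style roots.
PLATFORM_HINTS = {
    "windows/frontpage": re.compile(r"_vti_|wwwroot|inetpub|aspnet_client|^/c:/", re.I),
    "unix": re.compile(r"^/(usr|home|bin|tmp|root)/"),
}


def parse_sessions(text):
    sessions, cur = [], None
    for line in map(str.strip, text.splitlines()):
        m = SESCON.match(line)
        if m:  # a new connection also ends a session that logged no disconnect
            cur = {"host": m[1], "start": m[2], "objects": [], "denied": []}
            sessions.append(cur)
        elif cur is None:
            continue
        elif line.startswith("%TCPIP-I-FTP_SESDCN"):
            cur = None
        elif OBJ.match(line):
            cur["objects"].append(OBJ.match(line)[1])
        elif MKDIR_FAIL.match(line) and cur["objects"]:
            # the OBJ line right before the failure names the refused directory
            cur["denied"].append(cur["objects"].pop())
        # NODE, USER, NOPRIV, BADIRECTORY and other CHINFO lines carry nothing new
    return sessions


def summarize_ftp_log(text):
    report = []
    for s in parse_sessions(text):
        kind = ("mkdir-denied" if s["denied"] else
                "directory-probe" if s["objects"] else "connect-only")
        platforms = sorted(name for name, rx in PLATFORM_HINTS.items()
                           if any(rx.search(o) for o in s["objects"]))
        report.append({"host": s["host"], "start": s["start"], "kind": kind,
                       "probed": len(s["objects"]), "denied": s["denied"],
                       "assumed_platforms": platforms})
    return report


if __name__ == "__main__":
    for row in summarize_ftp_log(SAMPLE_RUN_LOG):
        print(row)
```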