[NTLUG:Discuss] FTP Server Activity...

asenec@senechalle.net asenec at senechalle.net
Wed Jul 24 15:38:12 CDT 2002


I've seen *lots* of such activity on our servers for quite some time now.
For example:

sun:/var/log# grep gpuser xferlog | more
Aug 28 03:56:58 sun[daemon.info] ftpd[4378]: ANONYMOUS FTP LOGIN FROM pD9E1C4B3.dip.t-dialin.net [217.225.196.179], Sgpuser at home.com
Sep 19 15:17:19 sun[daemon.info] ftpd[19885]: ANONYMOUS FTP LOGIN FROM pD951B31E.dip.t-dialin.net [217.81.179.30], Agpuser at home.com
Sep 19 15:17:19 sun[daemon.info] ftpd[19887]: ANONYMOUS FTP LOGIN FROM pD951B31E.dip.t-dialin.net [217.81.179.30], Agpuser at home.com
Sep 19 15:18:15 sun[daemon.info] ftpd[21764]: ANONYMOUS FTP LOGIN FROM pD951B31E.dip.t-dialin.net [217.81.179.30], Wgpuser at home.com
Sep 23 17:54:18 sun[daemon.info] ftpd[30475]: ANONYMOUS FTP LOGIN FROM pD954049C.dip.t-dialin.net [217.84.4.156], Zgpuser at home.com

It comes from all over the Net.

Annette

> From jrnewsletters at jcrcomputing.com Wed Jul 24 14:55:39 2002
> From: JR Newsletters <jrnewsletters at jcrcomputing.com>
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1b) Gecko/20020722
> X-Accept-Language: en-us, en
> MIME-Version: 1.0
> To: discuss at ntlug.org
> Content-Transfer-Encoding: 7bit
> Subject: [NTLUG:Discuss] FTP Server Activity...
> X-BeenThere: discuss at ntlug.org
> X-Mailman-Version: 2.0.11
> List-Help: <mailto:discuss-request at ntlug.org?subject=help>
> List-Post: <mailto:discuss at ntlug.org>
> List-Subscribe: <http://www.ntlug.org/mailman/listinfo/discuss>,
> 	<mailto:discuss-request at ntlug.org?subject=subscribe>
> List-Id: NTLUG Discussion List <discuss.ntlug.org>
> List-Unsubscribe: <http://www.ntlug.org/mailman/listinfo/discuss>,
> 	<mailto:discuss-request at ntlug.org?subject=unsubscribe>
> List-Archive: <http://www.ntlug.org/pipermail/discuss/>
> Date: Wed, 24 Jul 2002 14:50:08 -0500
> 
> Hi,
> 
> I'm just wondering if any of you running FTP sites are seeing the type 
> of activity that is shown in my FTP logs (paranoid.log from ProFTPD):
> 
> lns08a-7-201.w.club-internet.fr UNKNOWN nobody [22/Jul/2002:06:01:47 -0500] "USER anonymous" 331 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "PASS Ngpuser at home.com" 230 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "CWD /pub/" 250 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "MKD 020722115855p" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "CWD /public/incoming/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /incoming/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /pub/incoming/" 250 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "MKD 020722115856p" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /upload/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:52 -0500] "CWD /in/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:52 -0500] "CWD /" 250 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:52 -0500] "MKD 020722115857p" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:52 -0500] "CWD /_vti_pvt/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /_vti_txt/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /_vti_log/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /wwwroot/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /anonymous/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /public/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:54 -0500] "CWD /outgoing/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:54 -0500] "CWD /temp/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:54 -0500] "CWD /tmp/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:54 -0500] "CWD /anonymous/_vti_pvt/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:55 -0500] "CWD /anonymous/incoming/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:55 -0500] "CWD /mailroot/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:55 -0500] "CWD /ftproot/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:55 -0500] "CWD /anonymous/pub/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:56 -0500] "CWD /_vti_cnf/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:56 -0500] "CWD /images/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:56 -0500] "CWD /_private/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:56 -0500] "CWD /cgi-bin/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:57 -0500] "CWD /cgibin/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:57 -0500] "CWD /usr/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:57 -0500] "CWD /usr/incoming/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:57 -0500] "CWD /home/" 550 -
> 
> So far I've been seeing this activity from verizon.net, and also from 
> some French, Belgian, and German ISP accounts.  The interesting thing is 
> the anonymous password is always Xgpuser at home.com where the X changes to 
> different letters from different accounts.  So far, I've sent abuse 
> reports to these ISPs whose accounts have been used, but I think it is a 
> losing battle.  Thank goodness I'm running ProFTPD and it has been 
> forbidding these accounts from logging in anonymously when added to my 
> deny list, and it has done a very good job keeping users in only those 
> directories set up for anonymous users, as well as preventing them from 
> creating any new directories on the hard disk.  I've also occasionally 
> been fielding bounce attacks which ProFTPD has also been preventing (bounce 
> attacks are people trying to download files from other FTP sites via my 
> ftp site).
> 
> So, has anybody else seen this type of activity (This sure looks like a 
> cracker running a universal script to allocate a hidden warez site)? Any 
> other suggestions as to what else I can do to prevent this (other than 
> putting these sites in my deny list and contacting the ISPs)?
> 
> Thanks.
> 
> PS:  Yes, I am deliberately running an Anonymous FTP site.
> 
> 
> 
> 
> 
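Both posters are doing this triage by hand (grep on xferlog, reading paranoid.log). The script below is an added example written for this thread, not code from ProFTPD, the ftpd in Annette's logs, or either poster. It parses the two log shapes shown above (syslog-style "ANONYMOUS FTP LOGIN FROM" lines and ProFTPD extended-log lines) and flags, per client, the two signals the thread describes: the Xgpuser@home.com anonymous password, and a burst of failed CWD probes combined with MKD attempts. The sample lines are constructed; the list archive rewrites "@" as " at ", so the password pattern accepts both spellings, and the second ProFTPD client (203.0.113.5, a documentation address) is a benign control that should not be flagged.

```python
import re
from collections import defaultdict

# Constructed sample: syslog-style ftpd login lines (same shape as the xferlog grep above).
SAMPLE_SYSLOG = """\
Sep 19 15:17:19 sun[daemon.info] ftpd[19885]: ANONYMOUS FTP LOGIN FROM pD951B31E.dip.t-dialin.net [217.81.179.30], Agpuser@home.com
Sep 19 15:20:02 sun[daemon.info] ftpd[19901]: ANONYMOUS FTP LOGIN FROM example-host.invalid [192.0.2.10], mozilla@
"""

# Constructed sample: ProFTPD extended-log lines, one probing client and one benign control.
SAMPLE_PROFTPD = """\
lns08a-7-201.w.club-internet.fr UNKNOWN nobody [22/Jul/2002:06:01:47 -0500] "USER anonymous" 331 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "PASS Ngpuser@home.com" 230 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "CWD /pub/" 250 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "MKD 020722115855p" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "CWD /public/incoming/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /incoming/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /pub/incoming/" 250 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "MKD 020722115856p" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /upload/" 550 -
203.0.113.5 UNKNOWN nobody [22/Jul/2002:07:00:00 -0500] "USER anonymous" 331 -
203.0.113.5 UNKNOWN ftp [22/Jul/2002:07:00:01 -0500] "PASS guest@example.org" 230 -
203.0.113.5 UNKNOWN ftp [22/Jul/2002:07:00:02 -0500] "CWD /pub/" 250 -
203.0.113.5 UNKNOWN ftp [22/Jul/2002:07:00:03 -0500] "RETR README" 226 -
"""

# The archive shows the password as "Xgpuser at home.com"; live logs carry "@". Accept both.
GPUSER_RE = re.compile(r"\b[A-Za-z]gpuser(?:@| at )home\.com\b")

# syslog-style ftpd login line: "... ANONYMOUS FTP LOGIN FROM host [ip], password"
SYSLOG_RE = re.compile(
    r"ANONYMOUS FTP LOGIN FROM (?P<host>\S+) \[(?P<ip>[\d.]+)\], (?P<password>.+)$"
)

# ProFTPD extended-log line: client ident user [time] "COMMAND arg" status bytes
PROFTPD_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<cmd>[A-Z]+)(?: (?P<arg>[^"]*))?" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


def find_gpuser_logins(syslog_text):
    """Return (host, ip, password) for each anonymous login that used the Xgpuser password."""
    hits = []
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.search(line)
        if m and GPUSER_RE.search(m.group("password")):
            hits.append((m.group("host"), m.group("ip"), m.group("password")))
    return hits


def summarize_proftpd(log_text):
    """Per-client counters: failed/successful CWDs, MKD attempts, gpuser password, probed paths."""
    stats = defaultdict(lambda: {"cwd_fail": 0, "cwd_ok": 0, "mkd": 0,
                                 "gpuser": False, "probed": []})
    for line in log_text.splitlines():
        m = PROFTPD_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess at fields
        s = stats[m.group("client")]
        cmd, arg, status = m.group("cmd"), m.group("arg") or "", m.group("status")
        if cmd == "PASS" and GPUSER_RE.search(arg):
            s["gpuser"] = True
        elif cmd == "CWD":
            if status.startswith("5"):       # 550: directory absent or denied
                s["cwd_fail"] += 1
                s["probed"].append(arg)
            else:
                s["cwd_ok"] += 1
        elif cmd == "MKD":                   # any MKD by an anonymous user is worth noting
            s["mkd"] += 1
    return dict(stats)


def flag_clients(stats, cwd_fail_threshold=5):
    """Clients that merit a deny-list entry or abuse report, with the reason(s) for each."""
    flagged = {}
    for client, s in stats.items():
        reasons = []
        if s["gpuser"]:
            reasons.append("Xgpuser@home.com anonymous password")
        if s["cwd_fail"] >= cwd_fail_threshold and s["mkd"] > 0:
            reasons.append(f"{s['cwd_fail']} failed CWD probes plus {s['mkd']} MKD attempts")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    for host, ip, pw in find_gpuser_logins(SAMPLE_SYSLOG):
        print(f"syslog: {ip} ({host}) logged in with password {pw!r}")
    for client, reasons in flag_clients(summarize_proftpd(SAMPLE_PROFTPD), 3).items():
        print(f"proftpd: {client}: " + "; ".join(reasons))
```

The CWD threshold is deliberately a parameter: the session quoted above fails more than thirty CWDs in ten seconds, so the default of five is conservative, while the password match alone is enough to flag a client regardless of what it did afterwards. Feeding a real paranoid.log or xferlog in place of the constructed samples gives a list that can be reconciled against an existing deny list.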
