
Re: is this an attack ?



danilo lujambio <danilo@tau.org.ar> writes:
> 
> 18:59:06 web wu-ftpd[10527]: connect from 200.158.144.201
> Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
> Mar 28 18:59:07 web wu-ftpd[10527]: PASS ano@ano.com
[ etc. ]

This log indicates that someone connected as an anonymous user and
attempted to upload a 104154-byte file named "528.258" to several
directories: the anonymous user's "/bin", "/lib", and "/pub".  The log
doesn't show whether or not the upload attempts were successful.  The
fact that they were repeated several times suggests they weren't.

I believe there's an automated tool that scans for FTP servers that
have one or more read/writable directories.  It uploads this file with
random names "number.number" and tries to retrieve it again.  The file
itself is harmless---it's just a test to find open directories that
can be used to trade pirated software or other files.  You'll note
that nowhere in your log did the person try to *retrieve* the file
again, so it's quite likely they failed to store the file anywhere and
gave up.  No harm done.

> Mar 28 19:00:02 web kernel: EXT2-fs warning: maximal mount count
> reached,
> running e2fsck is recommended
> Mar 28 19:00:02 web kernel: EXT2-fs warning: maximal mount count
> reached,
> running e2fsck is recommended

This is curious but not necessarily related.  Is it possible someone
mounted (or remounted) an EXT2 filesystem at this time?  Or that you
have an automounter running that might have mounted an EXT2
filesystem?

-- 
Kevin <buhr@telus.net>
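
One way to flag the probe pattern described in the reply above in wu-ftpd syslog output. This is an added example, not part of the original message. The CWD/STOR/RETR lines in the sample are constructed, and assume that commands are logged in the same format as the USER/PASS lines quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the first three lines of session 10527 follow the quoted
# log; every CWD/STOR/RETR line and session 10600 are made up for illustration.
SAMPLE_LOG = """\
Mar 28 18:59:06 web wu-ftpd[10527]: connect from 200.158.144.201
Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
Mar 28 18:59:07 web wu-ftpd[10527]: PASS ano@ano.com
Mar 28 18:59:08 web wu-ftpd[10527]: CWD /pub
Mar 28 18:59:09 web wu-ftpd[10527]: STOR 528.258
Mar 28 18:59:10 web wu-ftpd[10527]: CWD /bin
Mar 28 18:59:11 web wu-ftpd[10527]: STOR 528.258
Mar 28 19:05:00 web wu-ftpd[10600]: connect from 192.0.2.7
Mar 28 19:05:01 web wu-ftpd[10600]: USER anonymous
Mar 28 19:05:03 web wu-ftpd[10600]: RETR README
"""

LINE = re.compile(r"wu-ftpd\[(\d+)\]: (connect from|USER|CWD|STOR|RETR) (\S+)")
PROBE_NAME = re.compile(r"^\d+\.\d+$")  # "number.number" test file names

def basename(path):
    return path.rsplit("/", 1)[-1]

def find_upload_probes(log_text):
    """Return {client_ip: {"attempts": [(dir, name)], "read_back": bool}}."""
    sessions = defaultdict(lambda: {"ip": None, "anon": False, "cwd": "/",
                                    "stored": [], "retrieved": set()})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, cmd, arg = m.groups()
        s = sessions[pid]  # one daemon PID per connection (PID reuse ignored)
        if cmd == "connect from":
            s["ip"] = arg
        elif cmd == "USER":
            s["anon"] = arg.lower() in ("anonymous", "ftp")
        elif cmd == "CWD":
            s["cwd"] = arg  # the log does not say whether the CWD succeeded
        elif cmd == "STOR" and PROBE_NAME.match(basename(arg)):
            s["stored"].append((s["cwd"], basename(arg)))
        elif cmd == "RETR":
            s["retrieved"].add(basename(arg))
    return {s["ip"]: {"attempts": s["stored"],
                      "read_back": any(n in s["retrieved"] for _, n in s["stored"])}
            for s in sessions.values() if s["anon"] and s["stored"]}

if __name__ == "__main__":
    print(find_upload_probes(SAMPLE_LOG))
```

A session with `read_back` set to true is the one to look at first: it means the client asked for its test file back, which is the step the reply notes was absent from the original log.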


