Attempted break-in?
Hello:
I am curious if anyone else is seeing an attempt by a user "anonymous" with a
password of guest@hello.com to ftp into their system. I found the following
snippets in the message log this morning. It sent up a red flag for me. I've
immediately blocked access for ftp not originating from the internal LAN.
The particularly alarming part is the repetition of the command sequence used
and the funky directory name that the attack attempted to create. I've
emailed a message to postmaster@sympatico.ca and domains@aol.com;
domains@aol.com has replied via automated reply.
-------------- /var/log/messages ------------
Aug 2 21:32:19 mesozoic ftpd[18304]: USER anonymous
Aug 2 21:32:20 mesozoic ftpd[18304]: PASS guest@here.com
Aug 2 21:32:20 mesozoic ftpd[18304]: ANONYMOUS FTP LOGIN FROM
HSE-Sherbrooke-ppp79981.qc.sympatico.ca [64.229.254.170], guest@here.com
Aug 2 21:32:20 mesozoic ftpd[18304]: CWD /pub/
Aug 2 21:32:21 mesozoic ftpd[18304]: MKD 010804003731p
Aug 2 21:32:21 mesozoic ftpd[18304]: anonymous(guest@here.com) of
HSE-Sherbrooke-ppp79981.qc.sympatico.ca [64.229.254.170] tried to create
directory /var/ftp/pub/010804003731p
Aug 2 21:32:21 mesozoic ftpd[18304]: CWD /public/
Aug 2 21:32:22 mesozoic ftpd[18304]: CWD /pub/incoming/
Aug 2 21:32:22 mesozoic ftpd[18304]: CWD /incoming/
Aug 2 21:32:22 mesozoic ftpd[18304]: CWD /_vti_pvt/
Aug 2 21:32:23 mesozoic ftpd[18304]: CWD /
Aug 2 21:32:23 mesozoic ftpd[18304]: MKD 010804003733p
Aug 2 21:32:23 mesozoic ftpd[18304]: anonymous(guest@here.com) of
HSE-Sherbrooke-ppp79981.qc.sympatico.ca [64.229.254.170] tried to create
directory /var/ftp/010804003733p
Aug 2 21:32:23 mesozoic ftpd[18304]: CWD /upload/
Aug 2 21:32:23 mesozoic ftpd[18304]: lost connection to
HSE-Sherbrooke-ppp79981.qc.sympatico.ca [64.229.254.170]
Aug 2 21:32:23 mesozoic ftpd[18304]: FTP session closed
Aug 3 14:29:02 mesozoic ftpd[26656]: USER anonymous
Aug 3 14:29:03 mesozoic ftpd[26656]: PASS guest@here.com
Aug 3 14:29:03 mesozoic ftpd[26656]: ANONYMOUS FTP LOGIN FROM
ACB0A998.ipt.aol.com [172.176.169.152], guest@here.com
Aug 3 14:29:03 mesozoic ftpd[26656]: CWD /pub/
Aug 3 14:29:04 mesozoic ftpd[26656]: MKD 010803233322p
Aug 3 14:29:04 mesozoic ftpd[26656]: anonymous(guest@here.com) of
ACB0A998.ipt.aol.com [172.176.169.152] tried to create directory
/var/ftp/pub/010803233322p
Aug 3 14:29:04 mesozoic ftpd[26656]: CWD /public/
Aug 3 14:29:05 mesozoic ftpd[26656]: CWD /pub/incoming/
Aug 3 14:29:05 mesozoic ftpd[26656]: CWD /incoming/
Aug 3 14:29:06 mesozoic ftpd[26656]: CWD /_vti_pvt/
Aug 3 14:29:06 mesozoic ftpd[26656]: CWD /
Aug 3 14:29:06 mesozoic ftpd[26656]: MKD 010803233324p
Aug 3 14:29:06 mesozoic ftpd[26656]: anonymous(guest@here.com) of
ACB0A998.ipt.aol.com [172.176.169.152] tried to create directory
/var/ftp/010803233324p
Aug 3 14:29:07 mesozoic ftpd[26656]: CWD /upload/
Aug 3 14:29:07 mesozoic ftpd[26656]: FTP session closed
Aug 3 14:30:00 mesozoic CROND[26658]: (root) CMD ( /sbin/rmmod -as)
Aug 4 07:15:37 mesozoic ftpd[30934]: USER anonymous
Aug 4 07:15:38 mesozoic ftpd[30934]: PASS guest@here.com
Aug 4 07:15:38 mesozoic ftpd[30934]: ANONYMOUS FTP LOGIN FROM 199.44.93.188
[199.44.93.188], guest@here.com
Aug 4 07:15:38 mesozoic ftpd[30934]: CWD /pub/
Aug 4 07:15:38 mesozoic ftpd[30934]: MKD 010804102033p
Aug 4 07:15:38 mesozoic ftpd[30934]: anonymous(guest@here.com) of
199.44.93.188 [199.44.93.188] tried to create directory
/var/ftp/pub/010804102033p
Aug 4 07:15:39 mesozoic ftpd[30934]: CWD /public/
Aug 4 07:15:39 mesozoic ftpd[30934]: CWD /pub/incoming/
Aug 4 07:15:39 mesozoic ftpd[30934]: CWD /incoming/
Aug 4 07:15:39 mesozoic ftpd[30934]: CWD /_vti_pvt/
Aug 4 07:15:39 mesozoic ftpd[30934]: CWD /
Aug 4 07:15:40 mesozoic ftpd[30934]: MKD 010804102034p
Aug 4 07:15:40 mesozoic ftpd[30934]: anonymous(guest@here.com) of
199.44.93.188 [199.44.93.188] tried to create directory /var/ftp/010804102034p
Aug 4 07:15:40 mesozoic ftpd[30934]: CWD /upload/
Aug 4 07:15:40 mesozoic ftpd[30934]: FTP session closed
--
regards,
allen
atoka-software
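The pattern in the log above (anonymous login, a walk through /pub/, /public/, /incoming/, /_vti_pvt/ and /upload/, and MKD attempts with timestamp-style names) is easy to pick out of /var/log/messages mechanically, which is useful when deciding whether other hosts saw the same scanner. The script below is an added example, not code from the original post or its author. It assumes wu-ftpd-style ftpd messages of the shape shown in the post, one record per line (the mail wrapping above splits some records across lines; in the real syslog file they are single lines). The sample log text is constructed to match the post's format, with placeholder hostnames and addresses; the second session in it is a benign anonymous download, included to show that it is not flagged.

```python
"""Flag anonymous-FTP writable-directory probes in ftpd syslog output.

Added example for triaging /var/log/messages; not part of the original post.
Sessions are grouped by ftpd pid. A session is reported when it logged in
anonymously, tried MKD with a name matching the 12-digits-plus-'p' form seen
in the post, and walked several of the usual upload directories first.
"""
import re
from collections import defaultdict

# Constructed sample in the same shape as the post's excerpt (placeholder hosts/IPs).
SAMPLE_LOG = """\
Aug 3 14:29:02 mesozoic ftpd[26656]: USER anonymous
Aug 3 14:29:03 mesozoic ftpd[26656]: PASS guest@here.com
Aug 3 14:29:03 mesozoic ftpd[26656]: ANONYMOUS FTP LOGIN FROM host.example.net [192.0.2.10], guest@here.com
Aug 3 14:29:03 mesozoic ftpd[26656]: CWD /pub/
Aug 3 14:29:04 mesozoic ftpd[26656]: MKD 010803233322p
Aug 3 14:29:04 mesozoic ftpd[26656]: anonymous(guest@here.com) of host.example.net [192.0.2.10] tried to create directory /var/ftp/pub/010803233322p
Aug 3 14:29:04 mesozoic ftpd[26656]: CWD /public/
Aug 3 14:29:05 mesozoic ftpd[26656]: CWD /pub/incoming/
Aug 3 14:29:05 mesozoic ftpd[26656]: CWD /incoming/
Aug 3 14:29:06 mesozoic ftpd[26656]: CWD /_vti_pvt/
Aug 3 14:29:06 mesozoic ftpd[26656]: CWD /
Aug 3 14:29:06 mesozoic ftpd[26656]: MKD 010803233324p
Aug 3 14:29:07 mesozoic ftpd[26656]: CWD /upload/
Aug 3 14:29:07 mesozoic ftpd[26656]: FTP session closed
Aug 3 14:30:00 mesozoic CROND[26658]: (root) CMD ( /sbin/rmmod -as)
Aug 3 15:02:11 mesozoic ftpd[27001]: USER anonymous
Aug 3 15:02:11 mesozoic ftpd[27001]: PASS mozilla@example.org
Aug 3 15:02:12 mesozoic ftpd[27001]: ANONYMOUS FTP LOGIN FROM mirror.example.org [198.51.100.7], mozilla@example.org
Aug 3 15:02:12 mesozoic ftpd[27001]: CWD /pub/
Aug 3 15:02:15 mesozoic ftpd[27001]: RETR README
Aug 3 15:02:20 mesozoic ftpd[27001]: FTP session closed
"""

# "Mon  d HH:MM:SS host ftpd[pid]: message"; non-ftpd lines (CROND etc.) do not match.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ ftpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
LOGIN_RE = re.compile(r"ANONYMOUS FTP LOGIN FROM (?P<host>\S+) \[(?P<ip>[^\]]+)\]")
# Directory names in the post: 12 digits (a date/time stamp) followed by 'p'.
STAMP_DIR_RE = re.compile(r"^\d{12}p$")
# Directories the post's sessions walked looking for a writable spot.
PROBED_DIRS = {"/pub/", "/public/", "/pub/incoming/", "/incoming/", "/_vti_pvt/", "/upload/"}


def parse_sessions(text):
    """Group ftpd lines by pid and collect login source, MKD names and CWD targets."""
    sessions = defaultdict(lambda: {"host": None, "ip": None, "anonymous": False,
                                    "mkd": [], "cwd": [], "first": None, "last": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions[m["pid"]]
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
        msg = m["msg"]
        login = LOGIN_RE.search(msg)
        if login:
            s["anonymous"] = True
            s["host"], s["ip"] = login["host"], login["ip"]
        elif msg.startswith("MKD "):
            s["mkd"].append(msg[4:].strip())
        elif msg.startswith("CWD "):
            s["cwd"].append(msg[4:].strip())
    return dict(sessions)


def find_probes(text, min_probed_dirs=3):
    """Return one finding per session that matches the probe pattern from the post."""
    findings = []
    for pid, s in parse_sessions(text).items():
        stamp_mkds = [d for d in s["mkd"] if STAMP_DIR_RE.match(d)]
        probed = sorted(set(s["cwd"]) & PROBED_DIRS)
        if s["anonymous"] and stamp_mkds and len(probed) >= min_probed_dirs:
            findings.append({"pid": pid, "host": s["host"], "ip": s["ip"],
                             "stamp_mkds": stamp_mkds, "probed_dirs": probed,
                             "window": (s["first"], s["last"])})
    return findings


if __name__ == "__main__":
    for f in find_probes(SAMPLE_LOG):
        print(f"pid {f['pid']}: {f['host']} [{f['ip']}] {f['window'][0]} .. {f['window'][1]}")
        print(f"  MKD attempts: {', '.join(f['stamp_mkds'])}")
        print(f"  probed: {', '.join(f['probed_dirs'])}")
```

Run it against a real file with `find_probes(open('/var/log/messages').read())`. The MKD and CWD checks are deliberately kept separate: a lone anonymous MKD can be a misconfigured mirror client, and a walk through /incoming/ alone can be a legitimate user looking for a drop box, but the two together in one short session are the signature the post describes. Whether the MKD actually succeeded is visible in the "tried to create directory" line, which the server only logs on failure, so a session with a stamp-named MKD and no such line is the one to look at first.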