[NTLUG:Discuss] FTP Server Activity...

JR Newsletters jrnewsletters at jcrcomputing.com
Wed Jul 24 14:50:08 CDT 2002


Hi,

I'm just wondering if any of you running FTP sites are seeing the type 
of activity that is shown in my FTP logs (paranoid.log from ProFTPD):

lns08a-7-201.w.club-internet.fr UNKNOWN nobody [22/Jul/2002:06:01:47 -0500] "USER anonymous" 331 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "PASS Ngpuser at home.com" 230 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "CWD /pub/" 250 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "MKD 020722115855p" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "CWD /public/incoming/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /incoming/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /pub/incoming/" 250 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "MKD 020722115856p" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /upload/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:52 -0500] "CWD /in/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:52 -0500] "CWD /" 250 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:52 -0500] "MKD 020722115857p" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:52 -0500] "CWD /_vti_pvt/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /_vti_txt/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /_vti_log/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /wwwroot/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /anonymous/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /public/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:54 -0500] "CWD /outgoing/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:54 -0500] "CWD /temp/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:54 -0500] "CWD /tmp/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:54 -0500] "CWD /anonymous/_vti_pvt/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:55 -0500] "CWD /anonymous/incoming/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:55 -0500] "CWD /mailroot/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:55 -0500] "CWD /ftproot/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:55 -0500] "CWD /anonymous/pub/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:56 -0500] "CWD /_vti_cnf/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:56 -0500] "CWD /images/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:56 -0500] "CWD /_private/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:56 -0500] "CWD /cgi-bin/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:57 -0500] "CWD /cgibin/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:57 -0500] "CWD /usr/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:57 -0500] "CWD /usr/incoming/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:57 -0500] "CWD /home/" 550 -

So far I've been seeing this activity from verizon.net, and also from 
some French, Belgian, and German ISP accounts.  The interesting thing is 
the anonymous password is always Xgpuser at home.com where the X changes to 
different letters from different accounts.  So far, I've sent abuse 
reports to these ISPs whose accounts have been used, but I think it is a 
losing battle.  Thank goodness I'm running ProFTPD and it has been 
forbidding these accounts from logging in anonymously when added to my 
deny list, and it has done a very good job keeping users in only those 
directories set up for anonymous users, as well as preventing them from 
creating any new directories on the hard disk.  I've also occasionally 
been fielding bounce attacks which ProFTPD has also been preventing (bounce 
attacks are people trying to download files from other FTP sites via my 
ftp site).

So, has anybody else seen this type of activity (This sure looks like a 
cracker running a universal script to allocate a hidden warez site)? Any 
other suggestions as to what else I can do to prevent this (other than 
putting these sites in my deny list and contacting the ISPs)?

Thanks.

PS:  Yes, I am deliberately running an Anonymous FTP site.
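The scan pattern described above (anonymous login with a one-letter-varying "?gpuser@home.com" password, then a burst of failed CWD probes and MKD attempts) can be picked out of a ProFTPD extended log automatically. The following is an added example for illustration, not code from the post or from ProFTPD; it assumes the log field layout shown above (host, ident, user, timestamp, command, reply code), uses constructed sample lines (the mirror.example.net host is made up), and accepts both a literal "@" and the " at " that the list archive substitutes for it. The thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample in the paranoid.log layout shown in the post:
# host ident user [timestamp] "COMMAND args" reply-code -
# Real logs hold "@" in the PASS argument; the list archive rewrites it as " at ".
SAMPLE_LOG = """\
lns08a-7-201.w.club-internet.fr UNKNOWN nobody [22/Jul/2002:06:01:47 -0500] "USER anonymous" 331 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "PASS Ngpuser@home.com" 230 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "CWD /pub/" 250 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "MKD 020722115855p" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "CWD /public/incoming/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /incoming/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /_vti_pvt/" 550 -
mirror.example.net UNKNOWN nobody [22/Jul/2002:07:10:00 -0500] "USER anonymous" 331 -
mirror.example.net UNKNOWN ftp [22/Jul/2002:07:10:01 -0500] "PASS mozilla@example.com" 230 -
mirror.example.net UNKNOWN ftp [22/Jul/2002:07:10:02 -0500] "CWD /pub/" 250 -
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<cmd>[A-Z]+)(?: (?P<arg>.*?))?" (?P<code>\d{3}) ')
# The marker password from the post: any single letter, then "gpuser@home.com".
PASS_RE = re.compile(r'^[A-Za-z]gpuser(?:@| at )home\.com$')

def parse_lines(text):
    """Yield one dict per well-formed log record; skip lines that don't parse."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def score_hosts(text, min_failed_cwd=3):
    """Return {host: findings} for hosts that match the warez-scan pattern:
    either the marker password, or >= min_failed_cwd failed CWDs plus an MKD."""
    per_host = defaultdict(lambda: {"marker_pass": False, "failed_cwd": 0, "mkd": 0})
    for rec in parse_lines(text):
        h = per_host[rec["host"]]
        if rec["cmd"] == "PASS" and rec["arg"] and PASS_RE.match(rec["arg"]):
            h["marker_pass"] = True
        elif rec["cmd"] == "CWD" and rec["code"] == "550":
            h["failed_cwd"] += 1        # probing for a writable directory
        elif rec["cmd"] == "MKD":
            h["mkd"] += 1               # trying to create a drop directory
    return {host: f for host, f in per_host.items()
            if f["marker_pass"] or (f["failed_cwd"] >= min_failed_cwd and f["mkd"] > 0)}

if __name__ == "__main__":
    for host, findings in score_hosts(SAMPLE_LOG).items():
        print(host, findings)
```

Hosts flagged this way are candidates for the deny list the post mentions; the two-condition rule keeps an ordinary anonymous user who mistypes a directory name from being caught.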
