[NTLUG:Discuss] FTP Server Activity...
JR Newsletters
jrnewsletters at jcrcomputing.com
Wed Jul 24 14:50:08 CDT 2002
Hi,
I'm just wondering if any of you running FTP sites are seeing the type
of activity that is shown in my FTP logs (paranoid.log from ProFTPD):
lns08a-7-201.w.club-internet.fr UNKNOWN nobody [22/Jul/2002:06:01:47 -0500] "USER anonymous" 331 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "PASS Ngpuser@home.com" 230 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "CWD /pub/" 250 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "MKD 020722115855p" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "CWD /public/incoming/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /incoming/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /pub/incoming/" 250 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "MKD 020722115856p" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /upload/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:52 -0500] "CWD /in/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:52 -0500] "CWD /" 250 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:52 -0500] "MKD 020722115857p" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:52 -0500] "CWD /_vti_pvt/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /_vti_txt/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /_vti_log/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /wwwroot/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /anonymous/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /public/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:54 -0500] "CWD /outgoing/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:54 -0500] "CWD /temp/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:54 -0500] "CWD /tmp/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:54 -0500] "CWD /anonymous/_vti_pvt/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:55 -0500] "CWD /anonymous/incoming/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:55 -0500] "CWD /mailroot/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:55 -0500] "CWD /ftproot/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:55 -0500] "CWD /anonymous/pub/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:56 -0500] "CWD /_vti_cnf/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:56 -0500] "CWD /images/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:56 -0500] "CWD /_private/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:56 -0500] "CWD /cgi-bin/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:57 -0500] "CWD /cgibin/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:57 -0500] "CWD /usr/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:57 -0500] "CWD /usr/incoming/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:57 -0500] "CWD /home/" 550 -
So far I've been seeing this activity from verizon.net, and also from
some French, Belgian, and German ISP accounts. The interesting thing is
that the anonymous password is always Xgpuser@home.com, where the X changes to
different letters from different accounts. So far, I've sent abuse
reports to the ISPs whose accounts have been used, but I think it is a
losing battle. Thank goodness I'm running ProFTPD: it has been
forbidding these accounts from logging in anonymously once added to my
deny list, and it has done a very good job of keeping users in only those
directories set up for anonymous users, as well as preventing them from
creating any new directories on the hard disk. I've also occasionally been
fielding bounce attacks, which ProFTPD has also been preventing (bounce
attacks are people trying to download files from other FTP sites via my
FTP site).
So, has anybody else seen this type of activity? (This sure looks like a
cracker running a universal script to allocate a hidden warez site.) Any
other suggestions as to what else I can do to prevent this (other than
putting these sites in my deny list and contacting the ISPs)?
Thanks.
PS: Yes, I am deliberately running an Anonymous FTP site.
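The session in the log above has a mechanical shape: anonymous login, a sweep of well-known upload paths that mostly come back 550, and an MKD with a timestamp-style name in every directory that did accept a CWD, all inside a few seconds. That shape can be picked out of a ProFTPD ExtendedLog automatically rather than by eye. The following is an added example written for this page, not code from the post or from ProFTPD: the sample log lines are constructed in the same layout as the excerpt (the hostnames are invented), the password regex generalises the author's observation that the first letter of Xgpuser@home.com varies, and the thresholds in flagged() are assumptions to tune against your own traffic.

```python
import re
from datetime import datetime

# Layout of the ProFTPD ExtendedLog lines quoted in the post:
#   host ident user [dd/Mon/yyyy:HH:MM:SS zone] "COMMAND args" status -
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<ts>[^\]]+)\] "(?P<cmd>[A-Z]+)(?: (?P<arg>[^"]*))?" '
    r'(?P<code>\d{3}) \S+$'
)

# Assumption: the anonymous password the author reports, "Xgpuser@home.com"
# with X varying per source, generalised to any single leading letter.
PASS_RE = re.compile(r'^[a-z]gpuser@home\.com$', re.IGNORECASE)

# Constructed sample in the post's format (hostnames are invented): one
# scanner-style session and one ordinary anonymous download for contrast.
SAMPLE_LOG = """\
scanner.example.net UNKNOWN nobody [22/Jul/2002:06:01:47 -0500] "USER anonymous" 331 -
scanner.example.net UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "PASS Ngpuser@home.com" 230 -
scanner.example.net UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "CWD /pub/" 250 -
scanner.example.net UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "MKD 020722115855p" 550 -
scanner.example.net UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "CWD /public/incoming/" 550 -
scanner.example.net UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /incoming/" 550 -
scanner.example.net UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /pub/incoming/" 250 -
scanner.example.net UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "MKD 020722115856p" 550 -
scanner.example.net UNKNOWN ftp [22/Jul/2002:06:01:52 -0500] "CWD /_vti_pvt/" 550 -
scanner.example.net UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /wwwroot/" 550 -
scanner.example.net UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /tmp/" 550 -
legit.example.org UNKNOWN nobody [22/Jul/2002:09:15:02 -0500] "USER anonymous" 331 -
legit.example.org UNKNOWN ftp [22/Jul/2002:09:15:04 -0500] "PASS mozilla@example.com" 230 -
legit.example.org UNKNOWN ftp [22/Jul/2002:09:15:09 -0500] "CWD /pub/" 250 -
legit.example.org UNKNOWN ftp [22/Jul/2002:09:15:40 -0500] "RETR README" 226 -
"""


def parse(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["code"] = int(ev["code"])
        yield ev


def summarize(text):
    """Per-source-host counters: MKD attempts, CWDs refused with 550,
    whether the PASS argument matched PASS_RE, and the time span seen.
    Assumes the excerpt is in time order, as the server writes it."""
    sessions = {}
    for ev in parse(text):
        s = sessions.setdefault(ev["host"], {
            "mkd": 0, "cwd_denied": 0, "bad_pass": False,
            "first": ev["ts"], "last": ev["ts"], "probed": []})
        s["last"] = ev["ts"]
        if ev["cmd"] == "MKD":
            s["mkd"] += 1
        elif ev["cmd"] == "CWD" and ev["code"] == 550:
            s["cwd_denied"] += 1
            s["probed"].append(ev["arg"])
        elif ev["cmd"] == "PASS" and ev["arg"] and PASS_RE.match(ev["arg"]):
            s["bad_pass"] = True
    return sessions


def flagged(sessions, min_denied=3, window_seconds=60):
    """Hosts that look like an automated hunt for a writable directory:
    at least one MKD plus a burst of refused CWDs inside the window, or
    the reported password pattern. Thresholds are assumptions to tune."""
    hits = []
    for host, s in sessions.items():
        span = (s["last"] - s["first"]).total_seconds()
        scanning = (s["mkd"] >= 1 and s["cwd_denied"] >= min_denied
                    and span <= window_seconds)
        if s["bad_pass"] or scanning:
            hits.append(host)
    return sorted(hits)


if __name__ == "__main__":
    sessions = summarize(SAMPLE_LOG)
    for host in flagged(sessions):
        s = sessions[host]
        print(f"{host}: {s['mkd']} MKD, {s['cwd_denied']} CWD refused, "
              f"pass-pattern={s['bad_pass']}, probed {s['probed'][:3]}")
```

The MKD-plus-refused-CWD rule is the more durable of the two signals: the password string is trivial for the scanner's operator to change, whereas a script that hunts for a writable directory has to issue the probes. Note that the PASS check only works when the server logs the password argument in the clear, as the post's excerpt shows; a log that records it as hidden will never trip bad_pass, and only the scanning rule will fire.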