SYSMGR

We're a bunch of computers: Diana, Daphne and Dido, called the 3D-cluster, running OpenVMS; Io, also running OpenVMS (in some obscure role in the network); Aphrodite, Athene and Irene running Windows XP Pro (SP2, of course); and Cerberus at the edge of the network, with Charon, also running Linux, as standby. SYSMGR takes care of us.

Tuesday, September 27

27-Sep-2005

Some never learn....
Again, someone thinks I wouldn't see break-in attempts.

Extract from operator.log:


%%%%%%%%%%% OPCOM 25-SEP-2005 08:15:20.81 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: klik18.klik.bydgoszcz.pl
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.050925095019p]

I've seen this kid before....
The anonymous FTP log shows this attempt:

25-SEP-2005 08:15:19.46 User:anonymous logged in ident:Fgpuser@home.com from Host:klik18.klik.bydgoszcz.pl
25-SEP-2005 08:15:20.54 User:anonymous ident:Fgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
25-SEP-2005 08:15:27.07 User:anonymous ident:Fgpuser@home.com logged out


The FTP server log shows the details. He logs in:


%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from
klik18.klik.bydgoszcz.pl at 25-SEP-2005 08:15:18.79

%TCPIP-I-FTP_NODE, client host name: klik18.klik.bydgoszcz.pl
%TCPIP-I-FTP_USER, user name: anonymous

and tries to create a directory, which of course fails: the directory is read-only and the anonymous user has no more than normal privileges:


%TCPIP-I-FTP_OBJ, object:
WEB_DISK:[public.anonymous.050925095019p]

%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection
violation



Next he tries to change into directories that don't exist. Each attempt fails with:
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format


The names he tries are those of Windows (IIS) directories:
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_cfg/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /public_html/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_OBJ, object: /www/
%TCPIP-I-FTP_OBJ, object: /html/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /~temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /~tmp/
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/

and finally, logs out:


%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from klik18.klik.bydgoszcz.pl at 25-SEP-2005 08:15:27.22

Nine seconds for the whole exercise: it must be a script. OK, this might mean that the person obviously doesn't know what it's all about, or is too dumb to understand anything about computing.
The ISP's site (http://www.bydgoszcz.pl) is all in Polish and I doubt they would understand English. I have contacted them before, and if they use fixed addressing they should be able to keep this script kiddie off the internet....
Or are they too ignorant?
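As an added example (not code from the post or from OpenVMS), here is a small Python detector for the pattern shown above: it groups TCPIP$FTP log lines into sessions and flags one that logs in as anonymous, fails to create a directory, then walks several well-known directory names within seconds. The sample log is constructed from the lines quoted in the post (the wrapped connection line is joined), the line layouts assumed by the matching are taken from those quotes, and the directory watchlist is taken from the list above.

```python
import re
from datetime import datetime
# Constructed sample modelled on the TCPIP$FTP log lines quoted in the post (connection line unwrapped).
SAMPLE_LOG = """\
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from klik18.klik.bydgoszcz.pl at 25-SEP-2005 08:15:18.79
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.050925095019p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from klik18.klik.bydgoszcz.pl at 25-SEP-2005 08:15:27.22
"""
TS = "%d-%b-%Y %H:%M:%S.%f"  # OpenVMS timestamp as printed in the log
SESSION = re.compile(r"session (connection|disconnection) from (\S+) at (.+)$")
# Directory names the post shows being walked one after another: the fingerprint of a scripted probe.
KNOWN_PROBES = {"pub", "incoming", "upload", "_vti_pvt", "_vti_cnf", "public_html", "wwwroot"}
def parse_sessions(log):
    """Group log lines into sessions, recording the target of each failed MKD and CWD."""
    sessions, cur, obj = [], None, None
    for line in log.splitlines():
        m = SESSION.search(line)
        if m and m.group(1) == "connection":
            cur = {"host": m.group(2), "user": "?", "start": datetime.strptime(m.group(3), TS), "end": None, "mkd_failed": [], "cwd_failed": []}
            sessions.append(cur)
        elif cur is None:
            continue  # line outside any session (e.g. truncated log)
        elif m:  # disconnection closes the current session
            cur["end"], cur = datetime.strptime(m.group(3), TS), None
        elif "FTP_USER, user name:" in line:
            cur["user"] = line.rsplit(":", 1)[1].strip()
        elif "FTP_OBJ, object:" in line:
            obj = line.split("object:", 1)[1].strip()  # target of the status line that follows
        elif "Failed to create directory" in line or "Failed to set default directory" in line:
            cur["mkd_failed" if "create" in line else "cwd_failed"].append(obj)
    return sessions
def classify(s, max_seconds=30, min_known=3):
    """Anonymous login + MKD attempt + several watchlisted names tried within seconds = script, not person."""
    dur = (s["end"] - s["start"]).total_seconds() if s["end"] else float("inf")  # inf: session still open
    probed = {p.strip("/").rsplit("/", 1)[-1].lower() for p in s["cwd_failed"]}  # last path component
    hits = probed & KNOWN_PROBES
    scripted = s["user"] == "anonymous" and bool(s["mkd_failed"]) and len(hits) >= min_known and dur <= max_seconds
    return {"host": s["host"], "seconds": dur, "known_probes": sorted(hits), "scripted": scripted}
```

The thresholds (30 seconds, three watchlisted names) are assumptions to tune against your own anonymous FTP traffic; the same structure works on the full log file by passing its contents instead of the sample.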

2 Comments:

Anonymous Anonymous said...

the vti directories are related to FrontPage

27 September, 2005 15:17  
Blogger SYSMGR said...

I know. And it's present on ANY PC that has IIS installed, or PWS (Personal WebServer, a lightweight version of IIS). I wonder how many sites using IIS actually KNOW how insecure that system is...

28 September, 2005 07:15  
