SYSMGR

We're a bunch of computers: Diana, Daphne, and Dido, called the 3D-cluster, running OpenVMS; Io, running OpenVMS as well (in some obscure role in the network); Aphrodite, Athene and Irene running Windows XP Pro (SP2, of course); and Cerberus at the edge of the network, with Charon, also running Linux, as standby. SYSMGR takes care of us.

Tuesday, October 25

25-Oct-2005

Security update
Checked the log files this week and found a number of attempts again - I guess (not yet checked) these were from script kiddies - there may have been one more serious attempt. None succeeded (of course):

13 October: script kiddy at work:

Operator.log:
%%%%%%%%%%% OPCOM 13-OCT-2005 08:39:10.17 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: static-64-83-19-37.dsl.cavtel.net
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.051013042324p]


ftp_run.log:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from static-64-83-19-37.dsl.cavtel.net at 13-OCT-2005 08:39:08.72
%TCPIP-I-FTP_NODE, client host name: static-64-83-19-37.dsl.cavtel.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.051013042324p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00005: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: static-64-83-19-37.dsl.cavtel.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00005: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_NODE, client host name: static-64-83-19-37.dsl.cavtel.net
%TCPIP-I-FTP_USER, user name: anonymous

same for:

%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_cfg/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /public_html/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_OBJ, object: /www/
%TCPIP-I-FTP_OBJ, object: /html/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /~temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /~tmp/
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /tagged/
%TCPIP-I-FTP_OBJ, object: /tagged.by/


Finally:

%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from static-64-83-19-37.dsl.cavtel.net at 13-OCT-2005 08:39:16.41

Indeed - an ISP (http://www.cavtel.net); they will be notified.
(Notification failed on abuse@cavtel.net)
----- The following addresses had permanent fatal errors -----
ABUSE@cavtel.net
(reason: 550 Gateway: 550 This user's mailbox is full (abuse@cavtel.net) - Try again later)
----- Transcript of session follows -----
... while talking to mx-incoming.cavtel.net.:
>>> RCPT To:<abuse@cavtel.net>;
<<< <abuse@cavtel.net>... User unknown

And this mail address is on their website!

16 October: a break-in attempt via port 20 or 21 (plain FTP)

ftp_run.log:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from sipco92.sipco.fr at 16-OCT-2005 02:55:17.59
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from sipco92.sipco.fr at 16-OCT-2005 02:55:17.69
%TCPIP-E-FTP_LOGFAL, remote interactive login failure test
-TCPIP-I-FTP_NODE, client host name: sipco92.sipco.fr
-LOGIN-F-NOSUCHUSER, no such user

followed by 15 more attempts...

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from sipco92.sipco.fr at 16-OCT-2005 02:55:21.80
%TCPIP-E-FTP_LOGFAL, remote interactive login failure test
-TCPIP-I-FTP_NODE, client host name: sipco92.sipco.fr
-LOGIN-F-NOSUCHUSER, no such user

A French company (www.sipco.fr), but they can be contacted.
They have been.

18 October. This one is different:

Operator.log:
%%%%%%%%%%% OPCOM 18-OCT-2005 22:09:43.76 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: 67.90.151.213.kve.cz
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.web.temp^.5995]

%%%%%%%%%%% OPCOM 18-OCT-2005 22:09:48.37 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: 67.90.151.213.kve.cz
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.temp^.5995]

anonymous_ftp.log:

18-OCT-2005 22:09:29.71 User:anonymous logged in ident:bot@search.net from Host:67.90.151.213.kve.cz
18-OCT-2005 22:09:53.71 User:anonymous ident:bot@search.net logged out

ftp_run.log:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 67.90.151.213.kve.cz at 18-OCT-2005 22:09:28.33
%TCPIP-I-FTP_NODE, client host name: 67.90.151.213.kve.cz
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001B: insufficient privilege or file protection violation!
%TCPIP-I-FTP_NODE, client host name: 67.90.151.213.kve.cz
%TCPIP-I-FTP_USER, user name: anonymous

Tries this a number of times:

%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -

Then tries another location:

%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.web.temp^.5995]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001B: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: 67.90.151.213.kve.cz
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001B: insufficient privilege or file protection violation!
%TCPIP-I-FTP_NODE, client host name: 67.90.151.213.kve.cz
%TCPIP-I-FTP_USER, user name: anonymous

and again tries to move up the directory tree:

%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -

and another location:

%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.temp^.5995]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001B: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: 67.90.151.213.kve.cz
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001B: insufficient privilege or file protection violation!
%TCPIP-I-FTP_NODE, client host name: 67.90.151.213.kve.cz
%TCPIP-I-FTP_USER, user name: anonymous

yet again, a number of attempts to browse up:

%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -

Finally gives up...

%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 67.90.151.213.kve.cz at 18-OCT-2005 22:09:53.86

What is he trying to achieve? Browsing from given points? 'Search.net' may hold a clue. Anyway, address 213.151.90.76 is now to be investigated. Or is it a proxy from kve.cz?

21 October: The usual again
A bit different, though.

Operator.log:

%%%%%%%%%%% OPCOM 21-OCT-2005 07:29:49.17 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: BSN-77-159-9.dsl.siol.net
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.051021092357p]

anonymous_ftp.log:

21-OCT-2005 07:29:47.94 User:anonymous logged in ident:Qgpuser@home.com from Host:BSN-77-159-9.dsl.siol.net
21-OCT-2005 07:29:49.02 User:anonymous ident:Qgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
21-OCT-2005 07:29:50.41 User:anonymous ident:Qgpuser@home.com status:000186D4 CWD dir:/c:/
21-OCT-2005 07:29:50.69 User:anonymous ident:Qgpuser@home.com logged out

How pathetic: notice he tries to access a Windows disk...

ftp_run.log:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from BSN-77-159-9.dsl.siol.net at 21-OCT-2005 07:29:47.71
%TCPIP-I-FTP_NODE, client host name: BSN-77-159-9.dsl.siol.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001F: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_NODE, client host name: BSN-77-159-9.dsl.siol.net
%TCPIP-I-FTP_USER, user name: anonymous

Now the normal sequence:

%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/

Tries another location:

%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.051021092357p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001F: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: BSN-77-159-9.dsl.siol.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001F: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_NODE, client host name: BSN-77-159-9.dsl.siol.net
%TCPIP-I-FTP_USER, user name: anonymous

and again, the same sequence:

%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /~tmp/
%TCPIP-I-FTP_OBJ, object: /.tmp/
%TCPIP-I-FTP_OBJ, object: /_tmp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_script/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /scripts/
%TCPIP-I-FTP_OBJ, object: /bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /c:/
%TCPIP-I-FTP_OBJ, object: / /

Finally logs out - having achieved nothing, just leaving his trails:

%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from BSN-77-159-9.dsl.siol.net at 21-OCT-2005 07:29:50.74

An ISP (http://www.siol.net) located in Slovenia. Will be notified.
(Notification failed on abuse@siol.net)
----- The following addresses had permanent fatal errors -----
ABUSE@siol.si
(reason: 550 Invalid recipient: ABUSE@siol.si)
----- Transcript of session follows -----
... while talking to mailhub.siol.si.:
>>> DATA
<<< (Lost this data in publishing (was between < and >) including </span)

They can only be notified by a page on their website.

22 October: The usual.

Operator.log:
%%%%%%%%%%% OPCOM 22-OCT-2005 22:29:27.47 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: d078025.adsl.hansenet.de
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.051023002919p]

anonymous_ftp.log:
22-OCT-2005 22:29:26.27 User:anonymous logged in ident:Fgpuser@home.com from Host:d078025.adsl.hansenet.de
22-OCT-2005 22:29:27.36 User:anonymous ident:Fgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
22-OCT-2005 22:29:28.37 User:anonymous ident:Fgpuser@home.com logged out


ftp_run.log:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from d078025.adsl.hansenet.de at 22-OCT-2005 22:29:26.06
%TCPIP-I-FTP_NODE, client host name: d078025.adsl.hansenet.de
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00020: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_NODE, client host name: d078025.adsl.hansenet.de
%TCPIP-I-FTP_USER, user name: anonymous

Same for:
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/


Another attempt:

%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.051023002919p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00020: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: d078025.adsl.hansenet.de
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00020: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_NODE, client host name: d078025.adsl.hansenet.de
%TCPIP-I-FTP_USER, user name: anonymous

and the same for:

%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /admin/
%TCPIP-I-FTP_OBJ, object: /administrator/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_OBJ, object: /webmaster/
%TCPIP-I-FTP_OBJ, object: /webadmin/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /backup/
%TCPIP-I-FTP_OBJ, object: /test/
%TCPIP-I-FTP_OBJ, object: /site/
%TCPIP-I-FTP_OBJ, object: /website/
%TCPIP-I-FTP_OBJ, object: /sites/
%TCPIP-I-FTP_OBJ, object: /homepage/
%TCPIP-I-FTP_OBJ, object: / /

Finally:

%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from d078025.adsl.hansenet.de at 22-OCT-2005 22:29:28.42

Some company from Germany (www.hansanet.de) that offers training - and allows this access? Their e-mail link gives an invalid page. And the error page (in Dutch!) gives information on their server:

Apache/2.0.49 (Linux/SuSE)

I don't know if they can be contacted... Site hacked, or proxied?
At least I mailed to what I found there: info@hansanet.de.
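The pattern these excerpts share (a client that walks a list of common directory names and fails on each, or a burst of NOSUCHUSER login failures) can be pulled out of ftp_run.log mechanically rather than by reading it by hand. The following is an added example, not code from the original post; its host names are constructed and the flagging thresholds are assumptions:

```python
import re
from collections import defaultdict

# Message shapes as in the post's excerpts; after %TCPIP-E-FTP_LOGFAL the client host follows on a '-' continuation line.
SESSION = re.compile(r"^%TCPIP-I-FTP_(SESCON|SESDCN), .* from (\S+) at (\S+ \S+)")
NODE = re.compile(r"^[%-]TCPIP-I-FTP_NODE, client host name: (\S+)")
OBJ = re.compile(r"^%TCPIP-I-FTP_OBJ, object: (.*)$")
DIRFAIL = re.compile(r"^%TCPIP-I-FTP_CHINFO, \S+: Failed to (?:create|set default) directory")
LOGFAL = re.compile(r"^%TCPIP-E-FTP_LOGFAL")

def summarize_sessions(lines):
    """Per client host: session start/end, objects whose mkdir/cwd failed, and login failures."""
    s = defaultdict(lambda: {"start": None, "end": None, "failed_dirs": [], "login_failures": 0})
    host, last_obj, after_logfal = None, None, False
    for line in lines:
        if m := SESSION.match(line):
            host = m.group(2)
            s[host]["start" if m.group(1) == "SESCON" else "end"] = m.group(3)
        elif LOGFAL.match(line):
            after_logfal = True  # the failing client is named on the next NODE line
        elif m := NODE.match(line):
            host = m.group(1)
            if after_logfal:
                s[host]["login_failures"] += 1
                after_logfal = False
        elif m := OBJ.match(line):
            last_obj = m.group(1).strip()  # kept until a CHINFO line says the operation failed
        elif DIRFAIL.match(line) and host and last_obj is not None:
            s[host]["failed_dirs"].append(last_obj)
            last_obj = None
    return dict(s)

def flag_probes(sessions, min_dirs=5, min_logins=10):
    """Hosts that failed on at least min_dirs distinct directories or min_logins logins (assumed thresholds)."""
    return sorted(h for h, v in sessions.items()
                  if len(set(v["failed_dirs"])) >= min_dirs or v["login_failures"] >= min_logins)

def probe_excerpt(host, paths, stamp="13-OCT-2005 08:39"):
    """Constructed ftp_run.log session in the shape of the post's 13-Oct excerpt (not real log data)."""
    out = [f"%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from {host} at {stamp}:08.72"]
    for p in paths:
        out += [f"%TCPIP-I-FTP_NODE, client host name: {host}", "%TCPIP-I-FTP_USER, user name: anonymous",
                f"%TCPIP-I-FTP_OBJ, object: {p}", "%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00005: Failed to set default directory",
                "%SYSTEM-W-BADIRECTORY, bad directory file format"]
    return out + [f"%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from {host} at {stamp}:16.41"]

# Constructed sample: one directory-probe session plus a 16-Oct-style burst of NOSUCHUSER login failures.
SAMPLE = (probe_excerpt("probe.example.net", ["/pub/", "/incoming/", "/_vti_pvt/", "/upload/", "/wwwroot/", "/c:/"])
          + ["%TCPIP-E-FTP_LOGFAL, remote interactive login failure test",
             "-TCPIP-I-FTP_NODE, client host name: guess.example.org", "-LOGIN-F-NOSUCHUSER, no such user"] * 16)
```

Running `flag_probes(summarize_sessions(SAMPLE))` returns both constructed hosts; the same functions work on a real ftp_run.log opened with `open(path)` since they only look at line prefixes.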

GOOGLE

Found Google in the anonymous-FTP log that goes back to 22-Aug-2004: it seems that Google is scanning anonymous FTP as well, since 8-Sep-2005:

8-SEP-2005 21:51:36.87 User:anonymous logged in ident:googlebot@google.com from Host:crawl-66-249-66-8.googlebot.com
8-SEP-2005 21:51:37.71 User:anonymous ident:googlebot@google.com status:00010001 CWD dir:WEB_DISK:[public.anonymous.perl]
8-SEP-2005 21:51:38.33 User:anonymous ident:googlebot@google.com logged out

I haven't seen google in this log before!

FTP_Run.log:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from crawl-66-249-66-8.googlebot.com at 8-SEP-2005 21:51:36.41
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from crawl-66-249-66-8.googlebot.com at 8-SEP-2005 21:51:38.47


It doesn't access the site very often; the next access is 17-Sep-2005, and that one contains an error, as does every access after that:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from crawl-66-249-65-80.googlebot.com at 17-SEP-2005 10:06:27.74
%TCPIP-I-FTP_NODE, client host name: crawl-66-249-65-80.googlebot.com
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: 66.249.65.80
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00013: Can't open data connection
%SYSTEM-F-TIMEOUT, device timeout
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from crawl-66-249-65-80.googlebot.com at 17-SEP-2005 10:08:29.83

Since nothing changed, what caused it? I warned them of the issue.

No SOAP?
Not much this time, since the project on the customer site was just an investigation, and it does work. Some issues still exist: how to get header information inside, differences in WSDL... For both, clues have been passed by the axis-user mailgroup so I can get on, testing it on Diana. A colleague is willing to investigate usage of Delphi for a client, but since the project itself is using plain .NET, it might be a better idea to use a client of that. The difference in WSDL could be solved by specifying the WSDL myself in deployment. Now to find out how to do that...
(To be continued)
