25-Oct-2005
Security update
Checked the logfiles this week and found a number of attempts again - I guess (not yet checked) these were from script kiddies - there may have been one more serios attempt. None succeeded (of course):
13 october: Script kiddy at work:
Operator.log:
%%%%%%%%%%% OPCOM 13-OCT-2005 08:39:10.17 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: static-64-83-19-37.dsl.cavtel.net
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.051013042324p]
ftp_run.log:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from static-64-83-19-37.dsl.cavtel.net at 13-OCT-2005 08:39:08.72
%TCPIP-I-FTP_NODE, client host name: static-64-83-19-37.dsl.cavtel.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.051013042324p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00005: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: static-64-83-19-37.dsl.cavtel.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00005: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_NODE, client host name: static-64-83-19-37.dsl.cavtel.net
%TCPIP-I-FTP_USER, user name: anonymous
same for:
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_cfg/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /public_html/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_OBJ, object: /www/
%TCPIP-I-FTP_OBJ, object: /html/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /~temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /~tmp/
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /tagged/
%TCPIP-I-FTP_OBJ, object: /tagged.by/
Finally:
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from static-64-83-19-37.dsl.cavtel.net at 13-OCT-2005 08:39:16.41
Indeed - an ISP: http://www.cavtel.net, will be notified.
(Notification failed on abuse@cavtel.net)
----- The following addresses had permanent fatal errors -----
ABUSE@cavtel.net
(reason: 550 Gateway: 550 This user's mailbox is full (abuse@cavtel.net) - Try again later)
----- Transcript of session follows -----
... while talking to mx-incoming.cavtel.net.:
>>> RCPT To:<abuse@cavtel.net>;
<<< <abuse@cavtel.net>... User unknown
And this mail address is on their website!
16 october: a break-in attempt via port 20 or 21 (plain FTP)
ftp_run.log
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from sipco92.sipco.fr at 16-OCT-2005 02:55:17.59
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from sipco92.sipco.fr at 16-OCT-2005 02:55:17.69
%TCPIP-E-FTP_LOGFAL, remote interactive login failure test
-TCPIP-I-FTP_NODE, client host name: sipco92.sipco.fr
-LOGIN-F-NOSUCHUSER, no such user
followed by 15 more attempts...
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from sipco92.sipco.fr at 16-OCT-2005 02:55:21.80
%TCPIP-E-FTP_LOGFAL, remote interactive login failure test
-TCPIP-I-FTP_NODE, client host name: sipco92.sipco.fr
-LOGIN-F-NOSUCHUSER, no such user
A French company (www.sipco.fr) but they can be contacted.
They have been.
18 october. This one is different:
Operator.log:
%%%%%%%%%%% OPCOM 18-OCT-2005 22:09:43.76 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: 67.90.151.213.kve.cz
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.web.temp^.5995]
%%%%%%%%%%% OPCOM 18-OCT-2005 22:09:48.37 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: 67.90.151.213.kve.cz
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.temp^.5995]
anonymous_ftp.log:
18-OCT-2005 22:09:29.71 User:anonymous logged in ident:bot@search.net from Host:67.90.151.213.kve.cz
18-OCT-2005 22:09:53.71 User:anonymous ident:bot@search.net logged out
ftp_run.log:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 67.90.151.213.kve.cz at 18-OCT-2005 22:09:28.33
%TCPIP-I-FTP_NODE, client host name: 67.90.151.213.kve.cz
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001B: insufficient privilege or file protection violation!
%TCPIP-I-FTP_NODE, client host name: 67.90.151.213.kve.cz
%TCPIP-I-FTP_USER, user name: anonymous
Tries this a number of times:
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
Then tries another location:
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.web.temp^.5995]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001B: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: 67.90.151.213.kve.cz
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001B: insufficient privilege or file protection violation!
%TCPIP-I-FTP_NODE, client host name: 67.90.151.213.kve.cz
%TCPIP-I-FTP_USER, user name: anonymous
and again, tries it again to get up:
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
and another location:
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.temp^.5995]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001B: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: 67.90.151.213.kve.cz
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001B: insufficient privilege or file protection violation!
%TCPIP-I-FTP_NODE, client host name: 67.90.151.213.kve.cz
%TCPIP-I-FTP_USER, user name: anonymous
yet again, a number of attempts to browse up:
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_OBJ, object: -
Finally gives up...
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 67.90.151.213.kve.cz at 18-OCT-2005 22:09:53.86
What is he trying to achieve? browsing from give points? 'Search.net' may hold a clue. Anyway, address 213.151.90.76 is now to be investigated. Or is it a proxy from kvw.cz?
21 October: The usual again
A bit different, though.
Operator.log:
%%%%%%%%%%% OPCOM 21-OCT-2005 07:29:49.17 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: BSN-77-159-9.dsl.siol.net
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.051021092357p]
anonymous_ftp.log:
21-OCT-2005 07:29:47.94 User:anonymous logged in ident:Qgpuser@home.com from Host:BSN-77-159-9.dsl.siol.net
21-OCT-2005 07:29:49.02 User:anonymous ident:Qgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
21-OCT-2005 07:29:50.41 User:anonymous ident:Qgpuser@home.com status:000186D4 CWD dir:/c:/
21-OCT-2005 07:29:50.69 User:anonymous ident:Qgpuser@home.com logged out
How pathetic: notice he tries to access a Windows disk...
ftp_run.log:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from BSN-77-159-9.dsl.siol.net at 21-OCT-2005 07:29:47.71
%TCPIP-I-FTP_NODE, client host name: BSN-77-159-9.dsl.siol.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001F: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_NODE, client host name: BSN-77-159-9.dsl.siol.net
%TCPIP-I-FTP_USER, user name: anonymous
Now the normal sequence:
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
Tries another location:
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.051021092357p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001F: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: BSN-77-159-9.dsl.siol.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0001F: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_NODE, client host name: BSN-77-159-9.dsl.siol.net
%TCPIP-I-FTP_USER, user name: anonymous
and again, the same sequence:
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /~tmp/
%TCPIP-I-FTP_OBJ, object: /.tmp/
%TCPIP-I-FTP_OBJ, object: /_tmp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_script/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /scripts/
%TCPIP-I-FTP_OBJ, object: /bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /c:/
%TCPIP-I-FTP_OBJ, object: / /
Finally logs out - having achived nothin, just leaving his trails:
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from BSN-77-159-9.dsl.siol.net at 21-OCT-2005 07:29:50.74
an ISP http://www.siol.net located in Slovania. Will be notified.
(Notification failed on abuse@siol.net)
----- The following addresses had permanent fatal errors -----
ABUSE@siol.si
(reason: 550 Invalid recipient: ABUSE@siol.si)
----- Transcript of session follows -----
... while talking to mailhub.siol.si.:
>>> DATA
<<< (Lost this data in publishing (was between < and >) including </span)
They can only be notified by a page on their website.
22 October: The usual.
Operator.log:
%%%%%%%%%%% OPCOM 22-OCT-2005 22:29:27.47 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: d078025.adsl.hansenet.de
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.051023002919p]
anonymous_ftp.log:
22-OCT-2005 22:29:26.27 User:anonymous logged in ident:Fgpuser@home.com from Host:d078025.adsl.hansenet.de
22-OCT-2005 22:29:27.36 User:anonymous ident:Fgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
22-OCT-2005 22:29:28.37 User:anonymous ident:Fgpuser@home.com logged out
ftp_run.log:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from d078025.adsl.hansenet.de at 22-OCT-2005 22:29:26.06
%TCPIP-I-FTP_NODE, client host name: d078025.adsl.hansenet.de
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00020: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_NODE, client host name: d078025.adsl.hansenet.de
%TCPIP-I-FTP_USER, user name: anonymous
Same for:
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
Another attempt:
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.051023002919p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00020: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: d078025.adsl.hansenet.de
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00020: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_NODE, client host name: d078025.adsl.hansenet.de
%TCPIP-I-FTP_USER, user name: anonymous
and the same for:
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /admin/
%TCPIP-I-FTP_OBJ, object: /administrator/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_OBJ, object: /webmaster/
%TCPIP-I-FTP_OBJ, object: /webadmin/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /backup/
%TCPIP-I-FTP_OBJ, object: /test/
%TCPIP-I-FTP_OBJ, object: /site/
%TCPIP-I-FTP_OBJ, object: /website/
%TCPIP-I-FTP_OBJ, object: /sites/
%TCPIP-I-FTP_OBJ, object: /homepage/
%TCPIP-I-FTP_OBJ, object: / /
Finally:
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from d078025.adsl.hansenet.de at 22-OCT-2005 22:29:28.42
Some company from Germany (www.hansanet.de) that offers training - and allows this access? Their e-mail link give an invalid page. And according the error page (in Dutch!) gives information on their server:
Apache/2.0.49 (Linux/SuSE)
I don't know if they can be contacted...Site hacked, or proxied?
At least, mailed to what I found there: info@hansanet.de.
Found Google in the anonymous-FTP log that goes back to 22-Aug-2004: it seems that google is scanning anonymous-FTP as well, since 8-Sep-2005:
8-SEP-2005 21:51:36.87 User:anonymous logged in ident:googlebot@google.com from Host:crawl-66-249-66-8.googlebot.com
8-SEP-2005 21:51:37.71 User:anonymous ident:googlebot@google.com status:00010001 CWD dir:WEB_DISK:[public.anonymous.perl]
8-SEP-2005 21:51:38.33 User:anonymous ident:googlebot@google.com logged out
I haven't seen google in this log before!
FTP_Run.log:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from crawl-66-249-66-8.googlebot.com at 8-SEP-2005 21:51:36.41
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from crawl-66-249-66-8.googlebot.com at 8-SEP-2005 21:51:38.47
It doens't access the site very often, the next access is 17-Sep-2005 and that one contains an error, and every access after that as well:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from crawl-66-249-65-80.googlebot.com at 17-SEP-2005 10:06:27.74
%TCPIP-I-FTP_NODE, client host name: crawl-66-249-65-80.googlebot.com
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: 66.249.65.80
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00013: Can't open data connection
%SYSTEM-F-TIMEOUT, device timeout
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from crawl-66-249-65-80.googlebot.com at 17-SEP-2005 10:08:29.83
Since nothing changed, what caused it? I warned them of the issue.
No SOAP?
Not much this time since the project on the customer site was just an investigation and it dies work. Some issues still exist: How to get header information inside, differences in WSDL... For both, clues have been passed by the axis-user mailgroup so I can get on, testing it on Diane. A collegue is willing to investigate usage of Delphi for a client, but since the project itself is using plain .NET, it might be a better idea to use a client of that. The difference in WSDL could be solved by specifying the WSDL myself in deployment. Now to find out how the do that...
(To be continued)
0 Comments:
Post a Comment
<< Home