SYSMGR

We're a bunch of computers: Diana, Daphne and Dido, called the 3D-cluster, running OpenVMS; Io, running OpenVMS as well (in some obscure role in the network); Aphrodite, Athene and Irene, running Windows XP Pro (SP2, of course); and Cerberus, running Linux, at the edge of the network, with Charon, also running Linux, as standby. SYSMGR takes care of us.

Tuesday, 15-Nov-2005

Weird visit from Japan
Today's logfile showed a visitor from the other side of the globe - must have been around midnight over there:

%%%%%%%%%%% OPCOM 15-NOV-2005 13:07:30.58 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
UserName: anonymous
Source: mail.hiroshige.co.jp
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.web.temp^.3226]

%%%%%%%%%%% OPCOM 15-NOV-2005 13:07:36.06 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: mail.hiroshige.co.jp
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.temp^.3226]

Anonymous, he thinks, but TCPIP$FTP_ANONYMOUS.LOG also records the ident string the client supplied as the anonymous password, along with the host the attempt was made from:

15-NOV-2005 13:07:14.68 User:anonymous logged in ident:bot@search.net from Host:mail.hiroshige.co.jp
15-NOV-2005 13:07:42.48 User:anonymous ident:bot@search.net logged out

Some bot trying to steal information?

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from mail.hiroshige.co.jp at 15-NOV-2005 13:07:12.81
%TCPIP-I-FTP_NODE, client host name: mail.hiroshige.co.jp
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: insufficient privilege or file protection violation!
18 more of these, then the first directory-creation failure:
%TCPIP-I-FTP_NODE, client host name: mail.hiroshige.co.jp
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.web.temp^.3226]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: mail.hiroshige.co.jp
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: insufficient privilege or file protection violation!
4 more, and the second directory-creation failure:
%TCPIP-I-FTP_NODE, client host name: mail.hiroshige.co.jp
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.temp^.3226]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: mail.hiroshige.co.jp
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: -
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: insufficient privilege or file protection violation!
Seven more attempts to climb out of the tree, and that was enough:
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from mail.hiroshige.co.jp at 15-NOV-2005 13:07:42.53
The script gave up and disconnected, half a minute after it connected. The pattern, a run of refused attempts to leave the anonymous area followed by a probe to create a directory there, is what an automated scan for writable anonymous FTP servers looks like; the protection on WEB_DISK held, so all it left was noise in the logs.
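A session like the one above can be picked out of the FTP server log automatically rather than by reading it. The Python below is an added example, not code from this blog or from TCP/IP Services: it rebuilds sessions from the %TCPIP-I-FTP_* message groups quoted above, counts refused attempts to leave the anonymous area (object "-") and failed directory creations, joins each flagged session with the ident recorded in TCPIP$FTP_ANONYMOUS.LOG, and reports it. The sample log is constructed from the lines quoted in the post with the 18/4/7 repetitions expanded; the threshold of five violations, the report layout and the second, harmless session from the invented host pc.example.net are assumptions of the example.

```python
"""Flag scanner-like anonymous FTP sessions in OpenVMS TCP/IP Services logs.

Added example for this post, not code from the SYSMGR blog or from TCP/IP
Services.  Rebuilds sessions from the %TCPIP-I-FTP_* groups the post quotes,
counts privilege violations with object "-" (climbing out of the anonymous
tree) and failed directory creations (the write probe), and joins flagged
sessions with the ident from TCPIP$FTP_ANONYMOUS.LOG.  Threshold and report
layout are assumptions of this example.
"""
import re
from datetime import datetime

SESCON = re.compile(r"%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from (\S+) at (\S+ \S+)")
SESDCN = re.compile(r"%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from (\S+) at (\S+ \S+)")
USER = re.compile(r"%TCPIP-I-FTP_USER, user name: (\S+)")
OBJ = re.compile(r"%TCPIP-I-FTP_OBJ, object: ?(.*)")
CHINFO = re.compile(r"%TCPIP-I-FTP_CHINFO, \S+: (.*)")
ANON_LOGIN = re.compile(r"User:(\S+) logged in ident:(\S+) from Host:(\S+)")
VMS_TIME = "%d-%b-%Y %H:%M:%S.%f"  # e.g. 15-NOV-2005 13:07:12.81

def parse_ftp_log(text):
    """One dict per SESCON..SESDCN pair; events are (object, status) pairs."""
    sessions, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SESCON.match(line):
            current = {"host": m.group(1), "user": None, "end": None, "events": [],
                       "start": datetime.strptime(m.group(2), VMS_TIME)}
            sessions.append(current)
        elif current is None:
            continue  # text before the first session header
        elif m := SESDCN.match(line):
            current["end"] = datetime.strptime(m.group(2), VMS_TIME)
            current = None
        elif m := USER.match(line):
            current["user"] = m.group(1)
        elif m := OBJ.match(line):
            pending = m.group(1).strip() or "-"  # an empty object (the post's wrapped "-") counts as "-"
        elif m := CHINFO.match(line):
            current["events"].append((pending, m.group(1)))
        elif line.startswith("%SYSTEM-") and current["events"]:  # second status line, e.g. %SYSTEM-F-NOPRIV
            obj, status = current["events"][-1]
            current["events"][-1] = (obj, status + " / " + line)
    return sessions

def classify(session, climb_threshold=5):
    """Count both indicators for one session; the threshold is an assumption."""
    climbs = sum(1 for obj, status in session["events"]
                 if obj == "-" and "insufficient privilege" in status)
    mkdir_attempts = [obj for obj, status in session["events"] if "Failed to create directory" in status]
    reasons = []
    if climbs >= climb_threshold:
        reasons.append(f"{climbs} privilege violations with object '-'")
    if mkdir_attempts:
        reasons.append(f"{len(mkdir_attempts)} failed directory creations")
    return {"climbs": climbs, "mkdir_attempts": mkdir_attempts, "reasons": reasons}

def parse_anonymous_log(text):
    """Map client host -> ident (the string the client sent as the anonymous password)."""
    return {m.group(3): m.group(2) for m in map(ANON_LOGIN.search, text.splitlines()) if m}

def scanner_report(ftp_log, anon_log, climb_threshold=5):
    """Return one record per session that shows the scanner pattern."""
    idents, report = parse_anonymous_log(anon_log), []
    for s in parse_ftp_log(ftp_log):
        verdict = classify(s, climb_threshold)
        if verdict["reasons"]:
            seconds = (s["end"] - s["start"]).total_seconds() if s["end"] else None
            report.append({"host": s["host"], "user": s["user"], "ident": idents.get(s["host"]),
                           "seconds": seconds, **verdict})
    return report

# Sample input constructed from the lines quoted in the post: the 19/5/8 repetitions the
# post summarises are expanded, and a harmless session from an invented host is appended.
HOST = "mail.hiroshige.co.jp"
_HDR = f"%TCPIP-I-FTP_NODE, client host name: {HOST}\n%TCPIP-I-FTP_USER, user name: anonymous\n"
CLIMB = _HDR + ("%TCPIP-I-FTP_OBJ, object: -\n"
                "%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: insufficient privilege or file protection violation!\n")

def mkdir_fail(path):
    return _HDR + (f"%TCPIP-I-FTP_OBJ, object: {path}\n"
                   "%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: Failed to create directory\n"
                   "%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation\n")

SAMPLE_FTP_LOG = (
    f"%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from {HOST} at 15-NOV-2005 13:07:12.81\n"
    + CLIMB * 19 + mkdir_fail("WEB_DISK:[public.anonymous.web.temp^.3226]")
    + CLIMB * 5 + mkdir_fail("WEB_DISK:[public.anonymous.temp^.3226]") + CLIMB * 8
    + "%TCPIP-I-FTP_USER, user name: anonymous\n"
    + f"%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from {HOST} at 15-NOV-2005 13:07:42.53\n"
    + "%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from pc.example.net at 15-NOV-2005 14:02:00.10\n"
    + "%TCPIP-I-FTP_NODE, client host name: pc.example.net\n%TCPIP-I-FTP_USER, user name: anonymous\n"
    + "%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from pc.example.net at 15-NOV-2005 14:02:30.00\n"
)
SAMPLE_ANON_LOG = (
    "15-NOV-2005 13:07:14.68 User:anonymous logged in ident:bot@search.net from Host:mail.hiroshige.co.jp\n"
    "15-NOV-2005 13:07:42.48 User:anonymous ident:bot@search.net logged out\n"
)

if __name__ == "__main__":
    print(scanner_report(SAMPLE_FTP_LOG, SAMPLE_ANON_LOG))
```

Only the failed directory creations reached OPCOM; the thirty-odd refused climbs are visible in the FTP server log alone, which is why the session is reconstructed from that log and the anonymous log is used only to attach the ident. The %SYSTEM-F-NOPRIV second line is folded into the preceding status so that a directory-creation failure is not also counted as a climb.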

mail.hiroshige.co.jp ---- virus? Just tell them.
www.hiroshige.co.jp shows that this company makes all kinds of things (as so many Japanese companies do), from motor and air-conditioning parts to LCD screens and printed circuit boards. Quite likely their mail server was hijacked or hacked.
