SYSMGR

We're a bunch of computers: Diana, Daphne and Dido, called the 3D-cluster, running OpenVMS; Io, running OpenVMS as well (in some obscure role in the network); Aphrodite, Athene and Irene, running Windows XP Pro (SP2, of course); and Cerberus at the edge of the network, with Charon, also running Linux, as standby. SYSMGR takes care of us.

Tuesday, December 27

26-Dec-2005

Security report
FTP:
There have been two attempts since the last reboot (23-Dec-2005).
The first one appears to be some script kiddie in Poland:

%%%%%%%%%%% OPCOM 24-DEC-2005 04:25:09.63 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: abyq115.neoplus.adsl.tpnet.pl
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.051224042455p]

As so often, the whole session lasts just a few seconds:

24-DEC-2005 04:25:08.41 User:anonymous logged in ident:Ogpuser@home.com from Host:abyq115.neoplus.adsl.tpnet.pl
24-DEC-2005 04:25:09.50 User:anonymous ident:Ogpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
24-DEC-2005 04:25:12.20 User:anonymous ident:Ogpuser@home.com logged out

In these three seconds, he tried this:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from abyq115.neoplus.adsl.tpnet.pl at 24-DEC-2005 04:25:08.13
%TCPIP-I-FTP_NODE, client host name: abyq115.neoplus.adsl.tpnet.pl
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.051224042455p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0000E: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: abyq115.neoplus.adsl.tpnet.pl
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0000E: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_NODE, client host name: abyq115.neoplus.adsl.tpnet.pl
%TCPIP-I-FTP_USER, user name: anonymous

and the expected sequence of:

%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_cfg/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /public_html/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_OBJ, object: /www/
%TCPIP-I-FTP_OBJ, object: /html/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /~temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /~tmp/
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/

Finally:
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from abyq115.neoplus.adsl.tpnet.pl at 24-DEC-2005 04:25:12.29

It seems that this provider can only be contacted in Polish, which I don't speak. So, by this: be warned about tpnet.pl!

The second one seems to be from the USA:

%%%%%%%%%%% OPCOM 26-DEC-2005 01:52:48.84 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: www.vcgg.com
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.051225195248p]

Once again, a short connection:

26-DEC-2005 01:52:46.22 User:anonymous logged in ident:Hgpuser@home.com from Host:www.vcgg.com
26-DEC-2005 01:52:47.35 User:anonymous ident:Hgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
26-DEC-2005 01:52:54.48 User:anonymous ident:Hgpuser@home.com logged out

Nothing seems wrong here; the session might have been started by hand, but the rest must have been a script:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from www.vcgg.com at 26-DEC-2005 01:52:45.90
%TCPIP-I-FTP_NODE, client host name: www.vcgg.com
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.051225195248p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00013: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: www.vcgg.com
%TCPIP-I-FTP_USER, user name: anonymous

The rest is the "normal" sequence:

%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_cfg/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /public_html/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_OBJ, object: /www/
%TCPIP-I-FTP_OBJ, object: /html/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /~temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /~tmp/
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /tagged/
%TCPIP-I-FTP_OBJ, object: /tagged.by/

%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from www.vcgg.com at 26-DEC-2005 01:52:54.59

WHOIS for vcgg.com shows it's a law firm in the US:

Registrant:
Vellines, Cobbs, Goodwin & Glass Attorney's At Law
Echols Bldg, Court Square
Staunton, VA 24401 US
Domain Name: VCGG.COM
Administrative Contact:
Goodwin, Chap chap@VCGG.COM
Velines Cobbs, Goodwin & Glass Attorney's At Law
Echols Bldg, Court Square
Staunton, VA 24401
US (540) 885-1205 fax: (540) 885-7599
Technical Contact:
Administrator, DNS dns@ntelos.net
Ntelos, Inc., 1154 Shenandoah Village Dr, Waynesboro, VA 22980
US (540) 946-2638 fax: (540) 942-3000
Record expires on 01-May-2006.
Record created on 30-Apr-1997.
Database last updated on 27-Dec-2005 11:35:03 EST.

The website the attempt came from (www.vcgg.com) requires authentication. Either it has been hacked, is being abused in some way, or there is a virus on it. I have reported this to the only contact I could find.

Mail:
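Both sessions above have the same shape: an anonymous login, a failed attempt to create a directory under the anonymous area, and a burst of CWDs through a fixed list of directory names within a few seconds. The Python below is added here and is not part of the original SYSMGR post: it groups log lines in the TCPIP$FTP format quoted above into sessions and flags the ones with that shape. The sample log, its hostnames and the thresholds (three known paths within ten seconds) are assumptions for illustration.

```python
import re
from datetime import datetime

# Paths the scanner walked through (taken from the FTP_OBJ lines in the report above).
SCANNER_PATHS = {"/pub/", "/public/", "/_vti_pvt/", "/_private/", "/incoming/", "/upload/", "/wwwroot/"}
SESSION_RE = re.compile(r"session (?:dis)?connection from (\S+) at (.+)$")
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"                    # e.g. 24-DEC-2005 04:25:08.13

def parse_sessions(log_text):
    """Group TCPIP$FTP log lines into closed SESCON..SESDCN sessions."""
    sessions, cur = [], None
    for line in log_text.splitlines():
        if "FTP_SESCON" in line:                    # session opens
            host, ts = SESSION_RE.search(line).groups()
            cur = dict(host=host, start=datetime.strptime(ts, TS_FMT), user=None, objects=[], mkdir_failed=False)
        elif cur is None:
            continue                                # line outside any session
        elif "FTP_USER" in line:
            cur["user"] = line.rsplit(": ", 1)[1]
        elif "FTP_OBJ" in line:
            cur["objects"].append(line.rsplit(": ", 1)[1])
        elif "Failed to create directory" in line:
            cur["mkdir_failed"] = True
        elif "FTP_SESDCN" in line:                  # session closes
            cur["end"] = datetime.strptime(SESSION_RE.search(line).group(2), TS_FMT)
            sessions.append(cur)
            cur = None
    return sessions

def flag_session(s, min_hits=3, max_seconds=10.0):
    """Reasons a closed session looks like the automated anonymous probe in the report."""
    reasons = []
    if s["user"] == "anonymous" and s["mkdir_failed"]:
        reasons.append("anonymous tried to create a directory (NOPRIV)")
    hits, secs = sum(o in SCANNER_PATHS for o in s["objects"]), (s["end"] - s["start"]).total_seconds()
    if hits >= min_hits and secs <= max_seconds:
        reasons.append(f"{hits} known scanner paths probed in {secs:.1f}s")
    return reasons

# Constructed sample (placeholder hostnames): one scanner session, then a harmless anonymous login.
SAMPLE_LOG = """%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from probe.example.net at 24-DEC-2005 04:25:08.13
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0000E: Failed to create directory
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from probe.example.net at 24-DEC-2005 04:25:12.29
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from mirror.example.org at 24-DEC-2005 10:00:00.00
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from mirror.example.org at 24-DEC-2005 10:03:00.00"""
```

Running `flag_session` over `parse_sessions(SAMPLE_LOG)` reports only the first session; an anonymous login that does nothing suspicious is left alone.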
Not that many since 23-Dec-2005:

23-DEC-2005 21:28:41.83 CLNTINRBL 24.232.12.228
23-DEC-2005 21:37:17.41 CLNTINRBL 210.243.234.200
23-DEC-2005 21:37:34.24 CLNTINRBL 82.210.168.183
23-DEC-2005 21:37:41.62 CLNTINRBL 66.77.153.151
23-DEC-2005 21:37:49.24 CLNTINRBL 195.0.210.77
23-DEC-2005 22:57:48.60 NOSPAMRLY 125.188.61.77 gjwns_11@daum.net
23-DEC-2005 07:12:47.29 CLNTINRBL 68.58.26.158
23-DEC-2005 09:14:48.18 CLNTINRBL 81.181.170.151
23-DEC-2005 11:37:35.88 NOSPAMRLY 222.156.13.9 sogiant.service@msa.hinet.net
24-DEC-2005 14:19:00.68 BADMF gilbert@yahoo.com
24-DEC-2005 14:19:08.18 BADMF gilbert@yahoo.com
24-DEC-2005 14:19:14.80 BADMF gilbert@yahoo.com
24-DEC-2005 18:04:03.71 CLNTINRBL 211.57.76.80
25-DEC-2005 00:12:18.40 BADMF geoffrey@yahoo.com
25-DEC-2005 00:12:26.17 BADMF geoffrey@yahoo.com
25-DEC-2005 00:12:34.04 BADMF geoffrey@yahoo.com
25-DEC-2005 03:53:42.75 CLNTINRBL 65.191.125.145
25-DEC-2005 08:05:33.53 CLNTINRBL 209.174.244.2
25-DEC-2005 08:05:40.13 CLNTINRBL 4.43.58.2
25-DEC-2005 08:05:47.54 CLNTINRBL 66.137.139.67
25-DEC-2005 08:05:55.35 CLNTINRBL 200.35.85.234
25-DEC-2005 08:06:18.77 CLNTINRBL 206.53.3.70
25-DEC-2005 08:06:29.18 CLNTINRBL 222.165.140.163
25-DEC-2005 08:06:40.99 CLNTINRBL 64.207.70.91
25-DEC-2005 12:17:08.10 CLNTINRBL 212.156.219.2
25-DEC-2005 21:49:08.32 CLNTINRBL 84.10.240.38
26-DEC-2005 22:33:48.12 BADMF henry@yahoo.com
26-DEC-2005 22:33:54.76 BADMF henry@yahoo.com
26-DEC-2005 22:34:00.70 BADMF henry@yahoo.com
