24-Jan-2006
Some keep trying
like this one in FTP, that has tried before (at least, there have been access attempts from a DIALIN.NET user before):
%%%%%%%%%%% OPCOM 24-JAN-2006 17:44:44.80 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: p54AE7108.dip.t-dialin.net
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.060124174541p]
As usual, just a short period, according to anonymous_ftp.log:
24-JAN-2006 17:44:41.08 User:anonymous logged in ident:Zgpuser@home.com from Host:p54AE7108.dip.t-dialin.net
24-JAN-2006 17:44:44.51 User:anonymous ident:Zgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
24-JAN-2006 17:44:47.90 User:anonymous ident:Zgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]tagged.;
24-JAN-2006 17:44:48.03 User:anonymous ident:Zgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]Tagged.;
24-JAN-2006 17:44:48.12 User:anonymous ident:Zgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]TaGGeD.;
24-JAN-2006 17:44:48.26 User:anonymous ident:Zgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]data.;.;
24-JAN-2006 17:44:48.39 User:anonymous ident:Zgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]Data.;.;
24-JAN-2006 17:44:48.55 User:anonymous ident:Zgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]^%.;.;.;
24-JAN-2006 17:44:48.69 User:anonymous ident:Zgpuser@home.com logged out
About 7 seconds - a script, obviously, since I doubt very much that someone could type that fast.
There was quite a lot more - as is shown in FTP_RUN.LOG. First, just trying to access directories:
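The timing argument above can be checked mechanically. This Python example is added here and is not part of the original post: it groups anonymous_ftp.log lines into sessions and flags those with several failed CWDs in a few seconds. The sample lines are constructed in the log layout shown above, the thresholds are assumptions, and the status field is assumed to be a hexadecimal VMS condition value (odd means success).

```python
import re
from datetime import datetime

MONTHS = "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split()
LINE = re.compile(r"(\d{1,2})-([A-Z]{3})-(\d{4}) (\d\d):(\d\d):(\d\d)\.(\d\d) User:(\S+) (.*)")
# Constructed sample in the anonymous_ftp.log layout shown above; hosts and idents are made up.
SAMPLE = """\
24-JAN-2006 17:44:41.08 User:anonymous logged in ident:probe@example.com from Host:scanner.example.net
24-JAN-2006 17:44:44.51 User:anonymous ident:probe@example.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
24-JAN-2006 17:44:47.90 User:anonymous ident:probe@example.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]tagged.;
24-JAN-2006 17:44:48.26 User:anonymous ident:probe@example.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]data.;.;
24-JAN-2006 17:44:48.55 User:anonymous ident:probe@example.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]^%.;.;.;
24-JAN-2006 17:44:48.69 User:anonymous ident:probe@example.com logged out
24-JAN-2006 18:00:00.00 User:anonymous logged in ident:reader@example.org from Host:client.example.org
24-JAN-2006 18:00:20.00 User:anonymous ident:reader@example.org status:00010001 CWD dir:WEB_DISK:[public.anonymous]
24-JAN-2006 18:03:00.00 User:anonymous ident:reader@example.org logged out
"""

def sessions(lines):
    """Group log lines into sessions keyed by (user, ident); the host appears only at login."""
    live, done = {}, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(2) not in MONTHS:
            continue
        d, mon, y, hh, mi, ss, cc, user, rest = m.groups()
        ts = datetime(int(y), MONTHS.index(mon) + 1, int(d), int(hh), int(mi), int(ss), int(cc) * 10000)
        ident = re.search(r"ident:(\S+)", rest)
        key = (user, ident.group(1) if ident else "")
        status = re.search(r"status:([0-9A-Fa-f]{8}) CWD", rest)
        if rest.startswith("logged in"):
            host = re.search(r"Host:(\S+)", rest)
            live[key] = {"host": host.group(1) if host else "?", "start": ts, "cwd": 0, "failed": 0}
        elif key in live and status:
            live[key]["cwd"] += 1
            # Assumption: status is a hex VMS condition value; an even value means failure.
            live[key]["failed"] += (int(status.group(1), 16) & 1) == 0
        elif key in live and rest.endswith("logged out"):
            s = live.pop(key)
            done.append({**s, "seconds": (ts - s["start"]).total_seconds()})
    return done

def scripted(s, min_failed=3, min_rate=0.5):
    """Flag sessions with several failed CWDs issued faster than typing speed (thresholds assumed)."""
    return s["failed"] >= min_failed and s["cwd"] / max(s["seconds"], 0.01) >= min_rate

if __name__ == "__main__":
    for s in sessions(SAMPLE.splitlines()):
        print(s["host"], s["seconds"], s["cwd"], s["failed"], "SCRIPTED" if scripted(s) else "ok")
```

Two simultaneous sessions with the same user and ident would be merged, because the host is logged only on the login line.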
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from p54AE7108.dip.t-dialin.net at 24-JAN-2006 17:44:38.59
%TCPIP-I-FTP_NODE, client host name: p54AE7108.dip.t-dialin.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
and other directories the same way - and the same error:
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /public/
Next, a change in behaviour: now there is an attempt to create a directory, and next an attempt to access from there (assumed - the script is unknown):
%TCPIP-I-FTP_NODE, client host name: p54AE7108.dip.t-dialin.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.060124174541p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: p54AE7108.dip.t-dialin.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
and the same error occurs on accessing other directories:
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /home/
Weird that all these are not signalled in anonymous_ftp.log - because of the Unix format, perhaps? When they look like a VMS specification, they do show up:
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]TaGGeD
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]^%
This guy - or his program - has some idea of what VMS filespecs look like - but not good enough. "^" as an escape character is right, but not the position. ":", "[" and "]" are valid for VMS, you know....
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from p54AE7108.dip.t-dialin.net at 24-JAN-2006 17:44:48.73
Bad mail was limited:
24-JAN-2006 04:11:08.62 BADMF peter@yahoo.com
24-JAN-2006 04:11:16.61 BADMF peter@yahoo.com
24-JAN-2006 04:11:24.61 BADMF peter@yahoo.com
24-JAN-2006 05:05:28.24 CLNTINRBL 143.248.223.218
24-JAN-2006 06:32:20.14 CLNTINRBL 58.51.89.8
24-JAN-2006 14:28:05.85 CLNTINRBL 69.173.46.107
24-JAN-2006 14:28:20.65 CLNTINRBL 221.10.98.121
24-JAN-2006 14:29:58.55 CLNTINRBL 200.242.18.80
24-JAN-2006 14:30:09.97 CLNTINRBL 201.44.0.238
24-JAN-2006 14:31:45.06 CLNTINRBL 210.181.15.157
24-JAN-2006 14:39:53.24 NOSPAMRLY 125.188.61.77 gjwns_22@daum.net
24-JAN-2006 18:34:55.36 NOSPAMRLY 221.140.55.69 smtphunter22@daum.net
24-JAN-2006 19:58:59.72 CLNTINRBL 24.166.164.89
and most are already known.