SYSMGR

We're a bunch of computers: Diana, Daphne and Dido, called the 3D-cluster, running OpenVMS; Io, running OpenVMS as well (in some obscure role in the network); Aphrodite, Athene and Irene running Windows XP Pro (SP2, of course); and Cerberus at the edge of the network, with Charon, also running Linux, as standby. SYSMGR takes care of us.

Friday, February 24

23-Feb-2006

Security
Found two attempts in the log, on FTP:

I've had this one before - at least, one from the same network in Poland:

%%%%%%%%%%% OPCOM 23-FEB-2006 02:30:24.92 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: cje3.neoplus.adsl.tpnet.pl
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.060223023214p]

The connection lasts just 4 seconds:
23-FEB-2006 02:30:24.22 User:anonymous logged in ident:Agpuser@home.com from Host:cje3.neoplus.adsl.tpnet.pl
23-FEB-2006 02:30:24.68 User:anonymous ident:Agpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
23-FEB-2006 02:30:28.01 User:anonymous ident:Agpuser@home.com logged out

Ha: a script kiddie trying to dump his stuff? (And of course Windows, and probably Linux, based.) No-one can type that fast, given that this data is logged:
%TCPIP-I-FTP_NODE, client host name: cje3.neoplus.adsl.tpnet.pl
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.060223023214p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00028: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation

This script of course has no error handling (why would it? It's crap, and most systems would accept it), because it just continues:
%TCPIP-I-FTP_NODE, client host name: cje3.neoplus.adsl.tpnet.pl
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00028: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format

and so on for:
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_cfg/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /public_html/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_OBJ, object: /www/
%TCPIP-I-FTP_OBJ, object: /html/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /~temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /~tmp/
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/

and finally it logged out:
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from cje3.neoplus.adsl.tpnet.pl at 23-FEB-2006 02:30:28.11

The second one seems not to have a DNS entry:

%%%%%%%%%%% OPCOM 23-FEB-2006 06:42:38.46 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: 216.191.217.3
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.060223064435p]

This lasted a bit longer: 22 seconds:
23-FEB-2006 06:42:22.57 User:anonymous logged in ident:Hgpuser@home.com from Host:216.191.217.3
23-FEB-2006 06:42:35.93 User:anonymous ident:Hgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
23-FEB-2006 06:42:44.44 User:anonymous ident:Hgpuser@home.com logged out

Again, I suspect a script, but some of it might be done manually (buffer recall is fast enough), and a good typist could make it:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 216.191.217.3 at 23-FEB-2006 06:42:19.19
%TCPIP-I-FTP_NODE, client host name: 216.191.217.3
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0002A: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format

There is no PUB directory, nor any of the following:
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/

Next, I guess this one wants to drop his stuff in a new, probably "hidden", directory (and there is no such thing on VMS):
%TCPIP-I-FTP_NODE, client host name: 216.191.217.3
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.060223064435p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0002A: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation

and after that one, a directory:
%TCPIP-I-FTP_NODE, client host name: 216.191.217.3
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0002A: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format

and two more:
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /inetpub/

which don't exist either. Then he gave up:
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 216.191.217.3 at 23-FEB-2006 06:42:44.54
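Both sessions above leave the same fingerprint in the FTP server log: an anonymous login, a MKD of a timestamp-tagged directory under [public.anonymous], and a walk through the usual drop-directory names, all at a tempo no human keeps up. The following is an added example, not code from this post: a small Python parser for the %TCPIP-I-FTP_* message groups in the format shown on this page that groups them per session, works out the failed-operation rate behind the "no-one can type that fast" argument, and flags the two other tell-tales. The message layout is copied from the lines above; the hosts, times, thresholds and the two constructed sample sessions are assumptions.

```python
"""Flag scripted anonymous-FTP drop-directory probes in OpenVMS TCP/IP Services
FTP server log output (the %TCPIP-I-FTP_* message groups).

Added example, not the blog's own code.  The message layout copies the lines
shown in the post; the sessions in SAMPLE_LOG are constructed (RFC 5737 test
addresses, made-up times) and are not real captures.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

TS_FMT = "%d-%b-%Y %H:%M:%S.%f"            # e.g. 23-FEB-2006 02:30:24.22
RE_SESCON = re.compile(r"^%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from (\S+) at (\S+ \S+)$")
RE_SESDCN = re.compile(r"^%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from (\S+) at (\S+ \S+)$")
RE_NODE = re.compile(r"^%TCPIP-I-FTP_NODE, client host name: (\S+)$")
RE_USER = re.compile(r"^%TCPIP-I-FTP_USER, user name: (\S+)$")
RE_OBJ = re.compile(r"^%TCPIP-I-FTP_OBJ, object: (\S+)$")
RE_CHINFO = re.compile(r"^%TCPIP-I-FTP_CHINFO, \S+: Failed to (create directory|set default directory)$")

# Directory names the scanners in the post walk through (list taken from the post).
DROP_DIRS = {"/pub/", "/public/", "/incoming/", "/pub/incoming/", "/public/incoming/",
             "/upload/", "/outgoing/", "/wwwroot/", "/inetpub/", "/_vti_pvt/", "/_vti_cnf/",
             "/_private/", "/anonymous/", "/tmp/", "/temp/", "/cgi-bin/", "/public_html/"}
MIN_RATE = 2.0        # failed operations per second (assumed threshold, above human typing)
MIN_DROP_HITS = 3     # distinct known drop directories tried (assumed threshold)

@dataclass
class Session:
    host: str
    start: Optional[datetime]
    end: Optional[datetime] = None
    user: str = ""
    probes: List[Tuple[str, str]] = field(default_factory=list)   # (object, failed action)

def looks_like_tag_dir(obj: str) -> bool:
    """True for a MKD target like [...060223023214p]: 12 digits (apparently YYMMDDhhmmss) plus a letter."""
    last = re.split(r"[.\]/]", obj.rstrip("]/"))[-1]
    return re.fullmatch(r"\d{12}[a-z]?", last, re.I) is not None

def parse_sessions(text: str) -> List[Session]:
    """Group %TCPIP-I-FTP_* message lines into per-host sessions."""
    open_by_host: Dict[str, Session] = {}
    done: List[Session] = []
    cur: Optional[Session] = None
    pending_obj = ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := RE_SESCON.match(line):
            open_by_host[m[1]] = Session(m[1], datetime.strptime(m[2], TS_FMT))
        elif m := RE_SESDCN.match(line):
            if s := open_by_host.pop(m[1], None):
                s.end = datetime.strptime(m[2], TS_FMT)
                done.append(s)
        elif m := RE_NODE.match(line):        # each failed operation starts with a NODE line
            cur = open_by_host.setdefault(m[1], Session(m[1], None))
        elif cur and (m := RE_USER.match(line)):
            cur.user = m[1]
        elif cur and (m := RE_OBJ.match(line)):
            pending_obj = m[1]
        elif cur and (m := RE_CHINFO.match(line)):
            cur.probes.append((pending_obj, m[1]))
    done.extend(open_by_host.values())        # sessions with no disconnection seen
    return done

def assess(s: Session) -> dict:
    """Score one session and return the evidence you would put in an abuse report."""
    duration = (s.end - s.start).total_seconds() if (s.start and s.end) else None
    n = len(s.probes)
    rate = round(n / duration, 2) if duration else None
    tagged = [o for o, a in s.probes if a == "create directory" and looks_like_tag_dir(o)]
    drop_hits = {o.lower() for o, a in s.probes if a == "set default directory"} & DROP_DIRS
    reasons = []
    if rate is not None and rate >= MIN_RATE:
        reasons.append(f"{n} failed operations in {duration:.2f}s ({rate}/s)")
    if tagged:
        reasons.append(f"MKD of timestamp-tagged directory {tagged[0]}")
    if len(drop_hits) >= MIN_DROP_HITS:
        reasons.append(f"walked {len(drop_hits)} known drop directories")
    return {"host": s.host, "user": s.user, "probes": n, "duration": duration, "rate": rate,
            "tagged_mkd": bool(tagged), "drop_hits": len(drop_hits),
            "verdict": "scripted probe" if reasons else "no finding", "reasons": reasons}

def _event(host: str, obj: str, action: str, status: str) -> str:
    """One failed-operation message group in the layout the post shows (constructed)."""
    return (f"%TCPIP-I-FTP_NODE, client host name: {host}\n%TCPIP-I-FTP_USER, user name: anonymous\n"
            f"%TCPIP-I-FTP_OBJ, object: {obj}\n%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00028: Failed to {action}\n"
            f"%SYSTEM-{status}\n")

SCAN_HOST, HUMAN_HOST = "192.0.2.77", "192.0.2.10"     # constructed test addresses
BADDIR = "W-BADIRECTORY, bad directory file format"
SAMPLE_LOG = (
    f"%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from {SCAN_HOST} at 23-FEB-2006 02:30:24.22\n"
    + _event(SCAN_HOST, "WEB_DISK:[public.anonymous.060223023214p]", "create directory",
             "F-NOPRIV, insufficient privilege or object protection violation")
    + "".join(_event(SCAN_HOST, d, "set default directory", BADDIR) for d in
              ["/pub/", "/public/", "/_vti_pvt/", "/incoming/", "/upload/", "/wwwroot/", "/cgi-bin/", "/tmp/"])
    + f"%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from {SCAN_HOST} at 23-FEB-2006 02:30:28.11\n"
    # A human who mistypes one directory over 40 seconds: same messages, different tempo.
    + f"%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from {HUMAN_HOST} at 23-FEB-2006 10:00:00.00\n"
    + _event(HUMAN_HOST, "/pub/", "set default directory", BADDIR)
    + f"%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from {HUMAN_HOST} at 23-FEB-2006 10:00:40.00\n"
)

def report(text: str = SAMPLE_LOG) -> Dict[str, dict]:
    """Map host -> assessment for every session found in the log text."""
    return {r["host"]: r for r in map(assess, parse_sessions(text))}

if __name__ == "__main__":
    for r in report().values():
        print(r["host"], r["user"], r["probes"], "ops", r["rate"], "/s", r["verdict"], "; ".join(r["reasons"]))
```

Run it over the FTP server's own log rather than the OPCOM stream: as the excerpts above show, OPCOM only carries the single NOPRIV on the MKD, while the CWD walk through thirty-odd names (the part that gives the scan away) is visible only in the FTP log. The thresholds are deliberately loose; the second session on this page, at roughly ten operations in 25 seconds, would fall below MIN_RATE and be caught by the timestamp-tagged MKD and the drop-directory walk instead.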

Who is behind this address:

OrgName: Allstream Corp. Corporation Allstream
OrgID: ACCA-2
Address: 200 Wellington Street West
Address: 16th Floor
City: Toronto
StateProv: ON
PostalCode: M5V-3G2
Country: CA

ReferralServer: rwhois://rwhois.allstream.com:4321

NetRange: 216.191.0.0 - 216.191.255.255
CIDR: 216.191.0.0/16
NetName: ALLSTREAM-8
NetHandle: NET-216-191-0-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.BUSINESS.ALLSTREAM.NET
NameServer: NS2.BUSINESS.ALLSTREAM.NET
Comment:
RegDate:
Updated: 2004-02-03

Canadian - and they have an abuse address. Good: they will be informed.
