SYSMGR

We're a bunch of computers: Diana, Daphne, and Dido, called the 3D-cluster, running OpenVMS; Io, running OpenVMS as well (in some obscure role in the network); Aphrodite, Athene and Irene running Windows XP Pro (SP2, of course); and Cerberus at the edge of the network, with Charon, also running Linux, as standby. SYSMGR takes care of us.

Monday, February 27

27-Feb-2006

Logs were cycled properly - including Apache logs. Apache_index.html has indeed been re-created and shows 3 empty and 1 big ACCESS_LOG file - like last week.
Web security
Found of course a few interesting abuse attempts in HTTP, running scripts I don't have (so they warn me anyway):
File does not exist: /www/awstats/awstats.pl
script not found or unable to stat: /apache$root/cgi-bin/awstats.pl
script not found or unable to stat: /apache$root/cgi-bin/awstats
File does not exist: /www/index.php
File does not exist: /www/mambo/index2.php
File does not exist: /www/cvs/index2.php
File does not exist: /www/articles/mambo/index2.php
File does not exist: /www/xmlrpc.php
File does not exist: /www/blog/xmlrpc.php
File does not exist: /www/blog/xmlsrv/xmlrpc.php
File does not exist: /www/blogs/xmlsrv/xmlrpc.php
File does not exist: /www/drupal/xmlrpc.php
File does not exist: /www/phpgroupware/xmlrpc.php
File does not exist: /www/wordpress/xmlrpc.php
File does not exist: /www/xmlrpc/xmlrpc.php
File does not exist: /www/xmlsrv/xmlrpc.php
File does not exist: /www/ + /
File does not exist: /www/phpmyadmin/main.php
File does not exist: /www/cvs/index2.php
File does not exist: /www/articles/mambo/index2.php
File does not exist: /www/cvs/mambo/index2.php

Addresses that tried some or all of these:
63.126.131.10
67.19.26.114
69.183.25.176
81.169.169.215
200.43.57.210
202.157.177.49
203.146.247.69
210.19.111.9
218.104.211.118

Some other (typo? since these are the only single-line ones this week):
[Thu Feb 23 05:37:53 2006] [error] [client 213.254.203.210] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
and this line:
File does not exist: /www/OpenVMS/perl/binarykit/perl-5_8_4-vmsaxp-7_2-1.zip
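The lines above are the message part of Apache's error_log; the one full line quoted earlier shows the layout with the timestamp, level and client address in front. Below is an added example (my code, not from the original post or from the software it mentions) that groups such lines by client address and flags a client that walks through several of the well-known application paths listed above (awstats, xmlrpc.php, Mambo's index2.php, phpMyAdmin), or that sends the DFind "w00tw00t" marker. The log lines inside it are constructed for the example; the addresses and timestamps are illustrative and not taken from the post, and the grouping of paths into "families" is my own.

```python
"""Triage Apache error_log lines for web-application scanners.

Added example, not part of the original post. It groups the
"File does not exist" / "script not found or unable to stat" messages
by client address and flags clients that walk a list of well-known
application paths, or that send the DFind "w00tw00t" marker.
The log lines below are constructed; addresses and timestamps are
illustrative and not taken from the post.
"""
import re
from collections import defaultdict

# Apache 1.3 / 2.0 error_log layout: [date] [level] [client IP] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$"
)
# Messages meaning "the request asked for a file or script we do not serve"
PROBE_RE = re.compile(
    r"^(?:File does not exist|script not found or unable to stat): (?P<path>.+)$"
)
# Path fragments that mark a scanner working through known-vulnerable apps.
# The names come from the post's own list; grouping them into families is mine.
SIGNATURES = {
    "awstats": ("awstats",),
    "xmlrpc": ("xmlrpc.php",),
    "mambo": ("mambo", "index2.php"),
    "phpmyadmin": ("phpmyadmin",),
}


def classify(path):
    """Return the scanner family a probed path belongs to, or None."""
    lowered = path.lower()
    for family, needles in SIGNATURES.items():
        if any(n in lowered for n in needles):
            return family
    return None


def triage(lines, min_paths=3):
    """Group probes by client IP.

    Returns {ip: {"paths": set, "families": set, "dfind": bool}} for every
    client that hit at least min_paths distinct missing paths, or that sent
    the w00tw00t marker (one such line is conclusive on its own).
    """
    clients = defaultdict(lambda: {"paths": set(), "families": set(), "dfind": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an error_log line in this layout
        rec = clients[m["ip"]]
        probe = PROBE_RE.match(m["msg"])
        if probe:
            rec["paths"].add(probe["path"])
            family = classify(probe["path"])
            if family:
                rec["families"].add(family)
        elif "w00tw00t" in m["msg"]:
            rec["dfind"] = True
    return {ip: rec for ip, rec in clients.items()
            if len(rec["paths"]) >= min_paths or rec["dfind"]}


# Constructed sample in the layout of the one full line the post shows.
SAMPLE_LOG = """\
[Fri Feb 24 10:01:02 2006] [error] [client 192.0.2.10] File does not exist: /www/xmlrpc.php
[Fri Feb 24 10:01:02 2006] [error] [client 192.0.2.10] File does not exist: /www/blog/xmlrpc.php
[Fri Feb 24 10:01:03 2006] [error] [client 192.0.2.10] File does not exist: /www/mambo/index2.php
[Fri Feb 24 10:01:03 2006] [error] [client 192.0.2.10] script not found or unable to stat: /apache$root/cgi-bin/awstats.pl
[Fri Feb 24 11:30:00 2006] [error] [client 198.51.100.7] File does not exist: /www/favicon.ico
[Thu Feb 23 05:37:53 2006] [error] [client 203.0.113.9] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
""".splitlines()

if __name__ == "__main__":
    for ip, rec in sorted(triage(SAMPLE_LOG).items()):
        print(ip, sorted(rec["families"]), len(rec["paths"]), "paths",
              "DFind" if rec["dfind"] else "")
```

A single 404 on /www/favicon.ico is ordinary browser behaviour and stays below the threshold; a client asking for xmlrpc.php under several directories plus awstats in the same minute is a scanner, whatever it finds. The threshold and the signature list are knobs: on a server that actually runs one of these applications, drop that family from SIGNATURES, since real users will hit its path.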
More on security
FTP had just two scripts running that tried a lot.
The first one seems to me to be a hacked mail server - shame on SIEMENS!
%%%%%%%%%%% OPCOM 24-FEB-2006 01:32:03.89 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: mail.siemens.com.by
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.060224023453p]
It took just 9 seconds:
24-FEB-2006 01:31:59.97 User:anonymous logged in ident:Kgpuser@home.com from Host:mail.siemens.com.by
24-FEB-2006 01:32:03.66 User:anonymous ident:Kgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
24-FEB-2006 01:32:07.05 User:anonymous ident:Kgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]tagged.;
24-FEB-2006 01:32:07.23 User:anonymous ident:Kgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]Tagged.;
24-FEB-2006 01:32:07.40 User:anonymous ident:Kgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]TaGGeD.;
24-FEB-2006 01:32:07.68 User:anonymous ident:Kgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]data.;.;
24-FEB-2006 01:32:07.85 User:anonymous ident:Kgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]Data.;.;
24-FEB-2006 01:32:08.10 User:anonymous ident:Kgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]^%.;.;.;
24-FEB-2006 01:32:09.14 User:anonymous ident:Kgpuser@home.com logged out
and attempting:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from mail.siemens.com.by at 24-FEB-2006 01:31:59.58
%TCPIP-I-FTP_NODE, client host name: mail.siemens.com.by
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0002B: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
and the same on:
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /public/
Next trying a new directory:
%TCPIP-I-FTP_NODE, client host name: mail.siemens.com.by
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.060224023453p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0002B: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: mail.siemens.com.by
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0002B: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
and this goes on:
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]TaGGeD
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]^%
and the script ends without doing harm (but using resources and bandwidth).
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from mail.siemens.com.by at 24-FEB-2006 01:32:09.24

The other one is from France:
%%%%%%%%%%% OPCOM 25-FEB-2006 05:05:10.98 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: AFontenayssB-151-1-46-55.w82-121.abo.wanadoo.fr
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.060225050703p]
It took just 4 seconds:
25-FEB-2006 05:05:10.25 User:anonymous logged in ident:Pgpuser@home.com from Host:AFontenayssB-151-1-46-55.w82-121.abo.wanadoo.fr
25-FEB-2006 05:05:10.79 User:anonymous ident:Pgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
25-FEB-2006 05:05:14.96 User:anonymous ident:Pgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]incoming.;
25-FEB-2006 05:05:17.48 User:anonymous ident:Pgpuser@home.com logged out
to learn this all doesn't work:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from AFontenayssB-151-1-46-55.w82-121.abo.wanadoo.fr at 25-FEB-2006 05:05:09.86
%TCPIP-I-FTP_NODE, client host name: AFontenayssB-151-1-46-55.w82-121.abo.wanadoo.fr
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.060225050703p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0002C: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: AFontenayssB-151-1-46-55.w82-121.abo.wanadoo.fr
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0002C: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
and the same for this bunch of directories:
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /cgibin/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /in/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /audio/
%TCPIP-I-FTP_OBJ, object: / /
%TCPIP-I-FTP_OBJ, object: / /
%TCPIP-I-FTP_OBJ, object: / /
%TCPIP-I-FTP_OBJ, object: / /
%TCPIP-I-FTP_OBJ, object: / /
%TCPIP-I-FTP_OBJ, object: /.tmp/
%TCPIP-I-FTP_OBJ, object: /win/
%TCPIP-I-FTP_OBJ, object: //
%TCPIP-I-FTP_OBJ, object: /root/
%TCPIP-I-FTP_OBJ, object: /games/
%TCPIP-I-FTP_OBJ, object: /inetpub/
%TCPIP-I-FTP_OBJ, object: /_derived/
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]incoming
%TCPIP-I-FTP_OBJ, object: /wwwrootx/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /webroot/
%TCPIP-I-FTP_OBJ, object: /bin/
%TCPIP-I-FTP_OBJ, object: /dev/
%TCPIP-I-FTP_OBJ, object: /etc/
%TCPIP-I-FTP_OBJ, object: /lib/
%TCPIP-I-FTP_OBJ, object: /share/
%TCPIP-I-FTP_OBJ, object: /_kurdt/
%TCPIP-I-FTP_OBJ, object: /log/
%TCPIP-I-FTP_OBJ, object: /logs/
%TCPIP-I-FTP_OBJ, object: /_aux/
%TCPIP-I-FTP_OBJ, object: /aux/
%TCPIP-I-FTP_OBJ, object: /com1/
%TCPIP-I-FTP_OBJ, object: /com2/
%TCPIP-I-FTP_OBJ, object: /com3/
%TCPIP-I-FTP_OBJ, object: /aux1/
%TCPIP-I-FTP_OBJ, object: /aux2/
%TCPIP-I-FTP_OBJ, object: /aux3/
%TCPIP-I-FTP_OBJ, object: /ltp1/
%TCPIP-I-FTP_OBJ, object: /ltp2/
%TCPIP-I-FTP_OBJ, object: /ltp3/
%TCPIP-I-FTP_OBJ, object: /scan/
%TCPIP-I-FTP_OBJ, object: /scanned/
%TCPIP-I-FTP_OBJ, object: /tag/
%TCPIP-I-FTP_OBJ, object: /taggued/
%TCPIP-I-FTP_OBJ, object: /_sysops/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
Again, without harm but using disk space (above are just the lines stating what has been tried; I removed all lines stating the failure). He logged out:
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from AFontenayssB-151-1-46-55.w82-121.abo.wanadoo.fr at 25-FEB-2006 05:05:17.57
I may report this to the ISP, but I have my doubts about what may be done to prevent this...
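Both FTP sessions above follow the same script: anonymous login, a rapid walk through a canned list of upload locations (/incoming/, /upload/, /_vti_pvt/, /wwwroot/ ...), an attempt to create a directory whose name is a YYMMDDHHMMSS timestamp with a trailing "p" (060224023453p, 060225050703p), and logout within seconds. My reading of this, not stated in the post, is that the directory is the "tag" such scanners leave to prove a writable anonymous directory exists for later abuse; the probes into "tagged" and "Data" look for tags left by earlier runs. The example below (my code, not from the original post or from TCP/IP Services) rebuilds sessions from the %TCPIP-I-FTP_* messages in the layout shown above and flags this pattern. It treats each FTP_OBJ line as one probe and each FTP_CHINFO "Failed to ..." line as one failure, without interpreting VMS status codes. The log excerpt inside it is constructed; the host names and times are illustrative.

```python
"""Rebuild OpenVMS TCP/IP Services FTP server sessions and flag anonymous
writable-directory scanners.

Added example, not from the original post. It parses the %TCPIP-I-FTP_*
messages (SESCON, NODE, USER, OBJ, CHINFO, SESDCN), rebuilds each session,
and flags: anonymous login, a burst of distinct directory probes within a
short window, and an attempt to create a timestamp-named "tag" directory.
The excerpt below is constructed; host names and times are illustrative.
"""
import re
from datetime import datetime

TS_FMT = "%d-%b-%Y %H:%M:%S.%f"   # e.g. 24-FEB-2006 01:31:59.58

SESCON_RE = re.compile(r"^%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from (\S+) at (.+)$")
SESDCN_RE = re.compile(r"^%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from (\S+) at (.+)$")
NODE_RE = re.compile(r"^%TCPIP-I-FTP_NODE, client host name: (\S+)$")
USER_RE = re.compile(r"^%TCPIP-I-FTP_USER, user name: (\S+)$")
OBJ_RE = re.compile(r"^%TCPIP-I-FTP_OBJ, object: (.*)$")
CHINFO_RE = re.compile(r"^%TCPIP-I-FTP_CHINFO, \S+: Failed to ")
# A VMS directory name of 12 digits plus 'p', e.g. [public.anonymous.060224023453p]
TAG_RE = re.compile(r"\.\d{12}p\]")


def _ts(text):
    return datetime.strptime(text.strip(), TS_FMT)


def _new_session(host, start=None):
    return {"host": host, "start": start, "end": None, "user": None,
            "objects": [], "failures": 0, "tag_attempt": False}


def parse_sessions(lines):
    """Return finished sessions in disconnect order.

    NODE lines name the host the following USER/OBJ/CHINFO lines belong to,
    so interleaved sessions from different hosts are kept apart.
    """
    active, done, current = {}, [], None
    for raw in lines:
        line = raw.strip()
        m = SESCON_RE.match(line)
        if m:
            current = m.group(1)
            active[current] = _new_session(current, _ts(m.group(2)))
            continue
        m = SESDCN_RE.match(line)
        if m and m.group(1) in active:
            sess = active.pop(m.group(1))
            sess["end"] = _ts(m.group(2))
            done.append(sess)
            continue
        m = NODE_RE.match(line)
        if m:
            current = m.group(1)
            active.setdefault(current, _new_session(current))  # tolerate a lost SESCON
            continue
        if current not in active:
            continue  # %SYSTEM-* detail lines, or lines outside any session
        sess = active[current]
        m = USER_RE.match(line)
        if m:
            sess["user"] = m.group(1)
        elif OBJ_RE.match(line):
            obj = OBJ_RE.match(line).group(1)
            sess["objects"].append(obj)
            if TAG_RE.search(obj):
                sess["tag_attempt"] = True
        elif CHINFO_RE.match(line):
            sess["failures"] += 1
    return done


def duration_seconds(sess):
    if sess["start"] is None or sess["end"] is None:
        return None
    return (sess["end"] - sess["start"]).total_seconds()


def flag(sess, min_objects=10, max_seconds=60):
    """Reasons to treat a session as a scanner; empty list means clean."""
    reasons = []
    d = duration_seconds(sess)
    if (sess["user"] == "anonymous" and len(set(sess["objects"])) >= min_objects
            and d is not None and d <= max_seconds):
        reasons.append("burst of directory probes")
    if sess["tag_attempt"]:
        reasons.append("timestamp tag directory")
    return reasons


# Constructed excerpt: one scanner session, one ordinary anonymous session.
SAMPLE_LOG = """\
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from scanner.example.net at 24-FEB-2006 01:31:59.58
%TCPIP-I-FTP_NODE, client host name: scanner.example.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0002B: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_NODE, client host name: scanner.example.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.060224023453p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0002B: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from scanner.example.net at 24-FEB-2006 01:32:09.24
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from mirror.example.org at 24-FEB-2006 02:10:00.00
%TCPIP-I-FTP_NODE, client host name: mirror.example.org
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from mirror.example.org at 24-FEB-2006 02:12:30.00
""".splitlines()

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(s["host"], s["user"], len(set(s["objects"])), "probes in",
              duration_seconds(s), "s:", flag(s) or "clean")
```

The thresholds match what the post shows (several dozen directories in 4 to 10 seconds), so a real user browsing /pub/ for two minutes stays clean while the scripted session trips both rules. The tag-directory rule needs only one line and is the more reliable of the two; seeing it succeed rather than fail with NOPRIV is the moment the anonymous area has become a drop site and the directory protection needs fixing.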

Mail had just a few:

24-FEB-2006 00:56:13.75 CLNTINRBL 85.136.165.215
and 12 more with an interval of about 10 seconds
24-FEB-2006 03:38:53.30 NOSPAMRLY 58.225.75.149 ehstkah@hanmail.net
24-FEB-2006 04:22:23.41 NOSPAMRLY 125.188.63.10 gjwns_22@daum.net
24-FEB-2006 07:54:26.64 CLNTINRBL 81.214.130.89
24-FEB-2006 12:24:53.95 NOSPAMRLY 221.140.55.69 louisjin@netian.com
24-FEB-2006 17:48:24.60 CLNTINRBL 213.25.140.4
24-FEB-2006 23:54:22.09 CLNTINRBL 61.78.125.154
25-FEB-2006 01:11:04.58 CLNTINRBL 69.15.178.42
25-FEB-2006 03:33:01.89 CLNTINRBL 221.11.70.158
25-FEB-2006 07:48:03.99 NOSPAMRLY 125.188.63.10 gjwns_22@daum.net
25-FEB-2006 08:53:08.92 CLNTINRBL 24.21.221.220
25-FEB-2006 08:53:28.95 CLNTINRBL 81.190.159.87
25-FEB-2006 08:53:32.15 CLNTINRBL 71.197.50.2
25-FEB-2006 10:04:19.41 NOSPAMRLY 221.140.55.69 louisjin@netian.com
25-FEB-2006 19:24:07.82 CLNTINRBL 81.216.144.34
26-FEB-2006 00:04:00.69 CLNTINRBL 24.3.171.161
26-FEB-2006 00:04:08.67 CLNTINRBL 24.3.171.161
26-FEB-2006 00:04:15.28 CLNTINRBL 24.3.171.161
26-FEB-2006 01:31:33.40 CLNTINRBL 207.119.69.62
26-FEB-2006 03:40:51.72 NOSPAMRLY 211.222.179.253 louisjin@netian.com
26-FEB-2006 07:34:30.33 CLNTINRBL 195.136.246.2

If I update the list, this will be much larger since I get more and more spam. It's perhaps time to install SpamAssassin...
