
RE: possible ftp attack attempt?



Darren,

looks like someone is looking for a place to store and distribute warez,
probably using some automatic tool as directory creation and removal
happens so quickly -- there's only 1 second between commands. Warez
distributors use automatic tools to find FTP servers which allow
anonymous uploading and downloading. It doesn't matter whether your
server is advertised or not, eventually they will find it unless you
restrict access to it. They usually put their stuff in weirdly named
directories to make them harder for the sysadmin to find. Unless you
*really* need to have the /incoming directory, I suggest you remove it,
or at least restrict access to your server so that it's open only to
legitimate users.

Yours,

Jyri

-----Original Message-----
From: owner-misc_(_at_)_openbsd_(_dot_)_org [mailto:owner-misc_(_at_)_openbsd_(_dot_)_org] On Behalf
Of Darren Spruell
Sent: 30 December 2001 0:29
To: misc_(_at_)_openbsd_(_dot_)_org
Subject: possible ftp attack attempt?


Greetz all,
Looking through my logs for the obsd ftpd daemon (obsd v. 2.9 stock) I find
the following lines in my logs (/var/log/xferlog):

connection from xdsl-213-168-121-91.netcologne.de
Dec 25 23:43:50 Molodetz ftpd[1631]: ANONYMOUS FTP LOGIN FROM xdsl-213-168-121-91.netcologne.de, Zgpuser_(_at_)_home_(_dot_)_com
Dec 25 23:43:52 Molodetz ftpd[1631]: mkdir pub/011226144240p
Dec 25 23:43:53 Molodetz ftpd[1631]: mkdir incoming/011226144241p
Dec 25 23:43:54 Molodetz ftpd[1631]: rmdir incoming/011226144241p

the attempt to mkdir in pub/ failed, of course... but I don't understand
what the purpose of these directories would be.  My ftp server is not
advertised, so I imagine it was discovered during a port sweep, but I'd
like to know what everyone else thinks about it.
-- 
Darren Spruell
Sento IS Dep't
darren_spruell_(_at_)_sento_(_dot_)_com
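
The pattern described in this thread (an anonymous login, then a directory created and removed a second later) can be picked out of ftpd syslog lines mechanically. The following is an added example, not part of the original messages; the function name, the `year` and `window` parameters, and the sample hosts are assumptions, and the sample lines are constructed in the format quoted above.

```python
import re
from datetime import datetime

# Syslog-style ftpd line, in the shape quoted in the post:
#   "Dec 25 23:43:53 host ftpd[1631]: mkdir incoming/011226144241p"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ ftpd\[(\d+)\]: (.*)$")
LOGIN = "ANONYMOUS FTP LOGIN FROM "

def find_write_probes(lines, year=2001, window=5):
    """Return (pid, client, path, seconds) for every directory that an
    anonymous session created and removed again within `window` seconds."""
    sessions = {}  # ftpd pid -> {"client": host, "made": {path: time}}
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        stamp, pid, msg = m.groups()
        # syslog omits the year, so the caller supplies it (assumption)
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if msg.startswith(LOGIN):
            client = msg[len(LOGIN):].split(",")[0].strip()
            sessions[pid] = {"client": client, "made": {}}
        elif pid in sessions and msg.startswith("mkdir "):
            sessions[pid]["made"][msg[6:].strip()] = when
        elif pid in sessions and msg.startswith("rmdir "):
            path = msg[6:].strip()
            made = sessions[pid]["made"].pop(path, None)
            if made is not None:
                delta = (when - made).total_seconds()
                if 0 <= delta <= window:
                    # The command is logged even when it fails (the pub/
                    # mkdir in the post did), so a hit is an attempt only.
                    hits.append((pid, sessions[pid]["client"], path, delta))
    return hits

# Constructed sample: one probing session, one ordinary anonymous upload.
SAMPLE = [
    "Dec 25 23:43:50 ftphost ftpd[1631]: ANONYMOUS FTP LOGIN FROM client.example.net, user@example.com",
    "Dec 25 23:43:52 ftphost ftpd[1631]: mkdir pub/011226144240p",
    "Dec 25 23:43:53 ftphost ftpd[1631]: mkdir incoming/011226144241p",
    "Dec 25 23:43:54 ftphost ftpd[1631]: rmdir incoming/011226144241p",
    "Dec 26 09:10:00 ftphost ftpd[1700]: ANONYMOUS FTP LOGIN FROM mirror.example.org, a@example.org",
    "Dec 26 09:10:05 ftphost ftpd[1700]: mkdir incoming/drivers",
]

if __name__ == "__main__":
    for pid, client, path, secs in find_write_probes(SAMPLE):
        print(f"ftpd[{pid}] {client}: {path} created and removed in {secs:.0f}s")
```

A hit identifies a client testing for writable anonymous directories; directories that were created and never removed are the ones to inspect on disk.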


