RE: possible ftp attack attempt?
- To: <darren_spruell_(_at_)_sento_(_dot_)_com>, <misc_(_at_)_openbsd_(_dot_)_org>
- Subject: RE: possible ftp attack attempt?
- From: "Jyri Hovila" <jyri_(_dot_)_hovila_(_at_)_iki_(_dot_)_fi>
- Date: Sun, 30 Dec 2001 03:06:38 +0200
Looks like someone is looking for a place to store and distribute warez,
probably using some automatic tool as directory creation and removal
happens so quickly -- there's only 1 second between commands. Warez
distributors use automatic tools to find FTP servers which allow
anonymous uploading and downloading. It doesn't matter whether your
server is advertised or not, eventually they will find it unless you
restrict access to it. They usually put their stuff in weirdly named
directories to make them harder for the sysadmin to find. Unless you
*really* need to have the /incoming directory, I suggest you remove it,
or at least restrict access to your server so that it's open only to
From: owner-misc_(_at_)_openbsd_(_dot_)_org [mailto:owner-misc_(_at_)_openbsd_(_dot_)_org] On Behalf Of Darren Spruell
Sent: 30 December 2001 0:29
Subject: possible ftp attack attempt?
Looking through my logs for the obsd ftpd daemon (obsd v. 2.9 stock) I
the following lines in my logs (/var/log/xferlog):
connection from xdsl-213-168-121-91.netcologne.de
Dec 25 23:43:50 Molodetz ftpd: ANONYMOUS FTP LOGIN FROM
Dec 25 23:43:52 Molodetz ftpd: mkdir pub/011226144240p
Dec 25 23:43:53 Molodetz ftpd: mkdir incoming/011226144241p
Dec 25 23:43:54 Molodetz ftpd: rmdir incoming/011226144241p
The attempt to mkdir in pub/ failed, of course... but I don't understand
what the purpose of these directories would be. My ftp server is not
advertised, so I imagine it was discovered during a port sweep, but I'd
like to know what everyone else thinks about it.
Sento IS Dep't
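
The create-then-remove pattern discussed in this thread can be picked out of ftpd syslog output automatically. The script below is an added example, not part of either message: it flags any directory that is created and removed again within a few seconds. The log lines, the host name "ftphost", the function name and the 5-second window are constructed assumptions modelled on the lines quoted above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the ftpd lines quoted in the post.
SAMPLE_LOG = """\
Dec 25 23:43:52 ftphost ftpd[4121]: mkdir pub/011226144240p
Dec 25 23:43:53 ftphost ftpd[4121]: mkdir incoming/011226144241p
Dec 25 23:43:54 ftphost ftpd[4121]: rmdir incoming/011226144241p
Dec 26 09:10:00 ftphost ftpd[4190]: mkdir incoming/reports
Dec 26 17:45:12 ftphost ftpd[4190]: rmdir incoming/reports
"""

# Syslog prefix, optional [pid], then the mkdir/rmdir command and its path.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ ftpd(?:\[\d+\])?: "
    r"(?P<cmd>mkdir|rmdir) (?P<path>\S+)\s*$"
)

def find_write_probes(log_text, window_seconds=5, year=2001):
    """Return (path, mkdir_time, rmdir_time) for every directory that was
    created and removed again within window_seconds (hypothetical helper)."""
    window = timedelta(seconds=window_seconds)
    created = {}  # path -> time of the most recent mkdir seen for it
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["cmd"] == "mkdir":
            # A logged mkdir is only an attempt; it may have been refused.
            created[m["path"]] = ts
        elif m["path"] in created:
            made = created.pop(m["path"])
            if timedelta(0) <= ts - made <= window:
                probes.append((m["path"], made, ts))
    return probes

if __name__ == "__main__":
    for path, made, removed in find_write_probes(SAMPLE_LOG):
        print(f"write probe: {path} created {made:%b %d %H:%M:%S}, "
              f"removed {removed:%H:%M:%S}")
```

A hit means the directory was writable by whoever issued the commands, which is the condition the reply recommends removing or restricting.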