hello: i am curious if anyone else is seeing an attempt by a user anonymous with a password of [EMAIL PROTECTED] to ftp into their system. i found the following snippets in the message log this morning. it sent up a red flag for me. i've immediately blocked access for ftp not originating from the internal lan.
the particularly alarming part is the repetition of the command sequence used and the funky directory name that the attack attempted to create. i've emailed a message to [EMAIL PROTECTED] and [EMAIL PROTECTED]. [EMAIL PROTECTED] has replied via automated reply.

-------------- /var/log/messages ------------
Aug 2 21:32:19 mesozoic ftpd[18304]: USER anonymous
Aug 2 21:32:20 mesozoic ftpd[18304]: PASS [EMAIL PROTECTED]
Aug 2 21:32:20 mesozoic ftpd[18304]: ANONYMOUS FTP LOGIN FROM HSE-Sherbrooke-ppp79981.qc.sympatico.ca [64.229.254.170], [EMAIL PROTECTED]
Aug 2 21:32:20 mesozoic ftpd[18304]: CWD /pub/
Aug 2 21:32:21 mesozoic ftpd[18304]: MKD 010804003731p
Aug 2 21:32:21 mesozoic ftpd[18304]: anonymous([EMAIL PROTECTED]) of HSE-Sherbrooke-ppp79981.qc.sympatico.ca [64.229.254.170] tried to create directory /var/ftp/pub/010804003731p
Aug 2 21:32:21 mesozoic ftpd[18304]: CWD /public/
Aug 2 21:32:22 mesozoic ftpd[18304]: CWD /pub/incoming/
Aug 2 21:32:22 mesozoic ftpd[18304]: CWD /incoming/
Aug 2 21:32:22 mesozoic ftpd[18304]: CWD /_vti_pvt/
Aug 2 21:32:23 mesozoic ftpd[18304]: CWD /
Aug 2 21:32:23 mesozoic ftpd[18304]: MKD 010804003733p
Aug 2 21:32:23 mesozoic ftpd[18304]: anonymous([EMAIL PROTECTED]) of HSE-Sherbrooke-ppp79981.qc.sympatico.ca [64.229.254.170] tried to create directory /var/ftp/010804003733p
Aug 2 21:32:23 mesozoic ftpd[18304]: CWD /upload/
Aug 2 21:32:23 mesozoic ftpd[18304]: lost connection to HSE-Sherbrooke-ppp79981.qc.sympatico.ca [64.229.254.170]
Aug 2 21:32:23 mesozoic ftpd[18304]: FTP session closed
Aug 3 14:29:02 mesozoic ftpd[26656]: USER anonymous
Aug 3 14:29:03 mesozoic ftpd[26656]: PASS [EMAIL PROTECTED]
Aug 3 14:29:03 mesozoic ftpd[26656]: ANONYMOUS FTP LOGIN FROM ACB0A998.ipt.aol.com [172.176.169.152], [EMAIL PROTECTED]
Aug 3 14:29:03 mesozoic ftpd[26656]: CWD /pub/
Aug 3 14:29:04 mesozoic ftpd[26656]: MKD 010803233322p
Aug 3 14:29:04 mesozoic ftpd[26656]: anonymous([EMAIL PROTECTED]) of ACB0A998.ipt.aol.com [172.176.169.152] tried to create directory /var/ftp/pub/010803233322p
Aug 3 14:29:04 mesozoic ftpd[26656]: CWD /public/
Aug 3 14:29:05 mesozoic ftpd[26656]: CWD /pub/incoming/
Aug 3 14:29:05 mesozoic ftpd[26656]: CWD /incoming/
Aug 3 14:29:06 mesozoic ftpd[26656]: CWD /_vti_pvt/
Aug 3 14:29:06 mesozoic ftpd[26656]: CWD /
Aug 3 14:29:06 mesozoic ftpd[26656]: MKD 010803233324p
Aug 3 14:29:06 mesozoic ftpd[26656]: anonymous([EMAIL PROTECTED]) of ACB0A998.ipt.aol.com [172.176.169.152] tried to create directory /var/ftp/010803233324p
Aug 3 14:29:07 mesozoic ftpd[26656]: CWD /upload/
Aug 3 14:29:07 mesozoic ftpd[26656]: FTP session closed
Aug 3 14:30:00 mesozoic CROND[26658]: (root) CMD ( /sbin/rmmod -as)
Aug 4 07:15:37 mesozoic ftpd[30934]: USER anonymous
Aug 4 07:15:38 mesozoic ftpd[30934]: PASS [EMAIL PROTECTED]
Aug 4 07:15:38 mesozoic ftpd[30934]: ANONYMOUS FTP LOGIN FROM 199.44.93.188 [199.44.93.188], [EMAIL PROTECTED]
Aug 4 07:15:38 mesozoic ftpd[30934]: CWD /pub/
Aug 4 07:15:38 mesozoic ftpd[30934]: MKD 010804102033p
Aug 4 07:15:38 mesozoic ftpd[30934]: anonymous([EMAIL PROTECTED]) of 199.44.93.188 [199.44.93.188] tried to create directory /var/ftp/pub/010804102033p
Aug 4 07:15:39 mesozoic ftpd[30934]: CWD /public/
Aug 4 07:15:39 mesozoic ftpd[30934]: CWD /pub/incoming/
Aug 4 07:15:39 mesozoic ftpd[30934]: CWD /incoming/
Aug 4 07:15:39 mesozoic ftpd[30934]: CWD /_vti_pvt/
Aug 4 07:15:39 mesozoic ftpd[30934]: CWD /
Aug 4 07:15:40 mesozoic ftpd[30934]: MKD 010804102034p
Aug 4 07:15:40 mesozoic ftpd[30934]: anonymous([EMAIL PROTECTED]) of 199.44.93.188 [199.44.93.188] tried to create directory /var/ftp/010804102034p
Aug 4 07:15:40 mesozoic ftpd[30934]: CWD /upload/
Aug 4 07:15:40 mesozoic ftpd[30934]: FTP session closed

--
regards,
allen
atoka-software
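
Added example, not part of the original message: a small detector for the repeated sequence in the log above (anonymous login, an MKD of a 12-digit name ending in "p", and CWD attempts against several upload-style directories in one session). The function name, the threshold and the sample log are assumptions made for this sketch; the sample lines are constructed and use documentation addresses.

```python
import re

# Constructed sample in the syslog format shown in the post; hosts and
# addresses are placeholders from documentation ranges, not real sources.
SAMPLE_LOG = """\
Aug 2 21:32:19 host ftpd[100]: USER anonymous
Aug 2 21:32:20 host ftpd[100]: ANONYMOUS FTP LOGIN FROM a.example [192.0.2.10], x@example
Aug 2 21:32:20 host ftpd[100]: CWD /pub/
Aug 2 21:32:21 host ftpd[100]: MKD 010101000000p
Aug 2 21:32:21 host ftpd[100]: CWD /incoming/
Aug 2 21:32:22 host ftpd[100]: CWD /upload/
Aug 2 21:32:23 host ftpd[100]: FTP session closed
Aug 2 21:40:00 host CROND[150]: (root) CMD (true)
Aug 2 22:00:01 host ftpd[200]: ANONYMOUS FTP LOGIN FROM b.example [198.51.100.7], y@example
Aug 2 22:00:02 host ftpd[200]: CWD /pub/
Aug 2 22:00:09 host ftpd[200]: FTP session closed
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ ftpd\[(\d+)\]: (.*)$")
LOGIN = re.compile(r"^ANONYMOUS FTP LOGIN FROM \S+ \[([\d.]+)\]")
MARKER = re.compile(r"^\d{12}p$")  # 12 digits + 'p', the MKD name shape in the log
MIN_PROBES = 3  # assumed threshold: distinct directories tried in one session

def find_write_probes(log_text):
    """Return anonymous sessions that tried a marker MKD and probed several dirs."""
    sessions, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # other daemons (e.g. CROND) share the file
        pid, msg = m.groups()
        s = sessions.setdefault(pid, {"pid": pid, "src": None, "cwd": set(), "mkd": []})
        login = LOGIN.match(msg)
        if login:
            s["src"] = login.group(1)
        elif msg.startswith("CWD "):
            s["cwd"].add(msg[4:])
        elif msg.startswith("MKD ") and MARKER.match(msg[4:]):
            s["mkd"].append(msg[4:])
        elif msg == "FTP session closed":
            done.append(sessions.pop(pid))  # pids get reused, so close the record
    done.extend(sessions.values())  # sessions still open when the log was cut
    return [s for s in done
            if s["src"] and s["mkd"] and len(s["cwd"]) >= MIN_PROBES]

if __name__ == "__main__":
    for s in find_write_probes(SAMPLE_LOG):
        print(s["src"], s["mkd"], sorted(s["cwd"]))
```

Matching on the shape of the session rather than on the source address fits the log above, where each session arrives from a different host.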