Weird FTP Attempts Log File
Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: Weird FTP Attempts Log File

  1. #1
    Senior Member
    Join Date
    Aug 2001
    Posts
    356

    Weird FTP Attempts Log File

    Hi All,

    Today I checked the FTP log file for my web site, and I was surprised to find a lot of attempts to login to my site's FTP. A lot of the attempts were anonymous attempts, but some were strange login names. I'm wondering why people were trying to login with these names. This FTP is exclusive to me, and it has not been given out to anyone, so it is obviously someone or some group of people trying to attempt unauthorized access. I did some research on the IP Addresses the attempts were coming from, and to my surprise they are from China. So I have come to the conclusion that this could be three things.

    1) Someone who has the wrong IP Address (mine) for their FTP.
    2) Someone from China trying to get into my system
    3) Someone using a proxy in China to get into my system.

    Can anyone shed some light on why these strange user names are being tried? Names such as:

    upload
    spring
    lovelord
    lahu@263.net
    oldbird
    snly
    Qgpuser@home.com
    suyly2003@hotmail.com
    upada

    I'm not really paranoid about someone getting in. I'm just wondering what is up with the weird names they try to log in with. Maybe there are some vulnerabilities for some OS's that use those login names, or maybe vulnerabilities for some FTP servers out there that use those names. I don't know. Any ideas?

    Here is a copy of the Log File:

    #Software: Microsoft Internet Information Services 5.0
    #Version: 1.0
    #Date: 2002-06-27 02:19:34
    #Fields: time c-ip cs-method cs-uri-stem sc-status
    02:19:34 61.171.97.103 [446]USER spring 331
    02:19:34 61.171.97.103 [446]PASS - 530
    02:19:34 61.171.97.103 [446]QUIT - 530
    02:21:36 61.171.97.103 [447]USER spring 331
    02:21:36 61.171.97.103 [447]PASS - 530
    02:21:38 61.171.97.103 [447]QUIT - 530
    02:23:42 61.171.97.103 [448]USER spring 331
    02:23:42 61.171.97.103 [448]PASS - 530
    02:23:44 61.171.97.103 [448]QUIT - 530
    02:25:45 61.171.97.103 [449]USER spring 331
    02:25:45 61.171.97.103 [449]PASS - 530
    02:25:45 61.171.97.103 [449]QUIT - 530
    02:27:48 61.171.97.103 [450]USER spring 331
    02:27:48 61.171.97.103 [450]PASS - 530
    02:27:49 61.171.97.103 [450]QUIT - 530
    02:29:51 61.171.97.103 [451]USER spring 331
    02:29:51 61.171.97.103 [451]PASS - 530
    02:29:51 61.171.97.103 [451]QUIT - 530
    02:31:53 61.171.97.103 [452]USER spring 331
    02:31:53 61.171.97.103 [452]PASS - 530
    02:31:53 61.171.97.103 [452]QUIT - 530
    02:33:55 61.171.97.103 [453]USER spring 331
    02:33:55 61.171.97.103 [453]PASS - 530
    02:33:55 61.171.97.103 [453]QUIT - 530
    02:35:57 61.171.97.103 [454]USER spring 331
    02:35:57 61.171.97.103 [454]PASS - 530
    02:35:57 61.171.97.103 [454]QUIT - 530
    02:38:00 61.171.97.103 [455]USER spring 331
    02:38:00 61.171.97.103 [455]PASS - 530
    02:38:00 61.171.97.103 [455]QUIT - 530
    02:40:02 61.171.97.103 [456]USER spring 331
    02:40:02 61.171.97.103 [456]PASS - 530
    02:40:02 61.171.97.103 [456]QUIT - 530
    02:59:23 61.149.33.149 [457]USER anonymous 331
    02:59:24 61.149.33.149 [457]PASS IEUser@ 530
    02:59:27 61.149.33.149 [458]USER anonymous 331
    02:59:28 61.149.33.149 [458]PASS IEUser@ 530
    02:59:44 61.149.33.149 [459]USER anonymous 331
    02:59:44 61.149.33.149 [459]PASS IEUser@ 530
    02:59:55 61.149.33.149 [460]USER lovelord 331
    02:59:56 61.149.33.149 [460]PASS - 530
    03:07:11 211.97.182.129 [461]USER anonymous 331
    03:07:11 211.97.182.129 [461]PASS lahu@263.net 530
    03:07:15 211.97.182.129 [462]USER anonymous 331
    03:07:15 211.97.182.129 [462]PASS lahu@263.net 530
    03:07:24 211.97.182.129 [463]USER anonymous 331
    03:07:28 211.97.182.129 [463]PASS lahu@263.net 530
    03:07:40 211.97.182.129 [464]USER anonymous 331
    03:07:40 211.97.182.129 [464]PASS lahu@263.net 530
    03:08:04 211.97.182.129 [465]USER oldbird 331
    03:08:04 211.97.182.129 [465]PASS - 530
    03:08:14 211.97.182.129 [466]USER anonymous 331
    03:08:14 211.97.182.129 [466]PASS lahu@263.net 530
    03:08:37 211.97.182.129 [467]USER oldbird 331
    03:08:37 211.97.182.129 [467]PASS - 530
    03:09:01 61.149.33.149 [468]USER anonymous 331
    03:09:02 61.149.33.149 [468]PASS IEUser@ 530
    03:09:13 61.149.33.149 [469]USER upload 331
    03:09:15 61.149.33.149 [469]PASS - 530
    03:09:32 61.149.33.149 [470]USER upload 331
    03:09:34 61.149.33.149 [470]PASS - 530
    03:23:08 210.72.53.2 [471]USER anonymous 331
    03:23:11 210.72.53.2 [471]PASS proxy@ 530
    03:58:10 61.171.63.105 [472]USER anonymous 331
    03:58:10 61.171.63.105 [472]PASS guest@ 530
    03:58:35 61.171.63.105 [473]USER anonymous 331
    03:58:35 61.171.63.105 [473]PASS guest@ 530
    03:58:44 61.171.63.105 [473]USER spring163 331
    03:58:55 61.171.63.105 [474]USER anonymous 331
    03:58:55 61.171.63.105 [474]PASS guest@ 530
    03:59:01 61.171.63.105 [474]USER spring 331
    03:59:05 61.171.63.105 [474]PASS - 530
    03:59:11 61.171.63.105 [474]USER spring 331
    03:59:14 61.171.63.105 [474]PASS - 530
    04:22:44 211.91.4.165 [475]USER anonymous 331
    04:22:44 211.91.4.165 [475]PASS anonymous@on.the.net 530
    04:22:53 211.91.4.165 [476]USER anonymous 331
    04:22:53 211.91.4.165 [476]PASS anonymous@on.the.net 530
    04:23:02 211.91.4.165 [477]USER anonymous 331
    04:23:02 211.91.4.165 [477]PASS anonymous@on.the.net 530
    04:23:09 211.91.4.165 [478]USER anonymous 331
    04:23:09 211.91.4.165 [478]PASS anonymous@on.the.net 530
    04:23:30 211.91.4.165 [479]USER anonymous 331
    04:23:30 211.91.4.165 [479]PASS anonymous@on.the.net 530
    04:25:33 211.91.4.165 [480]USER anonymous 331
    04:25:34 211.91.4.165 [480]PASS anonymous@on.the.net 530
    04:27:37 211.91.4.165 [481]USER anonymous 331
    04:27:37 211.91.4.165 [481]PASS anonymous@on.the.net 530
    05:41:28 211.161.58.206 [482]USER anonymous 331
    05:41:28 211.161.58.206 [482]PASS IEUser@ 530
    05:41:31 211.161.58.206 [483]USER anonymous 331
    05:41:31 211.161.58.206 [483]PASS IEUser@ 530
    07:05:00 218.242.34.41 [484]USER anonymous 331
    08:48:40 218.66.52.74 [486]USER anonymous 331
    08:48:40 218.66.52.74 [486]PASS guest@ 530
    08:48:51 218.66.52.74 [486]USER anonymous 331
    08:48:51 218.66.52.74 [486]PASS anonymous 530
    08:48:59 218.66.52.74 [486]USER snly 331
    08:48:59 218.66.52.74 [486]PASS - 530
    09:54:39 203.93.166.130 [488]USER anonymous 331
    09:54:40 203.93.166.130 [488]PASS IEUser@ 530
    09:54:44 203.93.166.130 [489]USER anonymous 331
    09:54:44 203.93.166.130 [489]PASS IEUser@ 530
    09:55:00 203.93.166.130 [490]USER anonymous 331
    09:55:00 203.93.166.130 [490]PASS IEUser@ 530
    11:45:42 80.136.138.179 [491]USER anonymous 331
    11:45:42 80.136.138.179 [491]PASS Qgpuser@home.com 530
    13:42:44 211.162.52.234 [493]USER anonymous 331
    13:42:45 211.162.52.234 [493]PASS guest@ 530
    14:18:24 211.144.73.202 [494]USER spring 331
    14:18:25 211.144.73.202 [494]PASS - 530
    14:18:26 211.144.73.202 [494]QUIT - 530
    14:19:11 211.144.73.202 [495]USER spring 331
    14:19:12 211.144.73.202 [495]PASS - 530
    14:19:14 211.144.73.202 [495]QUIT - 530
    14:33:35 210.52.26.158 [496]USER anonymous 331
    14:33:35 210.52.26.158 [496]PASS suyly2003@hotmail.com 530
    14:33:38 210.52.26.158 [497]USER anonymous 331
    14:33:38 210.52.26.158 [497]PASS suyly2003@hotmail.com 530
    15:38:59 218.70.48.106 [498]USER anonymous 331
    15:38:59 218.70.48.106 [498]PASS IEUser@ 530
    15:39:02 218.70.48.106 [499]USER anonymous 331
    15:39:02 218.70.48.106 [499]PASS IEUser@ 530
    16:19:05 61.152.210.129 [500]USER anonymous 331
    16:19:06 61.152.210.129 [500]PASS guest@ 530
    16:19:26 61.152.210.129 [500]USER upada 331
    16:23:23 61.152.210.129 [501]USER upload 331
    16:23:23 61.152.210.129 [501]PASS - 530
    16:23:33 61.152.210.129 [501]USER upload 331
    16:23:46 61.152.210.129 [501]PASS - 530
    16:23:58 61.152.210.129 [501]USER upload 331
    16:47:45 61.152.210.129 [502]USER upload 331
    16:47:45 61.152.210.129 [502]PASS - 530
    16:52:21 218.29.128.102 [503]USER anonymous 331
    16:52:21 218.29.128.102 [503]PASS IEUser@ 530
    16:52:24 218.29.128.102 [504]USER anonymous 331
    16:52:24 218.29.128.102 [504]PASS IEUser@ 530
    16:57:05 165.254.123.17 [505]USER anonymous 331
    16:57:05 165.254.123.17 [505]PASS anonymous@on.the.net 530
    16:58:59 165.254.123.17 [506]USER anonymous 331
    16:58:59 165.254.123.17 [506]PASS IEUser@ 530
    17:07:06 61.152.210.129 [507]USER anonymous 331
    17:07:06 61.152.210.129 [507]PASS guest@ 530
    17:07:26 61.152.210.129 [507]USER upload 331
    17:07:35 61.152.210.129 [507]PASS - 530
    17:10:38 61.152.210.129 [508]USER anonymous 331
    17:10:38 61.152.210.129 [508]PASS guest@ 530
    17:11:33 61.152.210.129 [509]USER anonymous 331
    17:11:33 61.152.210.129 [509]PASS guest@ 530
    17:20:53 202.99.168.202 [510]USER anonymous 331
    17:20:53 202.99.168.202 [510]PASS anonymous@on.the.net 530
    17:20:55 202.99.168.202 [510]QUIT - 530
    17:22:58 202.99.168.202 [511]USER anonymous 331
    17:22:58 202.99.168.202 [511]PASS anonymous@on.the.net 530
    17:22:59 202.99.168.202 [511]QUIT - 530
    17:27:12 210.83.20.99 [512]USER anonymous 331
    17:27:12 210.83.20.99 [512]PASS guest@ 530
    17:30:03 210.83.20.99 [512]USER anonymous 331
    17:30:03 210.83.20.99 [512]PASS spring163 530
    17:30:20 210.83.20.99 [512]USER anonymous 331
    17:30:20 210.83.20.99 [512]PASS anonymous 530
    19:28:59 202.102.190.174 [513]USER anonymous 331
    19:28:59 202.102.190.174 [513]PASS guest@ 530
    20:41:17 61.185.250.158 [514]USER anonymous 331
    20:41:17 61.185.250.158 [514]PASS IEUser@ 530
    20:41:19 61.185.250.158 [515]USER anonymous 331
    20:41:19 61.185.250.158 [515]PASS IEUser@ 530
    20:44:13 218.66.54.244 [516]USER upload 331
    20:44:14 218.66.54.244 [516]PASS - 530
    20:44:21 218.66.54.244 [516]USER upload 331
    20:44:22 218.66.54.244 [516]PASS - 530
    21:19:45 218.108.114.25 [520]USER anonymous 331
    21:19:45 218.108.114.25 [520]PASS IEUser@ 530
    21:19:47 218.108.114.25 [521]USER anonymous 331
    21:19:47 218.108.114.25 [521]PASS IEUser@ 530
    21:20:04 218.108.114.25 [522]USER guest 331
    21:20:04 218.108.114.25 [522]PASS - 530
    21:20:12 218.108.114.25 [523]USER anonymous 331
    21:20:12 218.108.114.25 [523]PASS IEUser@ 530
    An Ounce of Prevention is Worth a Pound of Cure...
     

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    The log file looks to me like people are out there looking for an anonymous FTP server...

    The most obvious reason why they would be looking at your server, especially if it has anonymous enabled, is to turn it into a WAREZ site...It could be possible that someone somwhere has posted your site as 'tagged' on the WAREZ lists...

    Just a thought...

    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    Originally posted here by nebulus200
    The log file looks to me like people are out there looking for an anonymous FTP server...

    The most obvious reason why they would be looking at your server, especially if it has anonymous enabled, is to turn it into a WAREZ site...It could be possible that someone somwhere has posted your site as 'tagged' on the WAREZ lists...
    Hmm... I'm not sure what you mean by tagged. Is that meaning that someone might have found something and listed my site as vulnerable?
    An Ounce of Prevention is Worth a Pound of Cure...
     

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Not vulnerable, just means that someone has found it is possible to upload files and has uploaded whatever program they were wanting to spread around and then advertised it as such...

    Just have a look under your FTP root for odd named directories/files, look for 'tagged by' etc, if that happened, you will see alot of directories that end in spaces (very hard to see from windows). Do you have anonymous FTP turned on ?
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5
    Junior Member
    Join Date
    Jun 2002
    Posts
    2
    Ok I am new in this forum does anybody know how I can post a new msg? I have view the main page of antionline.com but still couldn't find a place to post a new topic messages.

    Any help will be greatly appreciated. Thanks
    ************************
    To hack or not to hack, that is the question ...

    Julius Cracker

    ************************

  6. #6
    Senior Member
    Join Date
    Sep 2001
    Posts
    800
    go to disscusion forums on the main page. then select the forum that is closest to your question. At the top of the topics there should be a button that says post new thread.


    700 posts woohoo.
    [gloworange]\"A hacker is someone who has a passion for technology, someone who is possessed by a desire to figure out how things work.\" [/gloworange]

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Location
    Ireland
    Posts
    735
    Does the IEUser@ bit mean that they entered "ftp://<site>" in the Internet Explorer navigation bar?
    I wouldn't worry too much, unless they were trying to DoS you, this method of attack is hardly a threat...

  8. #8
    Banned
    Join Date
    Oct 2001
    Posts
    263
    i think that if someone were trying to bruitforce in there would be more random characters passwords and if ther were trying a dictionary attack they would be more sequential, if they know who you are they could be trying a specified password list of likely passwords..... do any of these passwords mean anything to you?

    also the hotmail email address....... alot of FTP servers ask for a valid email address as a password for any kind of guest account....... might wanna try that email address given to you. and to hope that hotmail dosnt filter it out with its nice little filters.....

    id say that you have no problem unless it does contiue. it also looks like there on a standard dialup connection cause the connection would be faster if they had a faster connection...... so if you start getting over 20-30 atempts per minute, id say that IF this is actualy someone trying to get in, its probly just a lamer trying out what he read in some 20 year old text file

    jethro > yes, most likely

  9. #9
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    Yea, I'm not worried, just curious to why all of a sudden all these FTP attempts have started. I started blocking the IP Addresses, just because I'm tired of seeing all the login attempts. I double checked all my web sites that I host and made sure that anonymous access is disabled. Which actually brings up another question that maybe someone could help me out with. When you create a new FTP in IIS on Windows 2000 Server anonymous access is automatically enabled. Figures....

    Does anyone know if there is a registry hack or a setting that will stop that from being automatically enabled? I don't want to take the chance of forgetting to disable it when adding new FTPs.

    Originally posted here by LoggOff
    i think that if someone were trying to bruitforce in there would be more random characters passwords and if ther were trying a dictionary attack they would be more sequential, if they know who you are they could be trying a specified password list of likely passwords..... do any of these passwords mean anything to you?

    also the hotmail email address....... alot of FTP servers ask for a valid email address as a password for any kind of guest account....... might wanna try that email address given to you. and to hope that hotmail dosnt filter it out with its nice little filters.....

    id say that you have no problem unless it does contiue. it also looks like there on a standard dialup connection cause the connection would be faster if they had a faster connection...... so if you start getting over 20-30 atempts per minute, id say that IF this is actualy someone trying to get in, its probly just a lamer trying out what he read in some 20 year old text file

    jethro > yes, most likely
    Thanks... The words they are trying mean nothing to me, and like you said the attempts aren't coming in 30 at a time so it doesn't look like it is a brute force type thing. That confuses me even more though. I mean why the hell would someone try the user name: "spring" for absolutely no reason. Very strange.

    Also... There are so many anonymous access attempts from so many different IP addresses. I am wondering where these people are getting my IP from. I thought that maybe they are just running scanners that try anonymous access on a whole IP block, but none of my other FTPs on the same block are showing any anonymous attempts.
    An Ounce of Prevention is Worth a Pound of Cure...
    &nbsp;

  10. #10
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    As for the weird usernames, you have me on that one.

    If you had the anonymous FTP on for a while, you probably drew the attention of a few WAREZ folks, as more and more people hit it and find it is no longer there anymore and is invalid, the number of those attempts will eventually go down to 0...

    Any time you setup a service, ESPECIALLY a micro$oft one (because they love to do very insecure things by default), you should have a set of procedures that you go through to ensure that the configuration is as safe and tight as you can make it. It is something that you should get into the practice of, otherwise things could be alot worse than they were this time... It won't garuntee that you aren't hacked, but it will sure as hell make it more difficult...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides