-
What does this tell me?
From the FTP log:
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-12-03 09:52:12
#Fields: time c-ip cs-method cs-uri-stem sc-status
09:52:12 64.156.38.144 [43]USER anonymous 331
09:52:12 64.156.38.144 [43]PASS guest@here.com 230
09:52:12 64.156.38.144 [43]MKD 970404032810p 550
09:52:16 64.156.38.144 [43]MKD 970404032813p 550
09:52:16 64.156.38.144 [43]MKD 970404032813p 550
09:52:16 64.156.38.144 [43]MKD 970404032814p 550
09:52:19 64.156.38.144 [43]MKD 970404032816p 550
09:52:19 64.156.38.144 [43]MKD 970404032817p 550
09:52:22 64.156.38.144 [43]MKD 970404032819p 550
Also been getting lots of Igduser@home.com attempts.
Thanks all.
tomjoad
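For anyone wanting to check a log like this one rather than eyeball it, here is an added example (not from the original poster) that parses the IIS 5.0 W3C extended FTP format shown above, strips the bracketed connection id IIS puts in front of the command, and counts per client IP how many MKD attempts followed an anonymous login and how many the server refused with 550. The sample is constructed from the log quoted in the post; the threshold of 3 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in IIS 5.0 W3C extended format, cut down from the log in the post above.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
09:52:12 64.156.38.144 [43]USER anonymous 331
09:52:12 64.156.38.144 [43]PASS guest@here.com 230
09:52:12 64.156.38.144 [43]MKD 970404032810p 550
09:52:16 64.156.38.144 [43]MKD 970404032813p 550
09:52:19 64.156.38.144 [43]MKD 970404032816p 550
09:52:22 64.156.38.144 [43]MKD 970404032819p 550
"""

# IIS writes the FTP command as "[<connection id>]<COMMAND>" in the cs-method column.
METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in filter(str.strip, text.splitlines()):
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data record before #Fields directive")
        rec = dict(zip(fields, line.split(None, len(fields) - 1)))
        m = METHOD_RE.match(rec.get("cs-method", ""))
        if m:
            rec["conn-id"], rec["cs-method"] = m.group(1), m.group(2)
        yield rec


def summarize(text):
    """Per client IP: login name, MKD attempts, and how many the server refused (550)."""
    stats = defaultdict(lambda: {"user": None, "mkd": 0, "mkd_refused": 0})
    for rec in parse_w3c(text):
        s = stats[rec["c-ip"]]
        if rec["cs-method"] == "USER":
            s["user"] = rec["cs-uri-stem"]
        elif rec["cs-method"] == "MKD":
            s["mkd"] += 1
            s["mkd_refused"] += rec["sc-status"] == "550"
    return dict(stats)


def flag_probes(stats, threshold=3):
    """IPs that logged in as anonymous and issued MKD at least `threshold` times (assumed cutoff)."""
    return sorted(ip for ip, s in stats.items()
                  if (s["user"] or "").lower() == "anonymous" and s["mkd"] >= threshold)
```

If every MKD shows 550, anonymous users cannot create directories on the server, so the hits are refused probes rather than successful use of the box for storage; a 257 reply to MKD is the case that would warrant worry.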
-
Isn't MKD the make directory command? maybe I'm out of my mind. What is it you're looking for in the log? Did something go wrong?
-
That's what I've been told. The IP address is not my server, but is an IP address of a communications firm. I've been told once that it's someone spoofing that IP and trying to use my server for storage, but I'm looking for a second opinion or for verification. I have another log from the webserver to post also that I have no idea about.
:confused:
-
MKD is the command for make directory. I don't know why someone would connect to you to do that, unless they are testing your security. I mean it is possible they are trying to use you for storage... but that would be dumb since it would be a noticeable trend (hard disk space disappearing). I don't know if it is someone spoofing the IP either. If they were good enough to do that.... they would be doing more than the MKD command, I think. That IP is actually the IP of a dial-in port of that server.... so it appears someone is dialing in to that server and then coming to get your server.....
-
Thanks for the insight lord_darkside_x.
Why would someone from a traceable IP address be testing my security? Is that illegal? I've posted this log to that company and told them if it's them to cut the crap, but I've not heard anything.
Nothing in today's log.
-
Why are they using a traceable IP? Because they're m@d h@xX0rs with k1ll1nG Sk1llz0Rs! Chances are, you've got some kid who's either A: dumb as a brick for using his parents' dialup ISP (because he's too COOL to get caught), or B: using someone else's 56k bandwidth. I've never heard of any dialup account that had a static IP, so that tells me that it's DHCP-assigned, which tags an account (by login) with an IP for a dedicated amount of time (who knows?), although 56k tells me you're not doing much. Too bad you can't forcefeed TextQuake to his terminal! And yes, you could have his ISP shut down his account if you file a complaint about it. I have a linux server at my house and when CodeRed came out, my box underwent over 4000 attempts to install/abuse the CodeRed IIS cmd.exe. So what did I do? I went through and with a leetle-itty-bitty shell script, I canned all tcp/udp traffic with ipchains on individual rule numbers. Pro: half the planet stopped trying to fuxor my box. Con: ipchains -L takes about 10 minutes to report everything, haha...
-
It might have been some skript kiddie who got a spoofing proggie and wanted to try to use it. Many novices and skript kiddies try MKD as soon as they get anon access, as if they expect they will one day be able to make a directory, then he can brag to all of his friends about how he "hacked" some dork who set admin access to the guest access privs. Err.
-
Hey, how did you know I was a dork! ;)
Thanks everyone - I'll absorb what I can and get back to lurking.
-
One thing you can do is tell us what you're running (or want to run) and we can give you a checklist of things to watch out for, disable, etc...I know these guys who're posting a lot know a lot of links (as opposed to me). I just happen to know common practice techniques (HEY HAXOR WANNABES, imagine that..I work with the stuff everyday and I learn about it and what do you know, I learned what to do/not do to break it!). Give a pm if you want more info or just post on here...
-
That IP address is a pointer to "dialup-64.156.38.144.Dial1.Denver1.Level3.net".
If you want to report it:
Level Communications (is this the one you meant?)
They are assigned Netblock: 64.152.0.0 - 64.159.255.255, looks like an ISP.
+1 (877) 453-8353
They can look up who that account was assigned to on that date and time, but they didn't do anything against the law; anonymous is public access.
As for Igduser@home.com, if they have different addresses then it's in a script someone wrote.
You gotta stop allowing anonymous access.
And as long as you allow it, it's not against the law for anyone to use it.