Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: what does this tell me?

  1. #1
    Junior Member
    Join Date
    Nov 2001
    Posts
    5

    Question what does this tell me?

    from the FTP log

    #Software: Microsoft Internet Information Services 5.0
    #Version: 1.0
    #Date: 2001-12-03 09:52:12
    #Fields: time c-ip cs-method cs-uri-stem sc-status
    09:52:12 64.156.38.144 [43]USER anonymous 331
    09:52:12 64.156.38.144 [43]PASS guest@here.com 230
    09:52:12 64.156.38.144 [43]MKD 970404032810p 550
    09:52:16 64.156.38.144 [43]MKD 970404032813p 550
    09:52:16 64.156.38.144 [43]MKD 970404032813p 550
    09:52:16 64.156.38.144 [43]MKD 970404032814p 550
    09:52:19 64.156.38.144 [43]MKD 970404032816p 550
    09:52:19 64.156.38.144 [43]MKD 970404032817p 550
    09:52:22 64.156.38.144 [43]MKD 970404032819p 550

    also been getting lots of Igduser@home.com attempts

    Thanks all.

    tomjoad

  2. #2
    Isn't MKD the make directory command? maybe I'm out of my mind. What is it you're looking for in the log? Did something go wrong?
    A buttered piece of bread always lands butter side down;
    A cat always lands on its feet;
    A cat with a buttered piece of bread strapped to its back hovers feet above the ground in a state of quantum indecision

  3. #3
    Junior Member
    Join Date
    Nov 2001
    Posts
    5
    that's what i've been told. The IP address is not my server, but is an IP address of a communicaitons frim. I've been told once that it's someone spoofing that IP and trying to use my server for storage - but i'm looking for a second opinion or for verification ~ I have another log from the webserver to post also that I have no idea about.


  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    681
    mkd is the command for make directory. i don't know why someone would connect to you to do that. unless they are testing your security. i mean it is possible they are trying to use u for storage... but that would be dumb since it would be a noticeable trend (hard disk space disappearing) i don't know if it is someone spoofing the ip either. if they were good enough to do that.... they would be doing more then the mkd command i think. that ip is actually the ip of a dial in port of that server.... so it appears someone is dialing in to that server and then coming to get your server.....

  5. #5
    Junior Member
    Join Date
    Nov 2001
    Posts
    5
    thanks for the insight lord_darkside_x

    why would someone from a traceable IP address be testing my security? Is that illegal? I've posted this log to that company and told them if it's them to cut the crap, but i've not heard anything.

    nothing in today's log.

  6. #6
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164

    Talking

    Why are they using a traceable IP? Because they're m@d h@xX0rs with k1ll1nG Sk1llz0Rs! Chances are, you've got some
    kid who's either A: dumb as a brick for using his parents dialup ISP (because he's too COOL to get caught), or B: using someone else's 56k bandwidth. I've never heard of any dialup account that had a static IP so that tells me that it's DHCP-assigned which tags an account (by login) with an IP for a dedicated amount of time (who knows?), although 56k tells me you're not doing much. Too bad you can't forcefeed TextQuake to his terminal! And yes, you could have his ISP shut down his account if you file a complaint about it. I have a linux server at my house and when CodeRed came out, my box underwent over 4000 attempts to install/abuse the CodeRed IIS cmd.exe. So what did I do? I went through and with a leetle-itty-bitty shell script, I canned all tcp/udp traffic with ipchains on individual rule numbers. Pro: half the planet stopped trying to fuxor my box. Con: ipchains -L takes about 10 minutes to report everything, haha...
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  7. #7
    It might have been some skript kiddie who got a spoofing proggie and wanted to try to use it. Many novices and skript kiddies try MKD as soon as they get anon access, as if they expect they will one day be able to make a directory, then he can brag to all of his friends about how he "hacked" some dork who set admin access to the guest access privs. Err.
    A buttered piece of bread always lands butter side down;
    A cat always lands on its feet;
    A cat with a buttered piece of bread strapped to its back hovers feet above the ground in a state of quantum indecision

  8. #8
    Junior Member
    Join Date
    Nov 2001
    Posts
    5
    hey how did you know i was a dork!

    thanks everyone - i'll absorb what i can and get back to lurking.

  9. #9
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    One thing you can do is tell us what you're running (or want to run) and we can give you a checklist of things to watch out for, disable, etc...I know these guys who're posting a lot know a lot of links (as opposed to me). I just happen to know common practice techniques (HEY HAXOR WANNABES, imagine that..I work with the stuff everyday and I learn about it and what do you know, I learned what to do/not do to break it!). Give a pm if you want more info or just post on here...
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    that ip address is a pointer to "dialup-64.156.38.144.Dial1.Denver1.Level3.net"
    if you want to report it:
    level Communications (is this the one you meant)
    they are assigned Netblock: 64.152.0.0 - 64.159.255.255, looks like an isp
    +1 (877) 453-8353
    they can look up who that account was assigned to on that date and time. but they didn't do anything against the law, anonymous is public access.

    as for Igduser@home.com if they have different addresses then its in a script someone wrote.

    you gotta stop allowing anonymous access.
    and as long as you allow it its not against the law for anyone to use it.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •