-
June 28th, 2002, 04:25 PM
#1
Weird FTP Attempts Log File
Hi All,
Today I checked the FTP log file for my web site, and I was surprised to find a lot of attempts to log in to my site's FTP. A lot of the attempts were anonymous attempts, but some were strange login names. I'm wondering why people were trying to log in with these names. This FTP is exclusive to me, and it has not been given out to anyone, so it is obviously someone or some group of people trying to attempt unauthorized access. I did some research on the IP addresses the attempts were coming from, and to my surprise they are from China. So I have come to the conclusion that this could be three things.
1) Someone who has the wrong IP Address (mine) for their FTP.
2) Someone from China trying to get into my system
3) Someone using a proxy in China to get into my system.
Can anyone shed some light on why these strange user names are being tried? Names such as:
upload
spring
lovelord
lahu@263.net
oldbird
snly
Qgpuser@home.com
suyly2003@hotmail.com
upada
I'm not really paranoid about someone getting in. I'm just wondering what is up with the weird names they try to log in with. Maybe there are some vulnerabilities for some OS's that use those login names, or maybe vulnerabilities for some FTP servers out there that use those names. I don't know. Any ideas?
Here is a copy of the Log File:
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-06-27 02:19:34
#Fields: time c-ip cs-method cs-uri-stem sc-status
02:19:34 61.171.97.103 [446]USER spring 331
02:19:34 61.171.97.103 [446]PASS - 530
02:19:34 61.171.97.103 [446]QUIT - 530
02:21:36 61.171.97.103 [447]USER spring 331
02:21:36 61.171.97.103 [447]PASS - 530
02:21:38 61.171.97.103 [447]QUIT - 530
02:23:42 61.171.97.103 [448]USER spring 331
02:23:42 61.171.97.103 [448]PASS - 530
02:23:44 61.171.97.103 [448]QUIT - 530
02:25:45 61.171.97.103 [449]USER spring 331
02:25:45 61.171.97.103 [449]PASS - 530
02:25:45 61.171.97.103 [449]QUIT - 530
02:27:48 61.171.97.103 [450]USER spring 331
02:27:48 61.171.97.103 [450]PASS - 530
02:27:49 61.171.97.103 [450]QUIT - 530
02:29:51 61.171.97.103 [451]USER spring 331
02:29:51 61.171.97.103 [451]PASS - 530
02:29:51 61.171.97.103 [451]QUIT - 530
02:31:53 61.171.97.103 [452]USER spring 331
02:31:53 61.171.97.103 [452]PASS - 530
02:31:53 61.171.97.103 [452]QUIT - 530
02:33:55 61.171.97.103 [453]USER spring 331
02:33:55 61.171.97.103 [453]PASS - 530
02:33:55 61.171.97.103 [453]QUIT - 530
02:35:57 61.171.97.103 [454]USER spring 331
02:35:57 61.171.97.103 [454]PASS - 530
02:35:57 61.171.97.103 [454]QUIT - 530
02:38:00 61.171.97.103 [455]USER spring 331
02:38:00 61.171.97.103 [455]PASS - 530
02:38:00 61.171.97.103 [455]QUIT - 530
02:40:02 61.171.97.103 [456]USER spring 331
02:40:02 61.171.97.103 [456]PASS - 530
02:40:02 61.171.97.103 [456]QUIT - 530
02:59:23 61.149.33.149 [457]USER anonymous 331
02:59:24 61.149.33.149 [457]PASS IEUser@ 530
02:59:27 61.149.33.149 [458]USER anonymous 331
02:59:28 61.149.33.149 [458]PASS IEUser@ 530
02:59:44 61.149.33.149 [459]USER anonymous 331
02:59:44 61.149.33.149 [459]PASS IEUser@ 530
02:59:55 61.149.33.149 [460]USER lovelord 331
02:59:56 61.149.33.149 [460]PASS - 530
03:07:11 211.97.182.129 [461]USER anonymous 331
03:07:11 211.97.182.129 [461]PASS lahu@263.net 530
03:07:15 211.97.182.129 [462]USER anonymous 331
03:07:15 211.97.182.129 [462]PASS lahu@263.net 530
03:07:24 211.97.182.129 [463]USER anonymous 331
03:07:28 211.97.182.129 [463]PASS lahu@263.net 530
03:07:40 211.97.182.129 [464]USER anonymous 331
03:07:40 211.97.182.129 [464]PASS lahu@263.net 530
03:08:04 211.97.182.129 [465]USER oldbird 331
03:08:04 211.97.182.129 [465]PASS - 530
03:08:14 211.97.182.129 [466]USER anonymous 331
03:08:14 211.97.182.129 [466]PASS lahu@263.net 530
03:08:37 211.97.182.129 [467]USER oldbird 331
03:08:37 211.97.182.129 [467]PASS - 530
03:09:01 61.149.33.149 [468]USER anonymous 331
03:09:02 61.149.33.149 [468]PASS IEUser@ 530
03:09:13 61.149.33.149 [469]USER upload 331
03:09:15 61.149.33.149 [469]PASS - 530
03:09:32 61.149.33.149 [470]USER upload 331
03:09:34 61.149.33.149 [470]PASS - 530
03:23:08 210.72.53.2 [471]USER anonymous 331
03:23:11 210.72.53.2 [471]PASS proxy@ 530
03:58:10 61.171.63.105 [472]USER anonymous 331
03:58:10 61.171.63.105 [472]PASS guest@ 530
03:58:35 61.171.63.105 [473]USER anonymous 331
03:58:35 61.171.63.105 [473]PASS guest@ 530
03:58:44 61.171.63.105 [473]USER spring163 331
03:58:55 61.171.63.105 [474]USER anonymous 331
03:58:55 61.171.63.105 [474]PASS guest@ 530
03:59:01 61.171.63.105 [474]USER spring 331
03:59:05 61.171.63.105 [474]PASS - 530
03:59:11 61.171.63.105 [474]USER spring 331
03:59:14 61.171.63.105 [474]PASS - 530
04:22:44 211.91.4.165 [475]USER anonymous 331
04:22:44 211.91.4.165 [475]PASS anonymous@on.the.net 530
04:22:53 211.91.4.165 [476]USER anonymous 331
04:22:53 211.91.4.165 [476]PASS anonymous@on.the.net 530
04:23:02 211.91.4.165 [477]USER anonymous 331
04:23:02 211.91.4.165 [477]PASS anonymous@on.the.net 530
04:23:09 211.91.4.165 [478]USER anonymous 331
04:23:09 211.91.4.165 [478]PASS anonymous@on.the.net 530
04:23:30 211.91.4.165 [479]USER anonymous 331
04:23:30 211.91.4.165 [479]PASS anonymous@on.the.net 530
04:25:33 211.91.4.165 [480]USER anonymous 331
04:25:34 211.91.4.165 [480]PASS anonymous@on.the.net 530
04:27:37 211.91.4.165 [481]USER anonymous 331
04:27:37 211.91.4.165 [481]PASS anonymous@on.the.net 530
05:41:28 211.161.58.206 [482]USER anonymous 331
05:41:28 211.161.58.206 [482]PASS IEUser@ 530
05:41:31 211.161.58.206 [483]USER anonymous 331
05:41:31 211.161.58.206 [483]PASS IEUser@ 530
07:05:00 218.242.34.41 [484]USER anonymous 331
08:48:40 218.66.52.74 [486]USER anonymous 331
08:48:40 218.66.52.74 [486]PASS guest@ 530
08:48:51 218.66.52.74 [486]USER anonymous 331
08:48:51 218.66.52.74 [486]PASS anonymous 530
08:48:59 218.66.52.74 [486]USER snly 331
08:48:59 218.66.52.74 [486]PASS - 530
09:54:39 203.93.166.130 [488]USER anonymous 331
09:54:40 203.93.166.130 [488]PASS IEUser@ 530
09:54:44 203.93.166.130 [489]USER anonymous 331
09:54:44 203.93.166.130 [489]PASS IEUser@ 530
09:55:00 203.93.166.130 [490]USER anonymous 331
09:55:00 203.93.166.130 [490]PASS IEUser@ 530
11:45:42 80.136.138.179 [491]USER anonymous 331
11:45:42 80.136.138.179 [491]PASS Qgpuser@home.com 530
13:42:44 211.162.52.234 [493]USER anonymous 331
13:42:45 211.162.52.234 [493]PASS guest@ 530
14:18:24 211.144.73.202 [494]USER spring 331
14:18:25 211.144.73.202 [494]PASS - 530
14:18:26 211.144.73.202 [494]QUIT - 530
14:19:11 211.144.73.202 [495]USER spring 331
14:19:12 211.144.73.202 [495]PASS - 530
14:19:14 211.144.73.202 [495]QUIT - 530
14:33:35 210.52.26.158 [496]USER anonymous 331
14:33:35 210.52.26.158 [496]PASS suyly2003@hotmail.com 530
14:33:38 210.52.26.158 [497]USER anonymous 331
14:33:38 210.52.26.158 [497]PASS suyly2003@hotmail.com 530
15:38:59 218.70.48.106 [498]USER anonymous 331
15:38:59 218.70.48.106 [498]PASS IEUser@ 530
15:39:02 218.70.48.106 [499]USER anonymous 331
15:39:02 218.70.48.106 [499]PASS IEUser@ 530
16:19:05 61.152.210.129 [500]USER anonymous 331
16:19:06 61.152.210.129 [500]PASS guest@ 530
16:19:26 61.152.210.129 [500]USER upada 331
16:23:23 61.152.210.129 [501]USER upload 331
16:23:23 61.152.210.129 [501]PASS - 530
16:23:33 61.152.210.129 [501]USER upload 331
16:23:46 61.152.210.129 [501]PASS - 530
16:23:58 61.152.210.129 [501]USER upload 331
16:47:45 61.152.210.129 [502]USER upload 331
16:47:45 61.152.210.129 [502]PASS - 530
16:52:21 218.29.128.102 [503]USER anonymous 331
16:52:21 218.29.128.102 [503]PASS IEUser@ 530
16:52:24 218.29.128.102 [504]USER anonymous 331
16:52:24 218.29.128.102 [504]PASS IEUser@ 530
16:57:05 165.254.123.17 [505]USER anonymous 331
16:57:05 165.254.123.17 [505]PASS anonymous@on.the.net 530
16:58:59 165.254.123.17 [506]USER anonymous 331
16:58:59 165.254.123.17 [506]PASS IEUser@ 530
17:07:06 61.152.210.129 [507]USER anonymous 331
17:07:06 61.152.210.129 [507]PASS guest@ 530
17:07:26 61.152.210.129 [507]USER upload 331
17:07:35 61.152.210.129 [507]PASS - 530
17:10:38 61.152.210.129 [508]USER anonymous 331
17:10:38 61.152.210.129 [508]PASS guest@ 530
17:11:33 61.152.210.129 [509]USER anonymous 331
17:11:33 61.152.210.129 [509]PASS guest@ 530
17:20:53 202.99.168.202 [510]USER anonymous 331
17:20:53 202.99.168.202 [510]PASS anonymous@on.the.net 530
17:20:55 202.99.168.202 [510]QUIT - 530
17:22:58 202.99.168.202 [511]USER anonymous 331
17:22:58 202.99.168.202 [511]PASS anonymous@on.the.net 530
17:22:59 202.99.168.202 [511]QUIT - 530
17:27:12 210.83.20.99 [512]USER anonymous 331
17:27:12 210.83.20.99 [512]PASS guest@ 530
17:30:03 210.83.20.99 [512]USER anonymous 331
17:30:03 210.83.20.99 [512]PASS spring163 530
17:30:20 210.83.20.99 [512]USER anonymous 331
17:30:20 210.83.20.99 [512]PASS anonymous 530
19:28:59 202.102.190.174 [513]USER anonymous 331
19:28:59 202.102.190.174 [513]PASS guest@ 530
20:41:17 61.185.250.158 [514]USER anonymous 331
20:41:17 61.185.250.158 [514]PASS IEUser@ 530
20:41:19 61.185.250.158 [515]USER anonymous 331
20:41:19 61.185.250.158 [515]PASS IEUser@ 530
20:44:13 218.66.54.244 [516]USER upload 331
20:44:14 218.66.54.244 [516]PASS - 530
20:44:21 218.66.54.244 [516]USER upload 331
20:44:22 218.66.54.244 [516]PASS - 530
21:19:45 218.108.114.25 [520]USER anonymous 331
21:19:45 218.108.114.25 [520]PASS IEUser@ 530
21:19:47 218.108.114.25 [521]USER anonymous 331
21:19:47 218.108.114.25 [521]PASS IEUser@ 530
21:20:04 218.108.114.25 [522]USER guest 331
21:20:04 218.108.114.25 [522]PASS - 530
21:20:12 218.108.114.25 [523]USER anonymous 331
21:20:12 218.108.114.25 [523]PASS IEUser@ 530
An Ounce of Prevention is Worth a Pound of Cure...
-
June 28th, 2002, 04:30 PM
#2
The log file looks to me like people are out there looking for an anonymous FTP server...
The most obvious reason why they would be looking at your server, especially if it has anonymous enabled, is to turn it into a WAREZ site... It could be possible that someone somewhere has posted your site as 'tagged' on the WAREZ lists...
Just a thought...
Neb
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
June 28th, 2002, 04:32 PM
#3
Originally posted here by nebulus200
The log file looks to me like people are out there looking for an anonymous FTP server...
The most obvious reason why they would be looking at your server, especially if it has anonymous enabled, is to turn it into a WAREZ site... It could be possible that someone somewhere has posted your site as 'tagged' on the WAREZ lists...
Hmm... I'm not sure what you mean by tagged. Is that meaning that someone might have found something and listed my site as vulnerable?
-
June 28th, 2002, 04:41 PM
#4
Not vulnerable, just means that someone has found it is possible to upload files and has uploaded whatever program they were wanting to spread around and then advertised it as such...
Just have a look under your FTP root for oddly named directories/files, look for 'tagged by' etc. If that happened, you will see a lot of directories that end in spaces (very hard to see from Windows). Do you have anonymous FTP turned on?
-
June 28th, 2002, 04:49 PM
#5
Junior Member
OK, I am new in this forum. Does anybody know how I can post a new message? I have viewed the main page of antionline.com but still couldn't find a place to post a new topic message.
Any help will be greatly appreciated. Thanks
************************
To hack or not to hack, that is the question ...
Julius Cracker
************************
-
June 28th, 2002, 06:20 PM
#6
Go to discussion forums on the main page, then select the forum that is closest to your question. At the top of the topics there should be a button that says post new thread.
700 posts woohoo.
"A hacker is someone who has a passion for technology, someone who is possessed by a desire to figure out how things work."
-
June 28th, 2002, 06:36 PM
#7
Does the IEUser@ bit mean that they entered "ftp://<site>" in the Internet Explorer navigation bar?
I wouldn't worry too much, unless they were trying to DoS you, this method of attack is hardly a threat...
-
June 28th, 2002, 06:48 PM
#8
Banned
I think that if someone were trying to brute-force in, there would be more random-character passwords, and if they were trying a dictionary attack they would be more sequential. If they know who you are they could be trying a specified password list of likely passwords..... Do any of these passwords mean anything to you?
Also the Hotmail email address....... A lot of FTP servers ask for a valid email address as a password for any kind of guest account....... Might wanna try that email address given to you, and hope that Hotmail doesn't filter it out with its nice little filters.....
I'd say that you have no problem unless it does continue. It also looks like they're on a standard dialup connection, 'cause the connection would be faster if they had a faster connection...... So if you start getting over 20-30 attempts per minute, I'd say that IF this is actually someone trying to get in, it's probably just a lamer trying out what he read in some 20 year old text file.
jethro > yes, most likely
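The log review discussed in this thread, as an added example that is not part of any post: it parses the IIS FTP log format shown in post #1 and reports, per client IP, the failed logins, the user names tried, the anonymous "passwords" sent, and the peak number of failures in one minute, with the 20-per-minute figure from the post above as the default alert threshold. The sample is an excerpt of the posted log; the function and field names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Excerpt copied from the log in post #1 (IIS 5.0 FTP, W3C extended format).
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
02:19:34 61.171.97.103 [446]USER spring 331
02:19:34 61.171.97.103 [446]PASS - 530
02:19:34 61.171.97.103 [446]QUIT - 530
02:21:36 61.171.97.103 [447]USER spring 331
02:21:36 61.171.97.103 [447]PASS - 530
02:59:23 61.149.33.149 [457]USER anonymous 331
02:59:24 61.149.33.149 [457]PASS IEUser@ 530
02:59:44 61.149.33.149 [459]USER anonymous 331
02:59:44 61.149.33.149 [459]PASS IEUser@ 530
02:59:55 61.149.33.149 [460]USER lovelord 331
02:59:56 61.149.33.149 [460]PASS - 530
"""

# cs-method is "[session]COMMAND"; cs-uri-stem is the command argument.
LINE_RE = re.compile(r"^(\d\d:\d\d):\d\d (\S+) \[(\d+)\](\w+) (\S+) (\d{3})$")

def summarize(log_text, per_minute_alert=20):
    """Group failed logins (PASS answered with 530) by client IP."""
    last_user = {}  # (ip, session) -> most recent USER argument
    stats = defaultdict(lambda: {"users": set(), "anon_passwords": set(),
                                 "per_minute": defaultdict(int)})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:               # "#" header lines and anything malformed
            continue
        minute, ip, session, cmd, arg, status = m.groups()
        if cmd == "USER":
            last_user[(ip, session)] = arg
        elif cmd == "PASS" and status == "530":
            user = last_user.get((ip, session), "?")
            entry = stats[ip]
            entry["users"].add(user)
            entry["per_minute"][minute] += 1
            # In the posted log the anonymous password is recorded, while
            # named-account passwords appear as "-".
            if user.lower() == "anonymous" and arg != "-":
                entry["anon_passwords"].add(arg)
    result = {}
    for ip, e in stats.items():
        peak = max(e["per_minute"].values())
        result[ip] = {"failed": sum(e["per_minute"].values()), "peak_per_minute": peak,
                      "alert": peak >= per_minute_alert, "users": sorted(e["users"]),
                      "anon_passwords": sorted(e["anon_passwords"])}
    return result

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```
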
-
June 28th, 2002, 07:02 PM
#9
Yea, I'm not worried, just curious to why all of a sudden all these FTP attempts have started. I started blocking the IP Addresses, just because I'm tired of seeing all the login attempts. I double checked all my web sites that I host and made sure that anonymous access is disabled. Which actually brings up another question that maybe someone could help me out with. When you create a new FTP in IIS on Windows 2000 Server anonymous access is automatically enabled. Figures....
Does anyone know if there is a registry hack or a setting that will stop that from being automatically enabled? I don't want to take the chance of forgetting to disable it when adding new FTPs.
Originally posted here by LoggOff
I think that if someone were trying to brute-force in, there would be more random-character passwords, and if they were trying a dictionary attack they would be more sequential. If they know who you are they could be trying a specified password list of likely passwords..... Do any of these passwords mean anything to you?
Also the Hotmail email address....... A lot of FTP servers ask for a valid email address as a password for any kind of guest account....... Might wanna try that email address given to you, and hope that Hotmail doesn't filter it out with its nice little filters.....
I'd say that you have no problem unless it does continue. It also looks like they're on a standard dialup connection, 'cause the connection would be faster if they had a faster connection...... So if you start getting over 20-30 attempts per minute, I'd say that IF this is actually someone trying to get in, it's probably just a lamer trying out what he read in some 20 year old text file.
jethro > yes, most likely
Thanks... The words they are trying mean nothing to me, and like you said the attempts aren't coming in 30 at a time so it doesn't look like it is a brute force type thing. That confuses me even more though. I mean why the hell would someone try the user name: "spring" for absolutely no reason. Very strange.
Also... There are so many anonymous access attempts from so many different IP addresses. I am wondering where these people are getting my IP from. I thought that maybe they are just running scanners that try anonymous access on a whole IP block, but none of my other FTPs on the same block are showing any anonymous attempts.
-
June 28th, 2002, 07:20 PM
#10
As for the weird usernames, you have me on that one.
If you had the anonymous FTP on for a while, you probably drew the attention of a few WAREZ folks, as more and more people hit it and find it is no longer there anymore and is invalid, the number of those attempts will eventually go down to 0...
Any time you set up a service, ESPECIALLY a micro$oft one (because they love to do very insecure things by default), you should have a set of procedures that you go through to ensure that the configuration is as safe and tight as you can make it. It is something that you should get into the practice of, otherwise things could be a lot worse than they were this time... It won't guarantee that you aren't hacked, but it will sure as hell make it more difficult...