Network Security Incidents

Re: Strange FTP logs

Subject: Re: Strange FTP logs
Date: Mon, 01 Nov 2004 20:04:35 +0000
Hi Rob,

What OS version and version of Pure-FTP are you using, and have you
checked for any other signs of entry? There may have been a
vulnerability in one of them, and it may have led to some other system
compromise? I don't mean to alarm you at all, but it's worth digging
around on Bugtraq.

xyberpix


On Sun, 2004-10-31 at 12:20, Rob klein Gunnewiek wrote:
Hello,

A while ago I checked my logs, which I do now a lot more often than
before. Anyways, I found very suspicious log entries. I use pure-ftpd,
which is rather secure, and I had created an account "pgo" in about
February 2004, which was used for my school project group to store
project documents. Now, I'm not new to security at all; I use very
strong passwords, so I think we can easily rule out that "pgo"'s
password had been guessed (found no signs of brute force in the logs
as well).

Well.. the pgo account hadn't been used anymore for about a month, and
then I saw that there were logins from over 50 different IP addresses
from all over the world (logs are appended). I put a lot of effort into
tracing them back; most were open proxies, some seem to be rather
secure hosts that didn't seem to be used as open proxies.

I first expected this to be just some warez group and that somehow
school computers were backdoored by someone of them, but the logs are
very strange. I kept the account open to see what they would do, but
they didn't come back.. although there was no reason they shouldn't.

I'll show you the log here; note the strange behavior these clients
show. I removed many log lines that were less interesting, as there are
304 log lines:

---
Oct  3 15:03:48 www pure-ftpd:
(?@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] pgo is now
logged in
Oct  3 15:04:10 www pure-ftpd:
(pgo@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] Logout.
Oct  3 15:04:13 www pure-ftpd:
(?@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] pgo is now
logged in
Oct  3 15:04:39 www pure-ftpd:
(pgo@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] Logout.
Oct  3 15:04:42 www pure-ftpd:
(?@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] pgo is now
logged in
Oct  3 15:04:51 www pure-ftpd:
(pgo@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] Logout.
Oct  3 15:05:15 www pure-ftpd:
(?@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] pgo is now
logged in
Oct  3 15:05:37 www pure-ftpd:
(pgo@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] Logout.
----

The above IP continues to login and logout without
uploading/downloading anything

----
Oct  3 15:23:21 www pure-ftpd: (?@wc-142.r-195-85-157.essentkabel.com)
[INFO] pgo is now logged in
Oct  3 15:23:53 www pure-ftpd:
(pgo@wc-142.r-195-85-157.essentkabel.com) [NOTICE]
/home/users/pgo/public_html//2004-2005/filelist.html downloaded  (4123
bytes, 2574.54KB/sec)
Oct  3 15:26:02 www pure-ftpd:
(pgo@wc-142.r-195-85-157.essentkabel.com) [NOTICE]
/home/users/pgo/public_html//cw.txt uploaded
  (211 bytes, 5.41KB/sec)
Oct  3 15:26:05 www pure-ftpd:
(pgo@wc-142.r-195-85-157.essentkabel.com) [NOTICE] Deleted cw.txt
Oct  3 15:29:03 www pure-ftpd:
(pgo@wc-142.r-195-85-157.essentkabel.com) [INFO] Logout.
----

I tried to recover this cw.txt, but I failed here.. I made an image with
dd and tried to find anything unusual, but no.. I think it's just to
check if he could write; that could explain the name "cw.txt" (check
writable?).

----
Oct  3 15:51:41 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it)
[WARNING] Authentication failed for user [pgo]
Oct  3 15:52:04 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it)
[INFO] pgo is now logged in
Oct  3 15:52:17 www pure-ftpd:
(pgo@host43-91.pool8252.interbusiness.it) [INFO] Logout.
----

The above tells me this is not some automated program, because it
wouldn't fail typing the right password..

----
Oct  3 15:52:28 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it)
[INFO] pgo is now logged in
Oct  3 15:52:58 www pure-ftpd:
(pgo@host43-91.pool8252.interbusiness.it) [INFO] Logout.
Oct  3 15:53:09 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it)
[INFO] pgo is now logged in
Oct  3 15:53:11 www pure-ftpd:
(pgo@host43-91.pool8252.interbusiness.it) [INFO] Logout.
Oct  3 15:53:24 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it)
[INFO] pgo is now logged in
Oct  3 15:53:27 www pure-ftpd:
(pgo@host43-91.pool8252.interbusiness.it) [INFO] Logout.
Oct  3 15:53:38 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it)
[INFO] pgo is now logged in
Oct  3 15:55:29 www pure-ftpd:
(pgo@host43-91.pool8252.interbusiness.it) [INFO] Logout.
----

The above IP continues logging in and out...

----
Oct  3 16:23:26 www pure-ftpd: (?@a81-84-79-26.netcabo.pt) [INFO] pgo
is now logged in
Oct  3 16:24:50 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO] Logout.
Oct  3 16:44:09 www pure-ftpd: (?@a81-84-79-26.netcabo.pt) [INFO] pgo
is now logged in
Oct  3 16:44:42 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [NOTICE]
/home/users/pgo/public_html//phpBB-2.0.10.tar.bz2 downloaded  (453378
bytes, 22.65KB/sec)
Oct  3 16:45:09 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO]
Can't change directory to .tmp: No such file or directory
Oct  3 16:45:12 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO]
Can't change directory to .tmp: No such file or directory
Oct  3 16:45:16 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO]
Can't change directory to 15:28: No such file or directory
Oct  3 16:45:19 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO]
Can't change directory to 15:28: No such file or directory
Oct  3 16:46:45 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO] Logout.
----

The above I think is really strange.. could be some newbie having
trouble controlling an open proxy of course... Btw.. the directories "
.tmp" and "   " were created before... nothing in there. What is also
strange is that ".tmp" you would use to hide it or something; why
create " .tmp"? Probably to make it ""hard"" to remove or something..
strange.

----
Oct  3 16:53:26 www pure-ftpd: (?@SHASTA081209.ig.com.br) [INFO] pgo
is now logged in
Oct  3 16:56:23 www pure-ftpd: (pgo@SHASTA081209.ig.com.br) [INFO] Logout.
Oct  3 16:56:25 www pure-ftpd: (?@SHASTA081209.ig.com.br) [INFO] pgo
is now logged in
Oct  3 16:56:26 www pure-ftpd: (pgo@SHASTA081209.ig.com.br) [INFO] Logout.
Oct  3 16:57:52 www pure-ftpd: (?@SHASTA081209.ig.com.br) [INFO] pgo
is now logged in
Oct  3 16:57:52 www pure-ftpd: (pgo@SHASTA081209.ig.com.br) [INFO] Logout.
Oct  3 17:05:36 www pure-ftpd: (?@161.139.66.1) [INFO] pgo is now logged in
Oct  3 17:22:15 www pure-ftpd: (pgo@161.139.66.1) [INFO] Logout.
Oct  3 17:42:52 www pure-ftpd: (?@pD9FAD6AD.dip.t-dialin.net) [INFO]
pgo is now logged in
Oct  3 17:45:55 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO] Logout.
Oct  3 17:59:19 www pure-ftpd: (?@pD9FAD6AD.dip.t-dialin.net) [INFO]
pgo is now logged in
Oct  3 17:59:28 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO]
Can't change directory to 15:28: No such file or directory
Oct  3 17:59:28 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO]
Can't change directory to 15:28: No such file or directory
Oct  3 17:59:28 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO]
Can't change directory to 15:28: No such file or directory
Oct  3 17:59:29 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO]
Can't change directory to 15:28: No such file or directory
Oct  3 17:59:29 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO]
Can't change directory to /15:28: No such file or directory
Oct  3 17:59:30 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO]
Can't change directory to /15:28: No such file or directory
Oct  3 17:59:39 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO] Logout.
----

Again strange behavior.. probably typos as well.

----
Oct  3 18:09:34 www pure-ftpd: (?@83.100.132.94) [INFO] pgo is now logged in
Oct  3 18:10:08 www pure-ftpd: (pgo@83.100.132.94) [INFO] Logout.
Oct  3 18:18:41 www pure-ftpd: (?@ti400720a080-3071.bb.online.no)
[INFO] pgo is now logged in
Oct  3 18:21:02 www pure-ftpd: (pgo@ti400720a080-3071.bb.online.no)
[INFO] Logout.
Oct  3 18:31:11 www pure-ftpd: (?@tony04-58-98.inter.net.il) [INFO]
pgo is now logged in
Oct  3 18:31:26 www pure-ftpd: (pgo@tony04-58-98.inter.net.il)
[NOTICE] Deleted phpBB-2.0.10.tar.bz2
----

How rude, deleting my board package! Wasn't used anymore anyway so..
It continues...

----
Oct  3 18:31:29 www pure-ftpd: (pgo@tony04-58-98.inter.net.il) [INFO]
Can't change directory to .tmp: No such file or directory
Oct  3 18:31:42 www pure-ftpd: (pgo@tony04-58-98.inter.net.il) [INFO]
Transfer aborted
Oct  3 18:33:11 www pure-ftpd: (pgo@tony04-58-98.inter.net.il) [INFO]
Timeout (no new data for 900 seconds)
Oct  3 18:33:15 www pure-ftpd: (?@tony04-58-98.inter.net.il) [INFO]
pgo is now logged in
Oct  3 18:33:47 www pure-ftpd: (pgo@tony04-58-98.inter.net.il) [INFO] Logout.
----

----
Oct  3 18:35:09 www pure-ftpd: (?@rr3-c-31-1.lnet.lut.fi) [INFO] pgo
is now logged in
Oct  3 18:35:16 www pure-ftpd: (pgo@rr3-c-31-1.lnet.lut.fi) [INFO]
Can't change directory to 15:28: No such file or directory
Oct  3 18:35:31 www pure-ftpd: (?@UBR-cpe-1.nat-pool.nsad.sbb.co.yu)
[INFO] pgo is now logged in
Oct  3 18:35:44 www pure-ftpd: (pgo@UBR-cpe-1.nat-pool.nsad.sbb.co.yu)
[INFO] Can't change directory to .tmp: No such file ordirectory
Oct  3 18:35:46 www pure-ftpd: (pgo@UBR-cpe-1.nat-pool.nsad.sbb.co.yu)
[INFO] Can't change directory to 15:28   : No such file or directory
Oct  3 18:35:49 www pure-ftpd: (pgo@rr3-c-31-1.lnet.lut.fi) [INFO] Logout.
----

Well, I'll skip all those ".tmp" messages.. all these fools seem to
miss that it should be " .tmp". Maybe I should explain that this "
.tmp" was also created by these account crackers.

----
Oct  3 23:48:56 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk)
[WARNING] Authentication failed for user [pgo]
Oct  3 23:49:00 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk)
[WARNING] Authentication failed for user [pgo]
Oct  3 23:49:41 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk)
[WARNING] Authentication failed for user [pgo]
Oct  3 23:49:45 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk)
[WARNING] Authentication failed for user [pgo]
Oct  3 23:49:49 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk)
[WARNING] Authentication failed for user [pgo]
Oct  3 23:49:52 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk)
[WARNING] Authentication failed for user [pgo]
Oct  3 23:49:56 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk)
[WARNING] Authentication failed for user [pgo]
Oct  3 23:50:00 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk)
[WARNING] Authentication failed for user [pgo]
Oct  3 23:55:54 www pure-ftpd:
(?@host81-157-252-251.range81-157.btcentralplus.com) [INFO] pgo is now
logged in
Oct  3 23:55:56 www pure-ftpd:
(pgo@host81-157-252-251.range81-157.btcentralplus.com) [INFO] Can't
change directory to .tmp: No such file or directory
Oct  3 23:56:16 www pure-ftpd:
(pgo@host81-157-252-251.range81-157.btcentralplus.com) [INFO] Logout.
----

Well, told yah; hard to type password..

----
Oct  4 00:58:06 www pure-ftpd: (?@213-132-213-18.adsl.nlhosting.nl)
[INFO] pgo is now logged in
Oct  4 00:58:14 www pure-ftpd: (pgo@213-132-213-18.adsl.nlhosting.nl)
[INFO] Can't change directory to 15:28: No such file or
directory
Oct  4 00:58:53 www pure-ftpd: (pgo@213-132-213-18.adsl.nlhosting.nl)
[INFO] Logout.
----

The above doesn't look like an open proxy to me.. strange.

----
Oct  4 01:20:02 www pure-ftpd: (?@pD9EB995F.dip0.t-ipconnect.de)
[INFO] pgo is now logged in
Oct  4 01:20:03 www pure-ftpd: (pgo@pD9EB995F.dip0.t-ipconnect.de)
[INFO] Can't change directory to / 21: No such file or directory
Oct  4 01:20:06 www pure-ftpd: (pgo@pD9EB995F.dip0.t-ipconnect.de)
[INFO] Can't change directory to .tmp: No such file or directory
----

The above goes on trying to fetch '.tmp' .. fails. But this time you
see directory "/ 21" weird..

----
Oct  4 14:35:17 www pure-ftpd: (?@p50812301.dip0.t-ipconnect.de)
[INFO] pgo is now logged in
Oct  4 14:35:22 www pure-ftpd: (pgo@p50812301.dip0.t-ipconnect.de)
[INFO] Can't change directory to ./.tmp. / /: No such file or
directory
Oct  4 14:36:44 www pure-ftpd: (pgo@p50812301.dip0.t-ipconnect.de)
[INFO] Logout.
----

So, I think it's very strange. I don't understand how they got the
password of this account, which really is hard (8 chars, random letters
and numbers). They could have sniffed it of course, but why log in from
so many IP addresses and do absolutely nothing? I still have this
account working; it's about 2 weeks ago that I found out.. I want to
find out the purpose and cause and who did this. Any ideas?
-- 
For Security and Open Source news:
http://xyberpix.demon.co.uk

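The pattern Rob reads off his logs by hand (one account, dozens of source hosts, sessions that log in and out without transferring anything, failed authentications, failed cd attempts) can be pulled out of pure-ftpd syslog records mechanically. The following is an added example, not code from the thread or from pure-ftpd; it assumes the record shape quoted above (one record per line) and uses constructed sample lines with made-up hostnames.

```python
import re
from collections import defaultdict

# Shape of the pure-ftpd syslog records quoted in the thread, one record per line:
#   "Oct  3 15:03:48 www pure-ftpd: (user@host) [LEVEL] message"
LINE_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ pure-ftpd: "
                     r"\((?P<user>[^@]*)@(?P<host>[^)]*)\) \[\w+\] (?P<msg>.*)$")
LOGIN_RE = re.compile(r"^(\S+) is now logged in$")
AUTHFAIL_RE = re.compile(r"^Authentication failed for user \[([^\]]+)\]$")
CDFAIL_RE = re.compile(r"^Can't change directory to .*: No such file or directory$")
XFER_RE = re.compile(r"^\S+ (uploaded|downloaded)\s+\(\d+ bytes")

def summarize(lines, account):
    """Per-source-host counters for one account: logins, auth failures, transfers, failed cds."""
    hosts = defaultdict(lambda: {"logins": 0, "auth_fail": 0, "transfers": 0, "cd_fail": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                    # not a pure-ftpd record
        user, host, msg = m["user"], m["host"], m["msg"]
        login, fail = LOGIN_RE.match(msg), AUTHFAIL_RE.match(msg)
        if login and login[1] == account:               # pre-auth records carry user "?"
            hosts[host]["logins"] += 1
        elif fail and fail[1] == account:
            hosts[host]["auth_fail"] += 1
        elif user == account and CDFAIL_RE.match(msg):  # post-auth records carry the account
            hosts[host]["cd_fail"] += 1
        elif user == account and XFER_RE.match(msg):
            hosts[host]["transfers"] += 1
    return dict(hosts)

def assess(summary, max_hosts=5):
    """Flag the shared-credential pattern: many source hosts, most of them never transferring."""
    active = [h for h, s in summary.items() if s["logins"]]
    idle = [h for h in active if summary[h]["transfers"] == 0]
    return {"distinct_hosts": len(active), "idle_hosts": len(idle),
            "suspicious": len(active) > max_hosts}

# Constructed sample records in the same format (hostnames are made up).
SAMPLE = [
    "Oct  3 15:03:48 www pure-ftpd: (?@proxy-a.example.net) [INFO] pgo is now logged in",
    "Oct  3 15:23:21 www pure-ftpd: (?@proxy-b.example.net) [INFO] pgo is now logged in",
    "Oct  3 15:26:02 www pure-ftpd: (pgo@proxy-b.example.net) [NOTICE] /home/users/pgo/public_html//cw.txt uploaded  (211 bytes, 5.41KB/sec)",
    "Oct  3 15:51:41 www pure-ftpd: (?@proxy-c.example.net) [WARNING] Authentication failed for user [pgo]",
    "Oct  3 15:52:04 www pure-ftpd: (?@proxy-c.example.net) [INFO] pgo is now logged in",
    "Oct  3 16:45:09 www pure-ftpd: (pgo@proxy-c.example.net) [INFO] Can't change directory to .tmp: No such file or directory",
    "Oct  3 17:05:36 www pure-ftpd: (?@proxy-d.example.net) [INFO] pgo is now logged in",
    "Oct  3 18:09:34 www pure-ftpd: (?@proxy-e.example.net) [INFO] pgo is now logged in",
    "Oct  3 18:18:41 www pure-ftpd: (?@proxy-f.example.net) [INFO] pgo is now logged in",
    "Oct  3 18:20:00 www pure-ftpd: (?@proxy-f.example.net) [INFO] other is now logged in",
]
```

Run `assess(summarize(SAMPLE, "pgo"))` to get the per-account verdict; the threshold `max_hosts` is a tunable, and a real run would also compare each host against the account's known users, which is the check that would have caught this account weeks earlier.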
