Security Incidents mailing list archives

RE: Strange FTP logs


From: "Jobe Bittman" <Jobe.Bittman () mitchell com>
Date: Mon, 1 Nov 2004 08:31:10 -0800

Rob-

You answered your own question. The only possible answer is that they sniffed
your password. If you are using FTP across the internet from untrusted
networks, it's not unlikely this will happen. If you must use FTP, use
it on your internal network only or use read-only accounts. From the outside
world, use sftp or scp.


-----Original Message-----
From: Rob klein Gunnewiek [mailto:rob.kleingunnewiek () gmail com] 
Sent: Sunday, October 31, 2004 4:20 AM
To: incidents () securityfocus com
Subject: Strange FTP logs


Hello,

A while ago I checked my logs, which I do a lot more often now than
before. Anyway, I found very suspicious log entries. I use pure-ftpd,
which is rather secure, and I had created an account "pgo" in about
February 2004, which was used by my school project group to store
project documents. Now, I'm not new to security at all; I use very
strong passwords, so I think we can easily rule out that "pgo"'s password
had been guessed (I found no signs of brute-force in the logs as well).

Well.. the pgo account hadn't been used for about a month, and then
I saw that there were logins from over 50 different IP addresses from
all over the world (logs are appended). I put a lot of effort into
tracing them back; most were open proxies, some seem to be rather secure
hosts that didn't seem to be used as open proxies.

I first expected this to be just some warez group and that somehow
school computers were backdoored by one of them, but the logs are
very strange. I kept the account open to see what they would do, but
they didn't come back.. although there was no reason they shouldn't.

I show you the log here; note the strange behavior these clients
show. I removed many log lines that were less interesting, as there are 304
log lines:

---
Oct  3 15:03:48 www pure-ftpd: (?@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] pgo is now logged in
Oct  3 15:04:10 www pure-ftpd: (pgo@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] Logout.
Oct  3 15:04:13 www pure-ftpd: (?@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] pgo is now logged in
Oct  3 15:04:39 www pure-ftpd: (pgo@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] Logout.
Oct  3 15:04:42 www pure-ftpd: (?@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] pgo is now logged in
Oct  3 15:04:51 www pure-ftpd: (pgo@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] Logout.
Oct  3 15:05:15 www pure-ftpd: (?@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] pgo is now logged in
Oct  3 15:05:37 www pure-ftpd: (pgo@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] Logout.
----

The above IP continues to log in and out without uploading/downloading
anything.

----
Oct  3 15:23:21 www pure-ftpd: (?@wc-142.r-195-85-157.essentkabel.com) [INFO] pgo is now logged in
Oct  3 15:23:53 www pure-ftpd: (pgo@wc-142.r-195-85-157.essentkabel.com) [NOTICE] /home/users/pgo/public_html//2004-2005/filelist.html downloaded  (4123 bytes, 2574.54KB/sec)
Oct  3 15:26:02 www pure-ftpd: (pgo@wc-142.r-195-85-157.essentkabel.com) [NOTICE] /home/users/pgo/public_html//cw.txt uploaded  (211 bytes, 5.41KB/sec)
Oct  3 15:26:05 www pure-ftpd: (pgo@wc-142.r-195-85-157.essentkabel.com) [NOTICE] Deleted cw.txt
Oct  3 15:29:03 www pure-ftpd: (pgo@wc-142.r-195-85-157.essentkabel.com) [INFO] Logout.
----

I tried to recover this cw.txt, but I failed here.. made an image with
dd and tried to find anything unusual, but no.. I think it's just to
check if he could write; that could explain the name "cw.txt" (check
writable?).

----
Oct  3 15:51:41 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it) [WARNING] Authentication failed for user [pgo]
Oct  3 15:52:04 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it) [INFO] pgo is now logged in
Oct  3 15:52:17 www pure-ftpd: (pgo@host43-91.pool8252.interbusiness.it) [INFO] Logout.
----

The above tells me this is not some automated program, because it wouldn't
fail typing the right password..

----
Oct  3 15:52:28 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it) [INFO] pgo is now logged in
Oct  3 15:52:58 www pure-ftpd: (pgo@host43-91.pool8252.interbusiness.it) [INFO] Logout.
Oct  3 15:53:09 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it) [INFO] pgo is now logged in
Oct  3 15:53:11 www pure-ftpd: (pgo@host43-91.pool8252.interbusiness.it) [INFO] Logout.
Oct  3 15:53:24 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it) [INFO] pgo is now logged in
Oct  3 15:53:27 www pure-ftpd: (pgo@host43-91.pool8252.interbusiness.it) [INFO] Logout.
Oct  3 15:53:38 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it) [INFO] pgo is now logged in
Oct  3 15:55:29 www pure-ftpd: (pgo@host43-91.pool8252.interbusiness.it) [INFO] Logout.
----

The above IP continues logging in and out...

----
Oct  3 16:23:26 www pure-ftpd: (?@a81-84-79-26.netcabo.pt) [INFO] pgo is now logged in
Oct  3 16:24:50 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO] Logout.
Oct  3 16:44:09 www pure-ftpd: (?@a81-84-79-26.netcabo.pt) [INFO] pgo is now logged in
Oct  3 16:44:42 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [NOTICE] /home/users/pgo/public_html//phpBB-2.0.10.tar.bz2 downloaded  (453378 bytes, 22.65KB/sec)
Oct  3 16:45:09 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO] Can't change directory to .tmp: No such file or directory
Oct  3 16:45:12 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO] Can't change directory to .tmp: No such file or directory
Oct  3 16:45:16 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO] Can't change directory to 15:28: No such file or directory
Oct  3 16:45:19 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO] Can't change directory to 15:28: No such file or directory
Oct  3 16:46:45 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO] Logout.
----

The above I think is really strange.. could be some newbie having
trouble controlling an open proxy of course... Btw.. the directories "
.tmp" and "   " were created before... nothing in there. What is also
strange is that ".tmp" you would use to hide it or something, so why create
" .tmp"? Probably to make it ""hard"" to remove or something.. strange.

----
Oct  3 16:53:26 www pure-ftpd: (?@SHASTA081209.ig.com.br) [INFO] pgo is now logged in
Oct  3 16:56:23 www pure-ftpd: (pgo@SHASTA081209.ig.com.br) [INFO] Logout.
Oct  3 16:56:25 www pure-ftpd: (?@SHASTA081209.ig.com.br) [INFO] pgo is now logged in
Oct  3 16:56:26 www pure-ftpd: (pgo@SHASTA081209.ig.com.br) [INFO] Logout.
Oct  3 16:57:52 www pure-ftpd: (?@SHASTA081209.ig.com.br) [INFO] pgo is now logged in
Oct  3 16:57:52 www pure-ftpd: (pgo@SHASTA081209.ig.com.br) [INFO] Logout.
Oct  3 17:05:36 www pure-ftpd: (?@161.139.66.1) [INFO] pgo is now logged in
Oct  3 17:22:15 www pure-ftpd: (pgo@161.139.66.1) [INFO] Logout.
Oct  3 17:42:52 www pure-ftpd: (?@pD9FAD6AD.dip.t-dialin.net) [INFO] pgo is now logged in
Oct  3 17:45:55 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO] Logout.
Oct  3 17:59:19 www pure-ftpd: (?@pD9FAD6AD.dip.t-dialin.net) [INFO] pgo is now logged in
Oct  3 17:59:28 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO] Can't change directory to 15:28: No such file or directory
Oct  3 17:59:28 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO] Can't change directory to 15:28: No such file or directory
Oct  3 17:59:28 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO] Can't change directory to 15:28: No such file or directory
Oct  3 17:59:29 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO] Can't change directory to 15:28: No such file or directory
Oct  3 17:59:29 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO] Can't change directory to /15:28: No such file or directory
Oct  3 17:59:30 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO] Can't change directory to /15:28: No such file or directory
Oct  3 17:59:39 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO] Logout.
----

Again strange behavior.. probably typos as well.

----
Oct  3 18:09:34 www pure-ftpd: (?@83.100.132.94) [INFO] pgo is now logged in
Oct  3 18:10:08 www pure-ftpd: (pgo@83.100.132.94) [INFO] Logout.
Oct  3 18:18:41 www pure-ftpd: (?@ti400720a080-3071.bb.online.no) [INFO] pgo is now logged in
Oct  3 18:21:02 www pure-ftpd: (pgo@ti400720a080-3071.bb.online.no) [INFO] Logout.
Oct  3 18:31:11 www pure-ftpd: (?@tony04-58-98.inter.net.il) [INFO] pgo is now logged in
Oct  3 18:31:26 www pure-ftpd: (pgo@tony04-58-98.inter.net.il) [NOTICE] Deleted phpBB-2.0.10.tar.bz2
----

How rude, deleting my board package! It wasn't used anymore anyway so.. It
continues...

----
Oct  3 18:31:29 www pure-ftpd: (pgo@tony04-58-98.inter.net.il) [INFO] Can't change directory to .tmp: No such file or directory
Oct  3 18:31:42 www pure-ftpd: (pgo@tony04-58-98.inter.net.il) [INFO] Transfer aborted
Oct  3 18:33:11 www pure-ftpd: (pgo@tony04-58-98.inter.net.il) [INFO] Timeout (no new data for 900 seconds)
Oct  3 18:33:15 www pure-ftpd: (?@tony04-58-98.inter.net.il) [INFO] pgo is now logged in
Oct  3 18:33:47 www pure-ftpd: (pgo@tony04-58-98.inter.net.il) [INFO] Logout.
----

----
Oct  3 18:35:09 www pure-ftpd: (?@rr3-c-31-1.lnet.lut.fi) [INFO] pgo is now logged in
Oct  3 18:35:16 www pure-ftpd: (pgo@rr3-c-31-1.lnet.lut.fi) [INFO] Can't change directory to 15:28: No such file or directory
Oct  3 18:35:31 www pure-ftpd: (?@UBR-cpe-1.nat-pool.nsad.sbb.co.yu) [INFO] pgo is now logged in
Oct  3 18:35:44 www pure-ftpd: (pgo@UBR-cpe-1.nat-pool.nsad.sbb.co.yu) [INFO] Can't change directory to .tmp: No such file or directory
Oct  3 18:35:46 www pure-ftpd: (pgo@UBR-cpe-1.nat-pool.nsad.sbb.co.yu) [INFO] Can't change directory to 15:28   : No such file or directory
Oct  3 18:35:49 www pure-ftpd: (pgo@rr3-c-31-1.lnet.lut.fi) [INFO] Logout.
----

Well, I'll skip all those ".tmp" messages.. all these fools seem to miss
that it should be " .tmp". Maybe I should explain that this " .tmp" was
also created by these account crackers.

----
Oct  3 23:48:56 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk)
[WARNING] Authentication failed for user [pgo]
Oct  3 23:49:00 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk)
[WARNING] Authentication failed for user [pgo]
Oct  3 23:49:41 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk)
[WARNING] Authentication failed for user [pgo]
Oct  3 23:49:45 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk)
[WARNING] Authentication failed for user [pgo]
Oct  3 23:49:49 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk)
[WARNING] Authentication failed for user [pgo]
Oct  3 23:49:52 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk)
[WARNING] Authentication failed for user [pgo]
Oct  3 23:49:56 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk)
[WARNING] Authentication failed for user [pgo]
Oct  3 23:50:00 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk)
[WARNING] Authentication failed for user [pgo]
Oct  3 23:55:54 www pure-ftpd: (?@host81-157-252-251.range81-157.btcentralplus.com) [INFO] pgo is now logged in
Oct  3 23:55:56 www pure-ftpd: (pgo@host81-157-252-251.range81-157.btcentralplus.com) [INFO] Can't change directory to .tmp: No such file or directory
Oct  3 23:56:16 www pure-ftpd: (pgo@host81-157-252-251.range81-157.btcentralplus.com) [INFO] Logout.
----

Well, told you; hard to type the password..

----
Oct  4 00:58:06 www pure-ftpd: (?@213-132-213-18.adsl.nlhosting.nl) [INFO] pgo is now logged in
Oct  4 00:58:14 www pure-ftpd: (pgo@213-132-213-18.adsl.nlhosting.nl) [INFO] Can't change directory to 15:28: No such file or directory
Oct  4 00:58:53 www pure-ftpd: (pgo@213-132-213-18.adsl.nlhosting.nl) [INFO] Logout.
----

The above doesn't look like an open proxy to me.. strange.

----
Oct  4 01:20:02 www pure-ftpd: (?@pD9EB995F.dip0.t-ipconnect.de) [INFO] pgo is now logged in
Oct  4 01:20:03 www pure-ftpd: (pgo@pD9EB995F.dip0.t-ipconnect.de) [INFO] Can't change directory to / 21: No such file or directory
Oct  4 01:20:06 www pure-ftpd: (pgo@pD9EB995F.dip0.t-ipconnect.de) [INFO] Can't change directory to .tmp: No such file or directory
----

The above goes on trying to fetch '.tmp'.. and fails. But this time you see
the directory "/ 21", weird..

----
Oct  4 14:35:17 www pure-ftpd: (?@p50812301.dip0.t-ipconnect.de) [INFO] pgo is now logged in
Oct  4 14:35:22 www pure-ftpd: (pgo@p50812301.dip0.t-ipconnect.de) [INFO] Can't change directory to ./.tmp. / /: No such file or directory
Oct  4 14:36:44 www pure-ftpd: (pgo@p50812301.dip0.t-ipconnect.de) [INFO] Logout.
----

So, I think it's very strange. I don't understand how they got the
password of this account, which really is hard (8 chars, random letters
and numbers). They could have sniffed it of course, but why log in from
so many IP addresses and do absolutely nothing? I still have this account
working; it's about 2 weeks ago that I found out.. I want to find out
the purpose and cause and who did this. Any ideas?

-- 
Rob klein Gunnewiek
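
The per-client triage Rob does by hand above, as an added example (this is not code from the original post or from pure-ftpd). It parses pure-ftpd syslog lines in the format the logs show and tags each client host with the behaviours discussed in the thread: login/logout with nothing transferred, a wrong password followed by an accepted one, an upload deleted straight afterwards (the cw.txt "check writable" probe), chdir attempts at directories that do not exist, and failed logins that never succeeded. The sample lines are taken from the post, restored to one per line; the tag names, the `ClientActivity` fields and the regexes are my own choices, not anything pure-ftpd produces.

```python
"""Per-client triage of pure-ftpd syslog lines for one FTP account.

Added example, not code from the original post. Line format as in the post:
  <syslog ts> <host> pure-ftpd: (<user>@<client>) [<LEVEL>] <message>
<user> is "?" until the client has authenticated.
"""
import posixpath
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Sample lines taken from the post, restored to one per line (not the full log).
SAMPLE_LOG = """\
Oct  3 15:03:48 www pure-ftpd: (?@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] pgo is now logged in
Oct  3 15:04:10 www pure-ftpd: (pgo@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] Logout.
Oct  3 15:23:21 www pure-ftpd: (?@wc-142.r-195-85-157.essentkabel.com) [INFO] pgo is now logged in
Oct  3 15:23:53 www pure-ftpd: (pgo@wc-142.r-195-85-157.essentkabel.com) [NOTICE] /home/users/pgo/public_html//2004-2005/filelist.html downloaded  (4123 bytes, 2574.54KB/sec)
Oct  3 15:26:02 www pure-ftpd: (pgo@wc-142.r-195-85-157.essentkabel.com) [NOTICE] /home/users/pgo/public_html//cw.txt uploaded  (211 bytes, 5.41KB/sec)
Oct  3 15:26:05 www pure-ftpd: (pgo@wc-142.r-195-85-157.essentkabel.com) [NOTICE] Deleted cw.txt
Oct  3 15:29:03 www pure-ftpd: (pgo@wc-142.r-195-85-157.essentkabel.com) [INFO] Logout.
Oct  3 15:51:41 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it) [WARNING] Authentication failed for user [pgo]
Oct  3 15:52:04 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it) [INFO] pgo is now logged in
Oct  3 15:52:17 www pure-ftpd: (pgo@host43-91.pool8252.interbusiness.it) [INFO] Logout.
Oct  3 16:44:09 www pure-ftpd: (?@a81-84-79-26.netcabo.pt) [INFO] pgo is now logged in
Oct  3 16:45:09 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO] Can't change directory to .tmp: No such file or directory
Oct  3 16:45:16 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO] Can't change directory to 15:28: No such file or directory
Oct  3 16:46:45 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO] Logout.
Oct  3 23:48:56 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk) [WARNING] Authentication failed for user [pgo]
Oct  3 23:49:00 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk) [WARNING] Authentication failed for user [pgo]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\((?P<user>[^@]*)@(?P<client>[^)]+)\) \[(?P<level>\w+)\] (?P<msg>.*)$")
TRANSFER_RE = re.compile(r"^(?P<path>\S+) (?P<dir>downloaded|uploaded)\s+\((?P<size>\d+) bytes")
CHDIR_RE = re.compile(r"^Can't change directory to (?P<target>.*): No such file or directory$")


@dataclass
class ClientActivity:
    logins: int = 0
    logouts: int = 0
    auth_failures: int = 0
    downloads: list = field(default_factory=list)
    uploads: list = field(default_factory=list)
    deletes: list = field(default_factory=list)
    chdir_failures: list = field(default_factory=list)
    failed_then_succeeded: bool = False  # wrong password, then the right one

    def idle_only(self):
        """Logged in but never transferred, deleted or navigated: a credential check."""
        return self.logins > 0 and not (
            self.downloads or self.uploads or self.deletes or self.chdir_failures)

    def write_probe(self):
        """An uploaded file deleted again: testing for write access."""
        return any(posixpath.basename(p) in self.deletes for p in self.uploads)


def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text, account):
    """Group every event concerning `account` by the client host that caused it."""
    clients = defaultdict(ClientActivity)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] not in ("?", account):
            continue
        act, msg = clients[rec["client"]], rec["msg"]
        if msg == f"{account} is now logged in":
            act.logins += 1
            act.failed_then_succeeded |= act.auth_failures > 0
        elif msg == "Logout.":
            act.logouts += 1
        elif msg == f"Authentication failed for user [{account}]":
            act.auth_failures += 1
        elif msg.startswith("Deleted "):
            act.deletes.append(msg[len("Deleted "):])
        elif (t := TRANSFER_RE.match(msg)):
            (act.downloads if t["dir"] == "downloaded" else act.uploads).append(t["path"])
        elif (c := CHDIR_RE.match(msg)):
            act.chdir_failures.append(c["target"])
    return dict(clients)


def findings(clients):
    """(client, tag, detail) for each behaviour worth a second look; tags are my own."""
    out = []
    for client in sorted(clients):
        act = clients[client]
        if act.failed_then_succeeded:
            out.append((client, "mistyped-then-accepted", "someone typing, not a script"))
        if act.idle_only():
            out.append((client, "idle-session", f"{act.logins} login(s), nothing transferred"))
        if act.write_probe():
            out.append((client, "write-probe", f"uploaded then deleted {act.deletes}"))
        if act.chdir_failures:
            out.append((client, "chdir-missing", f"expects {sorted(set(act.chdir_failures))}"))
        if act.auth_failures and not act.logins:
            out.append((client, "failed-only", f"{act.auth_failures} bad password(s), no success"))
    return out


if __name__ == "__main__":
    for client, tag, detail in findings(summarize(SAMPLE_LOG, "pgo")):
        print(f"{client:48} {tag:22} {detail}")
```

Run over the full 304-line log, the same grouping gives the count of distinct client hosts straight from `len(summarize(...))`, and because the "Authentication failed" lines carry the client in the same position as the login lines, one failed-then-accepted sequence per host is enough to separate a person at a keyboard from a scripted credential check. Note what the log cannot answer: pure-ftpd records the peer of the control connection, so an open proxy in front of the real client hides it, which is what Rob ran into when tracing the addresses.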