Security Incidents mailing list archives

Re: Strange FTP logs


From: Yuri Gushin <yuri () eclipse org il>
Date: Mon, 01 Nov 2004 18:16:01 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello,

This one is easy: it's a group of warez distributors who somehow gained
access to your account. The whole thing with " .tmp", "    " and
other "weird" directories is the method warez fillers use to try and
hide content from the administrator. The wrong password and failed CD
entries tell us that the warez group is really new to the scene and
displays poor communication skills between the group members.

What they tried doing is "pubbing" your server: they checked whether
they could upload files to it and created the directories, all in an
attempt to upload warez content onto your server and make it public
(thus "pubbing"), so others could leech stuff from your server. All the
"weird" traffic is just the members having a go at the server, trying
things, poking around.

After the failed attempts at changing directories the newbie warez
crew seems to have given up, which explains why they didn't come
back. Hope this demystifies the log  :)

Regards,
~    Yuri.




Rob klein Gunnewiek wrote:

|Hello,
|
|A while ago I checked my logs, which I do a lot more often now than
|before. Anyway, I found very suspicious log entries. I use pure-ftpd,
|which is rather secure, and I had created an account "pgo" in about
|February 2004, which was used for my school project group to store
|project documents. Now, I'm not new to security at all; I use very
|strong passwords, so I think we can easily rule out that "pgo"'s
|password had been guessed (found no signs of brute force in the logs
|as well).
|
|Well.. the pgo account hadn't been used for about a month and
|then I saw that there were logins from over 50 different IP addresses
|from all over the world (logs are appended). I put a lot of effort into
|tracing them back; most were open proxies, some seem to be rather
|secure hosts that didn't seem to be used as open proxies.
|
|I first expected this to be just some warez group and that somehow
|school computers were backdoored by one of them, but the logs are
|very strange. I kept the account open to see what they would do, but
|they didn't come back.. although there was no reason they shouldn't.
|
|I show you the log here; note the strange behavior these clients
|exhibit. I removed many log lines that were less interesting, as there
|are 304 log lines:
|
|---
|Oct  3 15:03:48 www pure-ftpd: (?@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] pgo is now logged in
|Oct  3 15:04:10 www pure-ftpd: (pgo@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] Logout.
|Oct  3 15:04:13 www pure-ftpd: (?@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] pgo is now logged in
|Oct  3 15:04:39 www pure-ftpd: (pgo@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] Logout.
|Oct  3 15:04:42 www pure-ftpd: (?@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] pgo is now logged in
|Oct  3 15:04:51 www pure-ftpd: (pgo@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] Logout.
|Oct  3 15:05:15 www pure-ftpd: (?@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] pgo is now logged in
|Oct  3 15:05:37 www pure-ftpd: (pgo@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] Logout.
|----
|
|The above IP continues to login and logout without
|uploading/downloading anything
|
|----
|Oct  3 15:23:21 www pure-ftpd: (?@wc-142.r-195-85-157.essentkabel.com) [INFO] pgo is now logged in
|Oct  3 15:23:53 www pure-ftpd: (pgo@wc-142.r-195-85-157.essentkabel.com) [NOTICE] /home/users/pgo/public_html//2004-2005/filelist.html downloaded  (4123 bytes, 2574.54KB/sec)
|Oct  3 15:26:02 www pure-ftpd: (pgo@wc-142.r-195-85-157.essentkabel.com) [NOTICE] /home/users/pgo/public_html//cw.txt uploaded  (211 bytes, 5.41KB/sec)
|Oct  3 15:26:05 www pure-ftpd: (pgo@wc-142.r-195-85-157.essentkabel.com) [NOTICE] Deleted cw.txt
|Oct  3 15:29:03 www pure-ftpd: (pgo@wc-142.r-195-85-157.essentkabel.com) [INFO] Logout.
|----
|
|I tried to recover this cw.txt, but I failed here.. made an image with
|dd and tried to find anything unusual, but no.. I think it's just to
|check if he could write, which could explain the name "cw.txt" (check
|writable?).
|
|----
|Oct  3 15:51:41 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it) [WARNING] Authentication failed for user [pgo]
|Oct  3 15:52:04 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it) [INFO] pgo is now logged in
|Oct  3 15:52:17 www pure-ftpd: (pgo@host43-91.pool8252.interbusiness.it) [INFO] Logout.
|----
|
|The above tells me this is not some automated program, because it
|wouldn't fail typing the right password..
|
|----
|Oct  3 15:52:28 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it) [INFO] pgo is now logged in
|Oct  3 15:52:58 www pure-ftpd: (pgo@host43-91.pool8252.interbusiness.it) [INFO] Logout.
|Oct  3 15:53:09 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it) [INFO] pgo is now logged in
|Oct  3 15:53:11 www pure-ftpd: (pgo@host43-91.pool8252.interbusiness.it) [INFO] Logout.
|Oct  3 15:53:24 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it) [INFO] pgo is now logged in
|Oct  3 15:53:27 www pure-ftpd: (pgo@host43-91.pool8252.interbusiness.it) [INFO] Logout.
|Oct  3 15:53:38 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it) [INFO] pgo is now logged in
|Oct  3 15:55:29 www pure-ftpd: (pgo@host43-91.pool8252.interbusiness.it) [INFO] Logout.
|----
|
|The above ip continues logging in and out...
|
|----
|Oct  3 16:23:26 www pure-ftpd: (?@a81-84-79-26.netcabo.pt) [INFO] pgo is now logged in
|Oct  3 16:24:50 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO] Logout.
|Oct  3 16:44:09 www pure-ftpd: (?@a81-84-79-26.netcabo.pt) [INFO] pgo is now logged in
|Oct  3 16:44:42 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [NOTICE] /home/users/pgo/public_html//phpBB-2.0.10.tar.bz2 downloaded  (453378 bytes, 22.65KB/sec)
|Oct  3 16:45:09 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO] Can't change directory to .tmp: No such file or directory
|Oct  3 16:45:12 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO] Can't change directory to .tmp: No such file or directory
|Oct  3 16:45:16 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO] Can't change directory to 15:28: No such file or directory
|Oct  3 16:45:19 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO] Can't change directory to 15:28: No such file or directory
|Oct  3 16:46:45 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO] Logout.
|----
|
|The above I think is really strange.. could be some newbie having
|trouble controlling an open proxy of course... Btw.. the directories "
|.tmp" and "   " were created before... nothing in there. What is also
|strange is that ".tmp" you would use to hide it or something, why
|create " .tmp"? Probably to make it ""hard"" to remove or something..
|strange.
|
|----
|Oct  3 16:53:26 www pure-ftpd: (?@SHASTA081209.ig.com.br) [INFO] pgo is now logged in
|Oct  3 16:56:23 www pure-ftpd: (pgo@SHASTA081209.ig.com.br) [INFO] Logout.
|Oct  3 16:56:25 www pure-ftpd: (?@SHASTA081209.ig.com.br) [INFO] pgo is now logged in
|Oct  3 16:56:26 www pure-ftpd: (pgo@SHASTA081209.ig.com.br) [INFO] Logout.
|Oct  3 16:57:52 www pure-ftpd: (?@SHASTA081209.ig.com.br) [INFO] pgo is now logged in
|Oct  3 16:57:52 www pure-ftpd: (pgo@SHASTA081209.ig.com.br) [INFO] Logout.
|Oct  3 17:05:36 www pure-ftpd: (?@161.139.66.1) [INFO] pgo is now logged in
|Oct  3 17:22:15 www pure-ftpd: (pgo@161.139.66.1) [INFO] Logout.
|Oct  3 17:42:52 www pure-ftpd: (?@pD9FAD6AD.dip.t-dialin.net) [INFO] pgo is now logged in
|Oct  3 17:45:55 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO] Logout.
|Oct  3 17:59:19 www pure-ftpd: (?@pD9FAD6AD.dip.t-dialin.net) [INFO] pgo is now logged in
|Oct  3 17:59:28 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO] Can't change directory to 15:28: No such file or directory
|Oct  3 17:59:28 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO] Can't change directory to 15:28: No such file or directory
|Oct  3 17:59:28 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO] Can't change directory to 15:28: No such file or directory
|Oct  3 17:59:29 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO] Can't change directory to 15:28: No such file or directory
|Oct  3 17:59:29 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO] Can't change directory to /15:28: No such file or directory
|Oct  3 17:59:30 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO] Can't change directory to /15:28: No such file or directory
|Oct  3 17:59:39 www pure-ftpd: (pgo@pD9FAD6AD.dip.t-dialin.net) [INFO] Logout.
|----
|
|Again strange behavior.. probably typos as well
|
|----
|Oct  3 18:09:34 www pure-ftpd: (?@83.100.132.94) [INFO] pgo is now logged in
|Oct  3 18:10:08 www pure-ftpd: (pgo@83.100.132.94) [INFO] Logout.
|Oct  3 18:18:41 www pure-ftpd: (?@ti400720a080-3071.bb.online.no) [INFO] pgo is now logged in
|Oct  3 18:21:02 www pure-ftpd: (pgo@ti400720a080-3071.bb.online.no) [INFO] Logout.
|Oct  3 18:31:11 www pure-ftpd: (?@tony04-58-98.inter.net.il) [INFO] pgo is now logged in
|Oct  3 18:31:26 www pure-ftpd: (pgo@tony04-58-98.inter.net.il) [NOTICE] Deleted phpBB-2.0.10.tar.bz2
|----
|
|How rude, deleting my board package! Wasn't used anymore anyway so..
|It continues...
|
|----
|Oct  3 18:31:29 www pure-ftpd: (pgo@tony04-58-98.inter.net.il) [INFO] Can't change directory to .tmp: No such file or directory
|Oct  3 18:31:42 www pure-ftpd: (pgo@tony04-58-98.inter.net.il) [INFO] Transfer aborted
|Oct  3 18:33:11 www pure-ftpd: (pgo@tony04-58-98.inter.net.il) [INFO] Timeout (no new data for 900 seconds)
|Oct  3 18:33:15 www pure-ftpd: (?@tony04-58-98.inter.net.il) [INFO] pgo is now logged in
|Oct  3 18:33:47 www pure-ftpd: (pgo@tony04-58-98.inter.net.il) [INFO] Logout.
|----
|
|----
|Oct  3 18:35:09 www pure-ftpd: (?@rr3-c-31-1.lnet.lut.fi) [INFO] pgo is now logged in
|Oct  3 18:35:16 www pure-ftpd: (pgo@rr3-c-31-1.lnet.lut.fi) [INFO] Can't change directory to 15:28: No such file or directory
|Oct  3 18:35:31 www pure-ftpd: (?@UBR-cpe-1.nat-pool.nsad.sbb.co.yu) [INFO] pgo is now logged in
|Oct  3 18:35:44 www pure-ftpd: (pgo@UBR-cpe-1.nat-pool.nsad.sbb.co.yu) [INFO] Can't change directory to .tmp: No such file or directory
|Oct  3 18:35:46 www pure-ftpd: (pgo@UBR-cpe-1.nat-pool.nsad.sbb.co.yu) [INFO] Can't change directory to 15:28   : No such file or directory
|Oct  3 18:35:49 www pure-ftpd: (pgo@rr3-c-31-1.lnet.lut.fi) [INFO] Logout.
|----
|
|Well, I'll skip all those ".tmp" messages.. all these fools seem to
|miss that it should be " .tmp". Maybe I should explain that this "
|.tmp" was also created by these account crackers.
|
|----
|Oct  3 23:48:56 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk) [WARNING] Authentication failed for user [pgo]
|Oct  3 23:49:00 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk) [WARNING] Authentication failed for user [pgo]
|Oct  3 23:49:41 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk) [WARNING] Authentication failed for user [pgo]
|Oct  3 23:49:45 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk) [WARNING] Authentication failed for user [pgo]
|Oct  3 23:49:49 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk) [WARNING] Authentication failed for user [pgo]
|Oct  3 23:49:52 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk) [WARNING] Authentication failed for user [pgo]
|Oct  3 23:49:56 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk) [WARNING] Authentication failed for user [pgo]
|Oct  3 23:50:00 www pure-ftpd: (?@modem-1327.buffalo.dialup.pol.co.uk) [WARNING] Authentication failed for user [pgo]
|Oct  3 23:55:54 www pure-ftpd: (?@host81-157-252-251.range81-157.btcentralplus.com) [INFO] pgo is now logged in
|Oct  3 23:55:56 www pure-ftpd: (pgo@host81-157-252-251.range81-157.btcentralplus.com) [INFO] Can't change directory to .tmp: No such file or directory
|Oct  3 23:56:16 www pure-ftpd: (pgo@host81-157-252-251.range81-157.btcentralplus.com) [INFO] Logout.
|----
|
|Well, told yah; hard to type password..
|
|----
|Oct  4 00:58:06 www pure-ftpd: (?@213-132-213-18.adsl.nlhosting.nl) [INFO] pgo is now logged in
|Oct  4 00:58:14 www pure-ftpd: (pgo@213-132-213-18.adsl.nlhosting.nl) [INFO] Can't change directory to 15:28: No such file or directory
|Oct  4 00:58:53 www pure-ftpd: (pgo@213-132-213-18.adsl.nlhosting.nl) [INFO] Logout.
|----
|
|The above doesn't look like an open proxy to me.. strange.
|
|----
|Oct  4 01:20:02 www pure-ftpd: (?@pD9EB995F.dip0.t-ipconnect.de) [INFO] pgo is now logged in
|Oct  4 01:20:03 www pure-ftpd: (pgo@pD9EB995F.dip0.t-ipconnect.de) [INFO] Can't change directory to / 21: No such file or directory
|Oct  4 01:20:06 www pure-ftpd: (pgo@pD9EB995F.dip0.t-ipconnect.de) [INFO] Can't change directory to .tmp: No such file or directory
|----
|
|The above goes on trying to fetch '.tmp'.. fails. But this time you
|see directory "/ 21", weird..
|
|----
|Oct  4 14:35:17 www pure-ftpd: (?@p50812301.dip0.t-ipconnect.de) [INFO] pgo is now logged in
|Oct  4 14:35:22 www pure-ftpd: (pgo@p50812301.dip0.t-ipconnect.de) [INFO] Can't change directory to ./.tmp. / /: No such file or directory
|Oct  4 14:36:44 www pure-ftpd: (pgo@p50812301.dip0.t-ipconnect.de) [INFO] Logout.
|----
|
|So, I think it's very strange. I don't understand how they got the
|password of this account, which really is hard (8 chars, random letters
|and numbers). They could have sniffed it of course, but why log in from
|so many IP addresses and do absolutely nothing? I still have this
|account working; it's about 2 weeks ago that I found out.. I want to
|find out the purpose and cause and who did this. Any ideas?
|

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBhn1hAFGyzvzhASERApi0AKClBTrfLDHUCfutHF86va4I7ugpGQCbBK9v
RfelMmJzhycLUo3QeLtrhaI=
=MOIj
-----END PGP SIGNATURE-----
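The triage Yuri sketches (one account driven from many client hosts, an upload-then-delete write probe, directory names with a leading dot or space, a password retyped by hand) can be run mechanically over the posted log. The script below is an added example and is not code from either poster or from pure-ftpd. It assumes pure-ftpd's default syslog line format as it appears in the post, supplies the year 2004 that syslog omits, and uses illustrative thresholds (host_threshold, probe_window, retype_window); the sample lines are copied from the post with the list archive's address obfuscation undone.

```python
"""Triage pure-ftpd syslog lines for the "pubbing" pattern described in the thread.
Added example, not code from either poster: it assumes pure-ftpd's default syslog
line format as shown in the post, and the thresholds below are illustrative."""
import re
from collections import defaultdict
from datetime import datetime

# Sample lines taken from the post above, with the list archive's address
# obfuscation ("pgo () host domain") undone; they are the input, not output.
SAMPLE_LOG = """\
Oct  3 15:03:48 www pure-ftpd: (?@AStrasbourg-106-1-6-77.w81-50.abo.wanadoo.fr) [INFO] pgo is now logged in
Oct  3 15:23:21 www pure-ftpd: (?@wc-142.r-195-85-157.essentkabel.com) [INFO] pgo is now logged in
Oct  3 15:26:02 www pure-ftpd: (pgo@wc-142.r-195-85-157.essentkabel.com) [NOTICE] /home/users/pgo/public_html//cw.txt uploaded  (211 bytes, 5.41KB/sec)
Oct  3 15:26:05 www pure-ftpd: (pgo@wc-142.r-195-85-157.essentkabel.com) [NOTICE] Deleted cw.txt
Oct  3 15:51:41 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it) [WARNING] Authentication failed for user [pgo]
Oct  3 15:52:04 www pure-ftpd: (?@host43-91.pool8252.interbusiness.it) [INFO] pgo is now logged in
Oct  3 16:23:26 www pure-ftpd: (?@a81-84-79-26.netcabo.pt) [INFO] pgo is now logged in
Oct  3 16:45:09 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO] Can't change directory to .tmp: No such file or directory
Oct  3 16:45:16 www pure-ftpd: (pgo@a81-84-79-26.netcabo.pt) [INFO] Can't change directory to 15:28: No such file or directory
Oct  3 17:05:36 www pure-ftpd: (?@161.139.66.1) [INFO] pgo is now logged in
Oct  3 18:31:11 www pure-ftpd: (?@tony04-58-98.inter.net.il) [INFO] pgo is now logged in
Oct  3 18:31:26 www pure-ftpd: (pgo@tony04-58-98.inter.net.il) [NOTICE] Deleted phpBB-2.0.10.tar.bz2
Oct  4 01:20:03 www pure-ftpd: (pgo@pD9EB995F.dip0.t-ipconnect.de) [INFO] Can't change directory to / 21: No such file or directory
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pure-ftpd: "
    r"\((?P<user>[^@]*)@(?P<client>[^)]+)\) \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
# Message-body patterns, tried in order; anything else is kept as kind "other".
MSG_PATTERNS = [
    ("login", re.compile(r"^(?P<account>\S+) is now logged in$")),
    ("authfail", re.compile(r"^Authentication failed for user \[(?P<account>[^\]]+)\]$")),
    ("upload", re.compile(r"^(?P<path>.+?) uploaded\s+\((?P<bytes>\d+) bytes")),
    ("download", re.compile(r"^(?P<path>.+?) downloaded\s+\((?P<bytes>\d+) bytes")),
    ("delete", re.compile(r"^Deleted (?P<path>.+)$")),
    ("chdir_fail", re.compile(r"^Can't change directory to (?P<path>.+): No such file or directory$")),
]

def parse_log(text, year=2004):
    """Parse syslog text into event dicts; non-matching lines are skipped.
    Syslog lines carry no year, so one is supplied (2004 for the post's logs)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, fields = "other", {}
        for name, pat in MSG_PATTERNS:
            mm = pat.match(m["msg"])
            if mm:
                kind, fields = name, mm.groupdict()
                break
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "client": m["client"], "level": m["level"], "kind": kind, **fields})
    return events

def looks_hidden(path):
    """Names chosen to escape a casual listing: a component that starts with '.'
    or a space, or is only whitespace ('.' and '..' themselves do not count)."""
    return any(c not in (".", "..") and (c[0] in " ." or not c.strip())
               for c in path.split("/") if c)

def basename(path):
    return path.rsplit("/", 1)[-1]

def triage(events, host_threshold=5, probe_window=300, retype_window=120):
    """Return (indicator, subject, detail) tuples for the behaviours the thread describes."""
    findings, hosts, pending, last_fail = [], defaultdict(set), {}, {}
    for e in events:
        kind, client, ts = e["kind"], e["client"], e["ts"]
        if kind == "authfail":
            last_fail[(client, e["account"])] = ts
        elif kind == "login":
            hosts[e["account"]].add(client)
            # Failure then quick success from the same client: someone typing
            # a password by hand, not a scripted client.
            t0 = last_fail.pop((client, e["account"]), None)
            if t0 and (ts - t0).total_seconds() <= retype_window:
                findings.append(("retyped-password", client, f"login {int((ts - t0).total_seconds())}s after failure"))
        elif kind == "upload":
            pending[(client, basename(e["path"]))] = ts
        elif kind == "delete":
            # Upload then deletion of the same name from the same client: a
            # write probe ("can I pub here?"), not real content.
            t0 = pending.pop((client, basename(e["path"])), None)
            if t0 and (ts - t0).total_seconds() <= probe_window:
                findings.append(("write-probe", client, f"{basename(e['path'])} deleted {int((ts - t0).total_seconds())}s after upload"))
        elif kind == "chdir_fail" and looks_hidden(e["path"]):
            findings.append(("hidden-dir", client, repr(e["path"])))
    # One account driven from many client hosts: the credential is being shared.
    for account, seen in hosts.items():
        if len(seen) >= host_threshold:
            findings.append(("shared-credential", account, f"{len(seen)} distinct client hosts"))
    return findings

if __name__ == "__main__":
    for indicator, subject, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{indicator:18} {subject:48} {detail}")
```

On the sample this reports five findings: the cw.txt write probe from essentkabel.com, the retyped password from interbusiness.it, two hidden-looking directory targets (".tmp" and "/ 21") and the shared credential (six distinct client hosts for pgo). On a live box the same parser can be fed from the syslog file pure-ftpd writes to. The retyped-password indicator on its own is only a weak hint that a human is at the keyboard; it is the combination with the write probe and the hidden-name targets that matches the pubbing pattern.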

