Security intrusion lesson


jesterspet
10-07-2000, 02:18 PM
OK, folks, help me out here with an intrusion attempt.


While looking through /var/log/messages I found some "black hat" poking around my FTP site.

After sending a copy of my logs to the abuse department of the offender's ISP, I would like to ascertain exactly what this "black hat" was trying to do.

Here are the logs (server name edited to protect me, but the offender shall remain unobfuscated):

Oct 7 05:12:11 XxXxXxX ftpd[8878]: USER anonymous
Oct 7 05:12:11 XxXxXxX ftpd[8878]: PASS guest@here.com
Oct 7 05:12:11 XxXxXxX ftpd[8878]: ANONYMOUS FTP LOGIN FROM ti10a61-0132.dialup.online.no [130.67.83.4], guest@here.com
Oct 7 05:12:11 XxXxXxX ftpd[8878]: CWD /pub/
Oct 7 05:12:11 XxXxXxX ftpd[8878]: MKD .001007141143p
Oct 7 05:12:11 XxXxXxX ftpd[8878]: anonymous(guest@here.com) of ti10a61-0132.dialup.online.no [130.67.83.4] tried to create directory /home/ftp/pub/.001007141143p
Oct 7 05:12:12 XxXxXxX ftpd[8878]: CWD /public/
Oct 7 05:12:12 XxXxXxX ftpd[8878]: CWD /pub/incoming/
Oct 7 05:12:12 XxXxXxX ftpd[8878]: CWD /incoming/
Oct 7 05:12:12 XxXxXxX ftpd[8878]: CWD /_vti_pvt/
Oct 7 05:12:13 XxXxXxX ftpd[8878]: CWD /
Oct 7 05:12:13 XxXxXxX ftpd[8878]: MKD .001007141144p
Oct 7 05:12:13 XxXxXxX ftpd[8878]: anonymous(guest@here.com) of ti10a61-0132.dialup.online.no [130.67.83.4] tried to create directory /home/ftp/.001007141144p
Oct 7 05:12:13 XxXxXxX ftpd[8878]: CWD /upload/
Oct 7 05:12:13 XxXxXxX ftpd[8878]: FTP session closed

First thing I noticed was the mkdir command was enabled for anonymous users.

How do I kill that ability for anonymous users?

Second thing I noticed was that the "black hat" gave the command .001007141144p for a directory. Is that just some random directory name or an exploit of some sort? Any help would be appreciated.

------------------
[X] YES! I'm a brain-damaged lemur on crack, and I'd like to order your software package for $459.95!
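The pattern in the log above (anonymous login, a burst of CWDs into the usual upload directories, MKD with a hidden dotted name) is easy to pick out of /var/log/messages automatically. The following is an added example, not code from the thread: it parses wu-ftpd syslog lines grouped by ftpd pid and flags sessions that match that behaviour. The sample is a trimmed copy of the lines quoted in the post; the thresholds (four distinct directories within five seconds) are assumptions.

```python
import re

# Constructed sample: the wu-ftpd syslog lines quoted in the post, trimmed.
SAMPLE_LOG = """\
Oct 7 05:12:11 XxXxXxX ftpd[8878]: USER anonymous
Oct 7 05:12:11 XxXxXxX ftpd[8878]: ANONYMOUS FTP LOGIN FROM ti10a61-0132.dialup.online.no [130.67.83.4], guest@here.com
Oct 7 05:12:11 XxXxXxX ftpd[8878]: CWD /pub/
Oct 7 05:12:11 XxXxXxX ftpd[8878]: MKD .001007141143p
Oct 7 05:12:12 XxXxXxX ftpd[8878]: CWD /public/
Oct 7 05:12:12 XxXxXxX ftpd[8878]: CWD /incoming/
Oct 7 05:12:12 XxXxXxX ftpd[8878]: CWD /_vti_pvt/
Oct 7 05:12:13 XxXxXxX ftpd[8878]: CWD /
Oct 7 05:12:13 XxXxXxX ftpd[8878]: MKD .001007141144p
Oct 7 05:12:13 XxXxXxX ftpd[8878]: FTP session closed
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ ftpd\[(\d+)\]: (.*)$")
ANON_RE = re.compile(r"ANONYMOUS FTP LOGIN FROM \S+ \[([\d.]+)\]")

def parse_sessions(text):
    """Group log lines by ftpd pid; record anonymous login, CWD probes and MKD attempts."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m: continue
        h, mi, s, pid, msg = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s)          # seconds since midnight
        sess = sessions.setdefault(pid, {"anonymous": False, "ip": None,
                                         "cwd": [], "mkd": [], "start": t, "end": t})
        sess["end"] = t
        a = ANON_RE.search(msg)
        if a:
            sess["anonymous"], sess["ip"] = True, a.group(1)
        elif msg.startswith("CWD "):
            sess["cwd"].append(msg[4:].strip())
        elif msg.startswith("MKD "):
            sess["mkd"].append(msg[4:].strip())
    return sessions

def reasons(sess):
    """Why a session looks like the automated writable-directory probe from the post."""
    out, dirs, span = [], len(set(sess["cwd"])), sess["end"] - sess["start"]
    if sess["anonymous"] and sess["mkd"]:
        out.append("anonymous MKD")
    if any(d.startswith(".") for d in sess["mkd"]):        # hidden directory name
        out.append("hidden dir name")
    if dirs >= 4 and span <= 5:                            # scripted burst (assumed thresholds)
        out.append("%d dirs probed in %ds" % (dirs, span))
    return out

def scan(text):
    """Map pid -> (client ip, reasons) for every session that trips at least one rule."""
    return {p: (s["ip"], reasons(s)) for p, s in parse_sessions(text).items() if reasons(s)}
```

Run it over a real /var/log/messages with `scan(open("/var/log/messages").read())`; only sessions with at least one reason are returned.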

Craig McPherson
10-08-2000, 01:04 AM
Well, three things strike me:

1. Based on the fact that all this happens within seconds, it's obvious that he's using some kind of script for this, probably some canned expl0it he downloaded from some 1337 h4x0r site like Warforge.

2. He's apparently trying to create a folder for purposes of uploading something. The period at the start of the folder name is to make it hidden so that you hopefully won't notice it. The seemingly random numbers are probably so that it wouldn't set off alarm bells with you if you noticed it later, like ".exploitz" would.

3. I notice the number increments by one each time. I'm not sure what this means, though.

4. The "vti_pvt" directory is a directory used by Microsoft FrontPage. Obviously his script is trying to go into every directory that commonly exists on FTP servers, and create a directory in every one that it can get into.

I can only speculate as to why, though.

Anyway, what FTP server are you using? I know how to turn off anonymous directory creation in Wu, but not in any others.

Golden_Eternity
10-08-2000, 04:48 PM
It looked like the ftp server gave an error when he tried to create that directory... was the dir actually created?

He was definitely looking to upload something... How he was going to get it to run is an interesting question... Maybe hoping you had your webroot and ftproot the same...

Harvey
10-09-2000, 12:46 AM
Dang... you're good Craig!

jesterspet
10-09-2000, 04:03 PM
Originally posted by Craig McPherson:
Anyway, what FTP server are you using? I know how to turn off anonymous directory creation in Wu, but not in any others.

I am using WU.

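For wu-ftpd the switch is the `upload` directive in /etc/ftpaccess: a blanket `no ... nodirs` line for the anonymous root denies both uploads and MKD, and a narrower line can re-open a single drop box without directory creation. This fragment is added here and is not from the thread; it assumes the anonymous root is /home/ftp (as the log's "tried to create directory /home/ftp/..." lines show) and that a /home/ftp/incoming drop box owned by user ftp, group daemon, is wanted at all.

```text
# /etc/ftpaccess (wu-ftpd)
# Deny uploads and directory creation everywhere under the anonymous root ...
upload /home/ftp * no nobody nogroup 0000 nodirs
# ... then allow uploads only into the drop box: no MKD, files created 0600
# so other anonymous users cannot fetch what was dropped.
upload /home/ftp /incoming yes ftp daemon 0600 nodirs
# Deny the remaining write-type commands to anonymous users as well.
chmod     no anonymous
delete    no anonymous
overwrite no anonymous
rename    no anonymous
```

Drop the /incoming line entirely if you do not need anonymous uploads at all.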

scottt
10-09-2000, 04:04 PM
You should switch to ProFTPD, as I believe it to be more secure.

jesterspet
10-10-2000, 12:08 AM
What say you Craig? :P


mastersibn
10-10-2000, 12:21 AM
Craig, it seems to me that it would be a handy thing to increment the directory count by one each time in order to build a database of compromised systems.

In short, a person could return all the successful numbers to the invading machine to be appended to a file. Then this person would have easy access to all the servers that were compromised.

Since the number increments even if the creation fails, he can also figure the percentage of attempts that succeed. Say he has 100 servers, and 1500 tries. That would mean that his success rate is about 1.5%, obviously. Not very handy, but useful in that it would allow him to stop using a particular exploit if it had a certain success rate (such as 0.00001 or 0 or something). Just speculation, but if you're going to try to exploit a large number of systems, then you should at least have some statistics around.


------------------
grab my gnupg key (http://jove.prohosting.com/~msibn/sibn-p.asc) if you feel so inclined.

do the world a favor: give an employee something to smile about.