Malicious Attack Or Not?

From: Mark Burrell <mark_at_adam.ac.uk>
Date: Wed, 19 Aug 1998 10:20:20 +0100

Hello all,

I have a strange problem and I want to see if any of you
have encountered anything similar.

I run a DU box (AlphaServer 1000) running 3.2c. I have an
FTP site on this box, with logs sent to /var/adm/syslog.dated.
Recently I've noticed that I've been having multiple FTP
connections from a particular site in Russia - it's obviously
some sort of automated process - a connection is made, then
shortly afterwards it is disconnected. Nothing is ever downloaded,
not even the FTP directory listings. An example of the log
is as follows :-

Aug 19 09:30:38 localhost ftpd[5826]: ANONYMOUS FTP LOGIN FROM schboy.kuban.ru, id=yankovsk_at_chat.ru
Aug 19 09:43:41 eden ftpd[8724]: connection from schboy.kuban.ru at Wed Aug 19 09:43:41 1998

I've checked the logs, and this appears to have been
going on for a while. Yesterday I realised that this guy had
about 30 FTP processes running (all doing nothing) but I killed
them all and wrote a little PERL program to kill his processes
every minute.

It seems that these processes start up about 7AM GMT every
morning, and fire off about every 6 minutes, stopping about
2:30PM GMT. This matches with, roughly, office hours around
the longitude of Moscow.

Now, I know that I could stop all this if I installed TCP
wrappers, but my question is this - What is this guy doing???

The only options that I can think of are rather poor :-

1. Is it a denial of service thing? And the guy screwed up
   the interval of FTP messages sent? (Hasn't he realised yet?)

2. It's something automatic on the guy's machine that he's
   set up and forgotten about? (Like what?)

3. It's an attempt at being malicious to get control of the box
   through some sort of FTPD hole? (But why retry? For *days!*)

I've emailed the address the guy uses as the anonymous FTP password,
but understandably got nothing back.

Can anyone shed any light on this at all? This is driving
me crazy!!!

I'm stumped. Any help appreciated,

M.

Mark S. Burrell ADAM and VADS Technical Officer
-------------------------------------------------------------
Historical and Critical Studies Dept. Tel:+44(0)191 2273704
University of Northumbria mailto:mark_at_adam.ac.uk
Newcastle upon Tyne, NE1 8ST, UK http://adam.ac.uk/~mark
-------------------------------------------------------------
Received on Wed Aug 19 1998 - 09:21:24 NZST
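As an added example (not part of the original post or of the author's Perl script), a small Python check that parses ftpd syslog records in the format quoted above, groups anonymous logins by client host and flags hosts whose logins recur at a near-constant interval, which is the signature of a scheduled job rather than a person. The sample log lines are constructed, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines in the ftpd syslog format quoted in the post (not real log data).
SAMPLE_LOG = """\
Aug 19 09:30:38 eden ftpd[5826]: ANONYMOUS FTP LOGIN FROM schboy.kuban.ru, id=yankovsk_at_chat.ru
Aug 19 09:36:40 eden ftpd[5901]: ANONYMOUS FTP LOGIN FROM schboy.kuban.ru, id=yankovsk_at_chat.ru
Aug 19 09:42:37 eden ftpd[6012]: ANONYMOUS FTP LOGIN FROM schboy.kuban.ru, id=yankovsk_at_chat.ru
Aug 19 09:43:41 eden ftpd[8724]: connection from schboy.kuban.ru at Wed Aug 19 09:43:41 1998
Aug 19 09:48:39 eden ftpd[6120]: ANONYMOUS FTP LOGIN FROM schboy.kuban.ru, id=yankovsk_at_chat.ru
Aug 19 10:05:12 eden ftpd[6233]: ANONYMOUS FTP LOGIN FROM mirror.example.org, id=guest_at_example.org
"""

# Matches only the "ANONYMOUS FTP LOGIN FROM <host>, id=<password>" records;
# the bare "connection from" lines carry no password and are ignored here.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ ftpd\[\d+\]: "
    r"ANONYMOUS FTP LOGIN FROM (?P<host>[^,\s]+), id=(?P<ident>\S+)$"
)


def parse_logins(text, year=1998):
    """Group anonymous logins by client host: {host: [(datetime, ident), ...]}."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies it (assumed 1998 here).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        by_host[m["host"]].append((ts, m["ident"]))
    return by_host


def periodic_hosts(by_host, min_logins=3, max_jitter_s=90):
    """Return {host: (login_count, median_gap_s)} for hosts with at least
    min_logins logins whose gaps all lie within max_jitter_s of the median gap."""
    flagged = {}
    for host, events in by_host.items():
        if len(events) < min_logins:
            continue
        times = sorted(ts for ts, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        if all(abs(g - mid) <= max_jitter_s for g in gaps):
            flagged[host] = (len(events), mid)
    return flagged


if __name__ == "__main__":
    for host, (n, gap) in periodic_hosts(parse_logins(SAMPLE_LOG)).items():
        print(f"{host}: {n} anonymous logins, one every ~{gap / 60:.1f} min")
```

Run against the real /var/adm/syslog.dated file, a host flagged with a steady six-minute gap confirms the scheduled-job pattern described above, and the id= field gives the contact address the poster already tried.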