Hello,
I've had a number of interesting replies from some of you regarding
the strange FTP usage on my site from someone within a Russian
domain. (My original posting is included below). I'll go through
the replies in the order that I received them.
Martin Mokrejs <mmokrejs_at_natur.cuni.cz> recommended that I
install tcpwrappers. I will do this after I've upgraded the system;
at the moment I'm just more interested in what this Russian chap
is actually doing!
Stan Horwitz <stan_at_thunder.ocis.temple.edu> recommended that I
email the system admin for the suspicious system. I tried that,
but have heard nothing.
Martin Moore <jmm_at_am.appstate.edu> suggested that I use tcpdump
to have a look at the actual packets to identify what is actually
being done. I thought this a great idea, but it requires me to
rebuild the kernel and I can't afford the time just yet.
Nathan Grass <NathanG_at_UTS.Itron.com> wondered if it could be
some sort of 'polling' program, or a way of keeping an internet
connection alive. He also suggested that I contact the sys admin
of the site.
Ann Cantelow <cantelow_at_athena.csdco.com> suggested that I use the '-d'
switch (I already used the '-l' switch) to better debug the FTP
connection.
This certainly was interesting, as I could better see what the
FTP process was up to (BTW, anybody know what a 215 reply means? - I
couldn't find it mentioned in any of the FTP RFCs). Also, Ann
wondered if it could possibly be exploiting a PORT vulnerability.
Finally, Sheryl A. Lemma <lemma_at_lvc.edu> suggested the use of wu-ftp
to replace the standard DU ftpd. As I've spent enough time trying to
figure what this Russian chap was doing I installed wu-ftp this
morning to keep him out for good.
Many thanks to all who took the time to reply, it's certainly been
fun to try to figure out my Russian friend - I just wish that
I had the definitive answer of what he was up to!
Back to some real work now,
Kind Regards,
Mark Burrell
==============================================
My Original Posting :-
Hello all,
I have a strange problem and I want to see if any of you
have encountered anything similar.
I run a DU box (AlphaServer 1000) running 3.2c. I have an
FTP site on this box, with logs sent to /var/adm/syslog.dated.
Recently I've noticed that I've been having multiple FTP
connections from a particular site in Russia - it's obviously
some sort of automated process - a connection is made, then
shortly afterwards it is disconnected. Nothing is ever downloaded,
not even the FTP directory listings. An example of the log
is as follows :-
Aug 19 09:30:38 localhost ftpd[5826]: ANONYMOUS FTP LOGIN FROM schboy.kuban.ru, id=yankovsk_at_chat.ru
Aug 19 09:43:41 eden ftpd[8724]: connection from schboy.kuban.ru at Wed Aug 19 09:43:41 1998
I've checked the logs, and this appears to have been
going on for a while. Yesterday I realised that this guy had
about 30 FTP processes running (all doing nothing) but I killed
them all and wrote a little PERL program to kill his processes
every minute.
It seems that these processes start up about 7AM GMT every
morning, and fire off about every 6 minutes, stopping about
2:30PM GMT. This matches with, roughly, office hours around
the longitude of Moscow.
Now, I know that I could stop all this if I installed TCP
wrappers, but my question is this - What is this guy doing???
The only options that I can think of are rather poor :-
1. Is it a denial of service thing? And the guy screwed up
the interval of FTP messages sent? (Hasn't he realised yet?)
2. It's something automatic on the guy's machine that he's
set up and forgotten about? (Like what?)
3. It's an attempt at being malicious to get control of the box
through some sort of FTPD hole? (But why retry? For *days!*)
I've emailed the address the guy uses as the anonymous FTP password,
but understandably got nothing back.
Can anyone shed any light on this at all? This is driving
me crazy!!!
I'm stumped. Any help appreciated,
M.
--
M.
Mark S. Burrell ADAM and VADS Technical Officer
-------------------------------------------------------------
Historical and Critical Studies Dept. Tel:+44(0)191 2273704
University of Northumbria mailto:mark_at_adam.ac.uk
Newcastle upon Tyne, NE1 8ST, UK http://adam.ac.uk/~mark
-------------------------------------------------------------
Received on Thu Aug 20 1998 - 11:10:33 NZST
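One way to turn ftpd syslog lines like the two quoted in the original posting into the per-host summary the thread reasons about (anonymous login count, cadence between logins, hours seen), as an added Python example that is not from the post or any of the replies. It assumes each syslog entry is one line in the real log, a year of 1998 for the year-less timestamps, and constructed sample lines in place of the real log.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Both ftpd syslog shapes quoted in the post, assumed to be one line each in the real log.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ftpd\[\d+\]: "
    r"(?:ANONYMOUS FTP LOGIN FROM (?P<login_host>[\w.-]+), id=\S+"
    r"|connection from (?P<conn_host>[\w.-]+) at )")

def parse_ftpd_log(lines, year=1998):
    """Return (host, timestamp, kind) tuples; syslog carries no year, so one is assumed."""
    events = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            host, kind = (m["login_host"], "login") if m["login_host"] else (m["conn_host"], "connection")
            events.append((host, ts, kind))
    return events

def profile_sources(events, min_logins=5):
    """Per host: anonymous login count, median gap in minutes, first/last hour seen."""
    by_host = defaultdict(list)
    for host, ts, kind in events:
        if kind == "login":
            by_host[host].append(ts)
    report = {}
    for host, times in by_host.items():
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps) if gaps else None
        # Steady cadence (every gap within 50% of the median) plus volume marks an automated poller.
        steady = bool(gaps) and all(abs(g - median_gap) <= 0.5 * median_gap for g in gaps)
        report[host] = {"logins": len(times), "median_gap_min": median_gap,
                        "hours": (times[0].hour, times[-1].hour),
                        "suspect": len(times) >= min_logins and steady}
    return report

# Constructed sample lines in the post's log format (not the real log).
SAMPLE_LOG = """\
Aug 19 07:02:10 eden ftpd[5801]: connection from schboy.kuban.ru at Wed Aug 19 07:02:10 1998
Aug 19 07:02:11 eden ftpd[5801]: ANONYMOUS FTP LOGIN FROM schboy.kuban.ru, id=someone@example.ru
Aug 19 07:08:09 eden ftpd[5812]: ANONYMOUS FTP LOGIN FROM schboy.kuban.ru, id=someone@example.ru
Aug 19 07:14:12 eden ftpd[5820]: ANONYMOUS FTP LOGIN FROM schboy.kuban.ru, id=someone@example.ru
Aug 19 07:20:10 eden ftpd[5826]: ANONYMOUS FTP LOGIN FROM schboy.kuban.ru, id=someone@example.ru
Aug 19 07:26:13 eden ftpd[5833]: ANONYMOUS FTP LOGIN FROM schboy.kuban.ru, id=someone@example.ru
Aug 19 09:43:41 eden ftpd[8724]: ANONYMOUS FTP LOGIN FROM mirror.example.org, id=user@example.org
""".splitlines()
```

Running `profile_sources(parse_ftpd_log(SAMPLE_LOG))` flags schboy.kuban.ru (five logins about six minutes apart) and leaves the single-login host alone; on a real /var/adm/syslog.dated file the same summary shows the cadence and office-hours window the post worked out by hand.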