Anonymous FTP Problems

nekonoko (Site Admin) | Posts: 8145 | Joined: Thu Jan 23, 2003 1:31 am | Location: Pleasanton, California

Anonymous FTP Problems

Post by nekonoko » Tue Sep 22, 2015 5:05 am

I'm having a strange issue that's getting worse as time goes on - automated, randomly generated files are being dumped in my /incoming directory.

Basically the issue started a while back with a file named "sjutd.txt" showing up every couple days or so. It was pretty easy to ignore - once a bot uploaded it, the presence of the file blocked further uploads. Every once in a while I would delete it anyway.

Now I'm just being slammed with random text files of similar length:

Code:

root@sachiko /var/ftp/incoming
 # ls -la
total 204
drwx-wx-wx  2 root  ftp     2560 Sep 21 14:16 .
drwxr-xr-x  4 root  daemon   512 Apr 22  2010 ..
-rw-r--r--  1 root  ftp        9 Aug 29 22:57 afjneqzi.txt
-rw-r--r--  1 root  ftp        9 Aug  7 14:05 apvpwfhf.txt
-rw-r--r--  1 root  ftp        9 Aug 17 22:15 avjjqvio.txt
-rw-r--r--  1 root  ftp        9 Aug 28 18:19 bnnjzngq.txt
-rw-r--r--  1 root  ftp        9 Aug 31 22:51 bqonqmbm.txt
-rw-r--r--  1 root  ftp        9 Aug 10 19:02 bxlhhgsa.txt
-rw-r--r--  1 root  ftp        9 Sep 21 14:16 cvtzexcz.txt
-rw-r--r--  1 root  ftp        9 Aug  9 11:58 cxbczpzd.txt
-rw-r--r--  1 root  ftp        9 Aug 17 13:19 dcpcnnmf.txt
-rw-r--r--  1 root  ftp        9 Aug  7 14:35 dehvobvr.txt
-rw-r--r--  1 ftp   ftp        0 Aug 18 06:41 dnqgjtku.txt
-rw-r--r--  1 root  ftp        9 Jul 29 19:10 dpkuxjra.txt
-rw-r--r--  1 root  ftp        9 Aug 18 11:18 eazxpfqi.txt
-rw-r--r--  1 root  ftp        9 Aug 17 10:45 edoxvqzb.txt
-rw-r--r--  1 root  ftp        9 Aug 28 01:54 eiyuaqgw.txt
-rw-r--r--  1 root  ftp        9 Sep 16 13:32 eusqmurr.txt
-rw-r--r--  1 root  ftp        9 Aug 27 06:14 ezbuqxuh.txt
-rw-r--r--  1 root  ftp        9 Sep 21 09:21 fbahmxoz.txt
-rw-r--r--  1 root  ftp        9 Aug 19 19:48 fdifnlkd.txt
-rw-r--r--  1 root  ftp        9 Aug  3 00:06 fkdngizv.txt
-rw-r--r--  1 root  ftp        9 Aug 17 15:19 fkdpuqpj.txt
-rw-r--r--  1 root  ftp        9 Aug 21 01:53 fqepvgdq.txt
-rw-r--r--  1 root  ftp        9 Aug 29 09:52 gcjmnaaq.txt
-rw-r--r--  1 root  ftp        9 Aug 28 11:08 gdlhesnq.txt
-rw-r--r--  1 root  ftp        9 Aug  6 11:11 ghdlsbrf.txt
-rw-r--r--  1 root  ftp        9 Jul 27 13:05 gnqvahtw.txt
-rw-r--r--  1 root  ftp        9 Aug 18 21:14 gvrvtsse.txt
-rw-r--r--  1 root  ftp        9 Aug 19 02:29 hkzaycxb.txt
-rw-r--r--  1 root  ftp        9 Sep 21 02:47 hrkdubcq.txt
-rw-r--r--  1 root  ftp        9 Aug 17 18:22 hxsduwll.txt
-rw-r--r--  1 root  ftp        9 Aug 13 11:03 iqwvijot.txt
-rw-r--r--  1 root  ftp        9 Aug 14 12:03 jhoepzwt.txt
-rw-r--r--  1 root  ftp        9 Sep 15 11:54 jiqwfvyu.txt
-rw-r--r--  1 root  ftp        9 Aug 29 22:54 jppucnsm.txt
-rw-r--r--  1 root  ftp        9 Aug 19 16:50 kcsnrbvj.txt
-rw-r--r--  1 root  ftp        9 Aug 17 23:16 klqarlvy.txt
-rw-r--r--  1 root  ftp        9 Aug 17 02:21 kmbluyll.txt
-rw-r--r--  1 root  ftp        9 Sep  1 11:37 kxlueilw.txt
-rw-r--r--  1 root  ftp        9 Aug 18 21:12 kyccihwv.txt
-rw-r--r--  1 root  ftp        9 Aug 26 12:30 llxfpjuj.txt
-rw-r--r--  1 root  ftp        9 Aug 27 21:58 lsuusbvl.txt
-rw-r--r--  1 ftp   ftp        0 Aug 10 11:35 mpptszqk.txt
-rw-r--r--  1 root  ftp        9 Aug 15 16:21 mqdldprr.txt
-rw-r--r--  1 root  ftp        9 Sep 20 09:52 mqlfpblz.txt
-rw-r--r--  1 root  ftp        9 Sep 21 10:22 ndzvyvtg.txt
-rw-r--r--  1 ftp   ftp        0 Aug  5 23:39 netqyclf.txt
-rw-r--r--  1 root  ftp        9 Sep 21 03:20 nezxrkcf.txt
-rw-r--r--  1 root  ftp        9 Sep  1 05:43 njjolhic.txt
-rw-r--r--  1 root  ftp        9 Sep 21 07:31 nnvrvefk.txt
-rw-r--r--  1 root  ftp        9 Aug  6 13:06 nqyhxcrp.txt
-rw-r--r--  1 root  ftp        9 Aug 28 01:24 nrmjgcbc.txt
-rw-r--r--  1 root  ftp        9 Aug 17 00:08 orwxkpng.txt
-rw-r--r--  1 root  ftp        9 Aug 19 02:29 oymlxpxj.txt
-rw-r--r--  1 root  ftp        9 Aug 17 01:55 pffpfalf.txt
-rw-r--r--  1 root  ftp        9 Aug 10 03:14 pmjrkksu.txt
-rw-r--r--  1 root  ftp        9 Aug 16 20:27 pnmcmidz.txt
-rw-r--r--  1 root  ftp        9 Aug 19 01:08 qcnywgtc.txt
-rw-r--r--  1 root  ftp        9 Aug 18 21:59 qdokkssq.txt
-rw-r--r--  1 root  ftp        9 Aug 19 02:07 qneeypem.txt
-rw-r--r--  1 root  ftp        9 Aug 29 05:16 qrftqoea.txt
-rw-r--r--  1 root  ftp        9 Aug 30 01:56 rczvmzzx.txt
-rw-r--r--  1 root  ftp        9 Aug 31 02:53 rjqvookl.txt
-rw-r--r--  1 ftp   ftp        0 Sep 21 03:51 rntvbyay.txt
-rw-r--r--  1 root  ftp        9 Jul 28 22:54 rqgqkvab.txt
-rw-r--r--  1 root  ftp        9 Aug 12 06:21 segsqehy.txt
-rw-r--r--  1 root  ftp        9 Jun 14 07:19 sjutd.txt
-rw-r--r--  1 root  ftp        9 Sep 21 08:57 skraweqe.txt
-rw-r--r--  1 root  ftp        9 Aug 25 05:55 suygqcsj.txt
-rw-r--r--  1 root  ftp        9 Aug 28 19:31 svbtuyeq.txt
-rw-r--r--  1 root  ftp        9 Aug 13 07:51 sydwdzor.txt
-rw-r--r--  1 root  ftp        9 Aug 18 09:25 tduzmuej.txt
-rw-r--r--  1 root  ftp        9 Aug  9 03:33 tlgvrizv.txt
-rw-r--r--  1 root  ftp        9 Sep 21 04:51 twhnagfn.txt
-rw-r--r--  1 root  ftp        9 Sep 21 11:33 txdujqnm.txt
-rw-r--r--  1 root  ftp        9 Aug 17 14:29 tzkrblhj.txt
-rw-r--r--  1 root  ftp        9 Jul 28 00:23 udrnisqk.txt
-rw-r--r--  1 root  ftp        9 Aug 28 13:42 uezgaqye.txt
-rw-r--r--  1 root  ftp        9 Aug 17 13:43 ufwcmyym.txt
-rw-r--r--  1 root  ftp        9 Sep  1 13:58 ufzayyec.txt
-rw-r--r--  1 root  ftp        9 Sep 16 04:26 ulognwor.txt
-rw-r--r--  1 root  ftp        9 Aug 17 19:12 vacdmffr.txt
-rw-r--r--  1 root  ftp        9 Aug 18 16:22 vjwpkcif.txt
-rw-r--r--  1 root  ftp        9 Aug 10 11:54 vnlibobq.txt
-rw-r--r--  1 root  ftp        9 Aug 16 20:32 vpumdash.txt
-rw-r--r--  1 root  ftp        9 Sep 21 06:18 wbwwtltf.txt
-rw-r--r--  1 root  ftp        9 Aug 17 00:25 wqwniuty.txt
-rw-r--r--  1 root  ftp        9 Aug 18 02:11 wwqmnpuf.txt
-rw-r--r--  1 root  ftp        9 Aug 13 18:25 wxfmlmki.txt
-rw-r--r--  1 root  ftp        9 Sep 21 08:26 wyxoyspg.txt
-rw-r--r--  1 root  ftp        9 Sep 21 13:16 wzbsyhxx.txt
-rw-r--r--  1 root  ftp        9 Sep  1 22:31 xaeyblck.txt
-rw-r--r--  1 root  ftp        9 Aug 29 21:22 yhtobgzo.txt
-rw-r--r--  1 root  ftp        9 Aug 11 01:13 yifdqcen.txt
-rw-r--r--  1 root  ftp        9 Aug 17 17:23 yngtxter.txt
-rw-r--r--  1 root  ftp        9 Sep 15 01:46 yqyvtzes.txt
-rw-r--r--  1 root  ftp        9 Aug 19 04:11 yxktnxyv.txt
-rw-r--r--  1 root  ftp        9 Aug 16 21:51 yzjkiybe.txt
-rw-r--r--  1 root  ftp        9 Aug 16 18:46 zfsnzxmc.txt
-rw-r--r--  1 root  ftp        9 Aug  1 22:14 zfvexhpt.txt
-rw-r--r--  1 root  ftp        9 Aug 16 22:03 zhnjstrp.txt
-rw-r--r--  1 root  ftp        9 Sep  3 03:15 zijefpgj.txt
-rw-r--r--  1 root  ftp        9 Jul 30 01:37 zuypdgjg.txt
-rw-r--r--  1 root  ftp        9 Sep  1 08:54 zzyvqjfl.txt
root@sachiko /var/ftp/incoming


I can't find anyone on Google actually discussing this problem. I deleted the files above yesterday, and today I already found five more. I suppose I could make a cron job to sweep *.txt from the directory every day. Has anyone else seen this?
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.

foetz (Moderator) | Posts: 6592 | Joined: Mon Apr 14, 2003 4:34 am

Re: Anonymous FTP Problems

Post by foetz » Tue Sep 22, 2015 10:11 am

what's in the files?

duck (Donor) | Posts: 746 | Joined: Mon Oct 27, 2003 5:22 pm | Location: Jakobstad, Finland

Re: Anonymous FTP Problems

Post by duck » Tue Sep 22, 2015 10:41 am

It makes me wonder if this is some sort of pirate data scheme, upload blocks of your files to random anonymous ftp sites, voila, secure, distributed storage :-)
:Octane: halo, octane Image knightrider, d i g i t a l AlphaPC164, pond, soekris net6501, misc cool stuff in a rack
N.B.: I tend to talk out of my ass. Do not take it too seriously.

miod | Posts: 522 | Joined: Fri Oct 09, 2009 2:44 am | Location: Clermont-Ferrand (France)

Re: Anonymous FTP Problems

Post by miod » Tue Sep 22, 2015 10:53 pm

duck wrote: It makes me wonder if this is some sort of pirate data scheme, upload blocks of your files to random anonymous ftp sites, voila, secure, distributed storage :-)

Since the files seem to be only 9 bytes long, I'm not sure this would be worth doing for the uploader.
:Indigo:R3000 (alas, dead) :Indigo:R4000 x4 :Indigo2:R4400 :Indigo2IMP:R4400 x2 :Indigo2:R8000 :Indigo2IMP:R10000 :Indy:R4000PC :Indy:R4000SC :Indy:R4400SC :Indy:R4600 :Indy:R5000SC :O2:R5000 x3 :O2:RM7000 :Octane:2xR10000 :Octane:R12000 :O200:2xR12000 :O200: - :O200:2x2xR10000 :Fuel:R16000 :O3x0:4xR16000 :A350:
among more than 150 machines : Apollo, Data General, Digital, HP, IBM, MIPS before SGI, Motorola, NeXT, SGI, Solbourne, Sun...

robespierre | Posts: 1578 | Joined: Mon Sep 12, 2011 2:28 pm | Location: Boston

Re: Anonymous FTP Problems

Post by robespierre » Tue Sep 22, 2015 10:55 pm

appears to be a probe step for some ftp exploit
:PI: :O2: :Indigo2IMP: :Indigo2IMP:

nekonoko (Site Admin) | Posts: 8145 | Joined: Thu Jan 23, 2003 1:31 am | Location: Pleasanton, California

Re: Anonymous FTP Problems

Post by nekonoko » Wed Sep 23, 2015 11:31 pm

Had to wait until a couple more showed up today since I'd already deleted the rest.

Code:

 # cat ezgqnhxt.txt
BokDBvhF

 # cat mowwslle.txt
hwKLlRCC

hamei | Posts: 10435 | Joined: Tue Feb 24, 2004 4:10 pm | Location: over the rainbow

Re: Anonymous FTP Problems

Post by hamei » Thu Sep 24, 2015 5:25 am

nekonoko wrote: Had to wait until a couple more showed up today ...

Block anonymous incoming access ? You could even set a trap : post the username for uploading here and see if the deviated prevert what's abusing nekochan reads the place, or is just a random driveby shooter ...

Can you check for the source IPs easily? If your router has any kind of tracing, you could compare the file time stamps with IP accesses .... pain in the ass but sort of an interesting puzzle.
I spent a fortune on booze, birds, and fast cars ... the rest I just squandered

smj (Donor) | Posts: 1666 | Joined: Mon Nov 12, 2007 7:54 pm | Location: Berkeley, CA, USA, NA, Earth, Sol

Re: Anonymous FTP Problems

Post by smj » Fri Sep 25, 2015 10:37 pm

You can usually set up an FTP server such that anonymous users can neither get a directory listing from /incoming, nor retrieve any files from it. If that isn't already the case, configuring it that way might make the service useless for whatever they're doing - perhaps passing bits of command and control info for botnets, spread across a rotating collection of similar FTP servers... Tedious, but the more obscure it is, perhaps the more survivable.
Then? :IRIS3130: ... Now? :O3x02L: :A3504L:- :A3502L: :1600SW:+MLA :Fuel: :Octane2: :Octane: :Indigo2IMP: :Indy: ... Other: DEC :BA213: :BA123: Sun, DG AViiON, NeXT :Cube:

nekonoko (Site Admin) | Posts: 8145 | Joined: Thu Jan 23, 2003 1:31 am | Location: Pleasanton, California

Re: Anonymous FTP Problems

Post by nekonoko » Fri Sep 25, 2015 11:07 pm

That's already the case - you can upload but not download or retrieve a directory listing (basically a drop box). The issue I have is that it obviously puts a lot of crap in that folder so it's harder (at a glance) to tell if someone has uploaded something important, like a Nekoware package.

Trippynet (Donor) | Posts: 812 | Joined: Thu Aug 15, 2013 6:22 am | Location: Aberdeen, Scotland, UK

Re: Anonymous FTP Problems

Post by Trippynet » Sat Sep 26, 2015 8:06 am

Following on from what hamei said, you could try turning off anonymous access and post the username/pw here. It'd stop any general automated attack attempts, but would still keep it easily open for people to drop incoming Nekoware packages.
Systems in use:
:Indigo2IMP: - Nitrogen: R10000 195MHz CPU, 384MB RAM, SolidIMPACT Graphics, 36GB 15k HDD & 300GB 10k HDD, 100Mb/s NIC, New/quiet fans, IRIX 6.5.22
:Fuel: - Lithium: R14000 600MHz CPU, 4GB RAM, V10 Graphics, 72GB 15k HDD & 300GB 10k HDD, 1Gb/s NIC, New/quiet fans, IRIX 6.5.30
Other system in storage: :O2: R5000 200MHz, 224MB RAM, 72GB 15k HDD, PSU fan mod, IRIX 6.5.30

Black Cardinal | Posts: 182 | Joined: Fri Sep 25, 2009 10:40 am | Location: Albany, OR USA

Re: Anonymous FTP Problems

Post by Black Cardinal » Sat Sep 26, 2015 12:01 pm

Do your logs show what IP(s) these are coming from? It's probably not just one, but if it were you could block it at your firewall.

Another kludgy way to keep the directory clean would be to delete any files below a few bytes in size once a day from a cron job. I'm not sure this is any better than your idea to delete *.txt files, though.

Is there a way to configure something like fail2ban to detect these small file uploads and temporarily block the guilty IPs?
:Onyx2: 4x400MHz R12K Onyx2 IR3, 8GB RAM
:1600SW: :Indigo2IMP: R10K Indigo2 MaxIMPACT, 4 TRAMS, 768MB RAM, 2x9GB HD, CD-ROM, Phobos G160
Black Cardinal
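A detection pass along the lines Black Cardinal suggests for fail2ban, written as an added example (not code from this thread or from any FTP server): it parses xferlog-style transfer records and reports hosts that repeatedly upload tiny files as anonymous, so the result can feed a firewall block or a targeted cleanup instead of a blanket sweep of *.txt. The log lines are constructed here (file names borrowed from the listing above, addresses from the TEST-NET documentation ranges), and the 16-byte size and 3-upload thresholds are assumptions.

```python
"""Flag source hosts that repeatedly upload tiny files to an anonymous FTP drop box.

Parses wu-ftpd/vsftpd-style xferlog lines. The log below is constructed for this
example; the addresses are from the TEST-NET documentation ranges, not real uploaders.
"""
import re
from collections import defaultdict

# xferlog field layout (wu-ftpd/vsftpd): ctime date, transfer seconds, remote host,
# byte count, path, type (a/b), special-action flag, direction (i=upload, o=download,
# d=delete), access mode (a=anonymous, g=guest, r=real), user, service, auth method,
# authenticated id, completion status (c=complete, i=incomplete)
XFERLOG = re.compile(
    r"^(?P<date>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<secs>\d+) (?P<host>\S+) "
    r"(?P<size>\d+) (?P<path>\S+) (?P<type>[ab]) (?P<special>\S+) (?P<direction>[ido]) "
    r"(?P<mode>[agr]) (?P<user>\S+) (?P<service>\S+) (?P<auth>\d) (?P<authid>\S+) (?P<status>[ci])$"
)

SAMPLE_LOG = """\
Mon Sep 21 14:16:02 2015 1 192.0.2.10 9 /incoming/cvtzexcz.txt a _ i a anonymous ftp 0 * c
Mon Sep 21 14:20:11 2015 1 192.0.2.10 9 /incoming/hrkdubcq.txt a _ i a anonymous ftp 0 * c
Mon Sep 21 14:31:45 2015 1 192.0.2.10 9 /incoming/wbwwtltf.txt a _ i a anonymous ftp 0 * c
Mon Sep 21 15:02:00 2015 1 198.51.100.7 0 /incoming/rntvbyay.txt a _ i a anonymous ftp 0 * i
Mon Sep 21 15:09:30 2015 1 198.51.100.7 9 /incoming/wyxoyspg.txt a _ i a anonymous ftp 0 * c
Mon Sep 21 16:40:12 2015 38 203.0.113.42 4194304 /incoming/neko_foo-1.0.tardist b _ i a anonymous ftp 0 * c
"""

def parse_xferlog(text):
    """Yield one dict per well-formed xferlog line; malformed lines are skipped."""
    for line in text.splitlines():
        m = XFERLOG.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            yield rec

def tiny_uploaders(text, max_size=16, min_count=3):
    """Return {host: count} for hosts with >= min_count anonymous uploads of <= max_size bytes.
    Incomplete (status 'i', 0-byte) uploads count too: the listing shows those as well."""
    counts = defaultdict(int)
    for rec in parse_xferlog(text):
        if rec["direction"] == "i" and rec["mode"] == "a" and rec["size"] <= max_size:
            counts[rec["host"]] += 1
    return {host: n for host, n in counts.items() if n >= min_count}

if __name__ == "__main__":
    for host, n in tiny_uploaders(SAMPLE_LOG).items():
        print(f"{host}: {n} tiny anonymous uploads")  # prints 192.0.2.10: 3 tiny anonymous uploads
```

The large .tardist upload is left alone because the filter keys on size and anonymous mode, not on the .txt extension, which is the distinction the cron-sweep idea cannot make.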

nekonoko (Site Admin) | Posts: 8145 | Joined: Thu Jan 23, 2003 1:31 am | Location: Pleasanton, California

Re: Anonymous FTP Problems

Post by nekonoko » Thu Dec 03, 2015 12:09 pm

Black Cardinal wrote: Do your logs show what IP(s) these are coming from? It's probably not just one, but if it were you could block it at your firewall.

That's what I wound up doing. Every single one of these is coming from IPs in China, so I blocked port 21 for those netblocks. I can open up ranges if needed on a case-by-case basis.

dexter1 (Moderator) | Posts: 2743 | Joined: Thu Feb 20, 2003 6:57 am | Location: Zoetermeer, The Netherlands

Re: Anonymous FTP Problems

Post by dexter1 » Thu Dec 03, 2015 12:28 pm

Any chance of reporting this to an ISP? Technically it's not abuse per se, but you can argue that it is suspect to say the least.
:Crimson: :PI: :Indigo: :O2: :Indy: :Indigo2: :Indigo2IMP:

nekonoko (Site Admin) | Posts: 8145 | Joined: Thu Jan 23, 2003 1:31 am | Location: Pleasanton, California

Re: Anonymous FTP Problems

Post by nekonoko » Thu Dec 03, 2015 12:41 pm

It appears like they're not isolated to a single ISP. They all originate from China which seems to indicate it isn't a standard compromised server/worm style attack or we'd see some attempts originating from compromised systems elsewhere. Before the block I was getting around 40-50 of these files uploaded a day.

Here are a few from 30 November:


Google still doesn't find anyone else talking about it, but I see other FTP sites with these files, e.g. ftp://www.marine.usf.edu/incoming/

duck (Donor) | Posts: 746 | Joined: Mon Oct 27, 2003 5:22 pm | Location: Jakobstad, Finland

Re: Anonymous FTP Problems

Post by duck » Sat Dec 05, 2015 6:40 am

Perhaps you could set up port knocking until this blows over?