General discussion

weird FTP question

By advancedgeek
Ok...I'm hosting an FTP server off of my home cable ISP. I'm running this on Windows 2000 AS on my own domain named home.local (yes I am that much of a geek). I found a weird photo on my FTP server and I decided to find out who put it there, so I checked my logs...here is the relevant info:

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-03-07 01:00:59
#Fields: time c-ip cs-method cs-uri-stem sc-status
01:00:59 217.255.174.61 [41]USER anonymous 331
01:00:59 217.255.174.61 [41]PASS Kgpuser@home.com 530


I left the rest out for obvious reasons...so who is this person? Definitely not one of MY user accounts. Turns out he didn't get access (hopefully)...a friend of mine put that photo there. This FTP is not set up to allow anonymous users.

So...I googled the Kgpuser@home.com and guess what I found...a bunch of users with the same problems...ranging from connecting to printers to connecting to FTP servers. I looked at the IP provided, and I found out that a lot of them are from the same netrange...217.X.X.X. So, does anyone think that this is some form of the homeland dept checking out FTP servers for "terrorist activity" or maybe is it a hacker group?

I checked to see who the IP addy was registered to, and it turns out that the RIPE Network Coordination Centre in Amsterdam owns the 217.0.0.0 - 217.255.255.255 netrange.

Any input as to who this kgpuser is...would be appreciated.

by advancedgeek In reply to weird FTP question

Upon further research...I found this:

inetnum: 217.246.0.0 - 217.255.255.255
netname: DTAG-DIAL17
descr: Deutsche Telekom AG
country: DE
admin-c: DTIP
tech-c: DTST
status: ASSIGNED PA
remarks: ******************************************************************
remarks: * Abuse Contact: http://www.t-com.de/ip-abuse in case of Spam, *
remarks: * Hack Attacks, Illegal Activity, Violation, Scans, Probes, etc. *
remarks: ******************************************************************
mnt-by: DTAG-NIC
changed: ripe.dtip@telekom.de 20020802
changed: ripe.dtip@telekom.de 20030211
changed: ripe.dtip@telekom.de 20040709
source: RIPE
route: 217.224.0.0/11
descr: Deutsche Telekom AG, Internet service provider
origin: AS3320
member-of: AS3320:RS-PA-TELEKOM
mnt-by: DTAG-RR
changed: bp@nic.dtag.de 20010405
source: RIPE
changed: rv@TE142.T-COM.XX 20040615
person: DTAG Global IP-Addressing
address: Deutsche Telekom AG
address: D-90492 Nuernberg
address: Germany
phone: +49 180 5334332
fax-no: +49 180 5334252
e-mail: ripe.dtip@telekom.de
nic-hdl: DTIP
mnt-by: DTAG-NIC
changed: ripe.dtip@telekom.de 20031013
source: RIPE
person: Security Team
address: Deutsche Telekom AG
address: Germany
phone: +49 180 5334332
fax-no: +49 180 5334252
e-mail: abuse@t-ipnet.de
nic-hdl: DTST
mnt-by: DTAG-NIC
changed: abuse@t-ipnet.de 20030210
source: RIPE


So it seems it was someone in Germany...
spoof?

Additional comments: I just put this ftp server up 4 days ago...THIS sure didn't take long.

by softcorp.us In reply to weird FTP question

Hello...

It appears your IIS server really does allow anonymous logins. Or, it was hacked. IIS servers are under assault 24x7 and can be hacked even if you think you have taken steps to secure it.

It is very unlikely that the U.S. Dept of Homeland Security is interested in your server -- Unless you know some reason yourself :-).

I suggest you do not put your IIS server directly on the Internet. Put it behind a firewall and use a VPN tunnel to connect through the firewall to it.

From archives.neohapsis.com:

"This is the signature of Grim's Ping, a scanning tool that looks for FTP servers with directories that anonymous users can write to (in other words, new warez sites). The tool logs in as anonymous and authenticates with Xgpuser@home.com (where X is any uppercase letter). It tries to find and write to commonly used FTP directories and reports successes to the attacker."

The tool can be downloaded from http://grimsping.cjb.net/.

-----Steve Jackson

CEO/CSA
Software Corporation (Softcorp)
http://www.softcorp.us/probono
Advanced pro bono tools and utilities free for personal use
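As an added, defender-side example (not code from this thread, from IIS, or from the tool described above), the following Python reads an IIS 5.0 FTP log in the #Fields layout shown in the first post and flags sessions that match the quoted signature: USER anonymous followed by a PASS of one uppercase letter plus gpuser@home.com. It reports whether the server accepted the login (FTP reply 230 versus the 530 refusal in the original log) and lists any write commands the same session attempted afterwards. The log lines are constructed for the example; only the two 217.255.174.61 lines copy the original post.

```python
import re

# Constructed sample in the IIS 5.0 FTP log layout from the thread; the two
# 217.255.174.61 lines mirror the post, the rest are made up for the test.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
01:00:59 217.255.174.61 [41]USER anonymous 331
01:00:59 217.255.174.61 [41]PASS Kgpuser@home.com 530
01:03:12 203.0.113.7 [42]USER anonymous 331
01:03:12 203.0.113.7 [42]PASS Bgpuser@home.com 230
01:03:13 203.0.113.7 [42]MKD /incoming/test 550
01:10:00 192.168.1.20 [43]USER alice 331
01:10:00 192.168.1.20 [43]PASS - 230
"""

# Signature quoted in the thread: anonymous login, password <UPPERCASE>gpuser@home.com
GRIMS_PING_PASS = re.compile(r"^[A-Z]gpuser@home\.com$")
SESSION_METHOD = re.compile(r"^\[(\d+)\](\w+)$")  # IIS writes [session-id]VERB
WRITE_VERBS = ("STOR", "STOU", "APPE", "MKD")    # commands that alter the share

def parse_iis_ftp_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def find_grims_ping_sessions(text):
    """Map (client_ip, session_id) -> details for sessions showing the signature.
    login_ok is True only when the PASS got reply 230 (530 = refused);
    writes lists any later write commands with their reply codes."""
    sessions = {}
    for rec in parse_iis_ftp_log(text):
        m = SESSION_METHOD.match(rec["cs-method"])
        if not m:
            continue
        key = (rec["c-ip"], m.group(1))
        verb, arg, status = m.group(2).upper(), rec["cs-uri-stem"], rec["sc-status"]
        s = sessions.setdefault(key, {"anonymous": False, "password": None,
                                      "login_ok": False, "writes": []})
        if verb == "USER" and arg.lower() == "anonymous":
            s["anonymous"] = True
        elif verb == "PASS" and s["anonymous"] and GRIMS_PING_PASS.match(arg):
            s["password"], s["login_ok"] = arg, status == "230"
        elif verb in WRITE_VERBS and s["password"]:
            s["writes"].append((verb, arg, status))
    return {k: v for k, v in sessions.items() if v["password"]}
```

A session with login_ok True and a write that returned 2xx is the case worth investigating: the scanner found a writable anonymous directory, which is exactly what the thread's poster feared.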

by 5jgibbs In reply to weird FTP question

It's called anonymous login... a user can log in with a username of anonymous and a password of their email address...

You need to set the login to use your Active Directory Users and Computers database, and click the box that says disable anonymous login.

by advancedgeek In reply to weird FTP question

Thanks guys...but I am using just my AD accounts. It doesn't look like this guy got access because he never did anything, or tried anything. I do have anonymous turned off.
