Tuesday, October 28, 2003

Hackers Part 2


Well apparently they think they can still get in. hahahaha!

Here is one attempt:

21:25:55 217.82.245.135 [20]USER anonymous 331

21:25:55 217.82.245.135 [20]PASS Ugpuser@home.com 230

21:25:55 217.82.245.135 [20]MKD 031025232433p 550

21:26:00 217.82.245.135 [20]MKD 031025232438p 550

21:26:00 217.82.245.135 [20]MKD 031025232439p 550

And another, this one is a bit more specific. I wonder who 'AK' is?:

17:36:57 81.60.105.239 [25]USER anonymous 331

17:36:57 81.60.105.239 [25]PASS ANONYMOUS@ON.THE.NET 230

17:37:13 81.60.105.239 [25]MKD /com1.aux.lptr.lock++#####++tag+++++for++++++++ak+++++/+ 550

17:37:38 81.60.105.239 [25]QUIT - 226

I don't get it...:

23:56:09 212.194.141.155 [39]USER anonymous 331

23:56:09 212.194.141.155 [39]PASS Pgpuser@home.com 230

23:56:11 212.194.141.155 [39]MKD 031028005455p 550

Only four attempts since I locked things down. Not too bad.

06:43:25 67.68.198.22 [40]USER anonymous 331

06:43:25 67.68.198.22 [40]PASS Xgpuser@home.com 230

06:43:27 67.68.198.22 [40]MKD 031028014211p 550

OK, after a little research I've discovered the "_gpuser@home.com" user password is generated by the application called Grim's Ping. It's basically an application that port scans for FTP servers with anonymous upload enabled. Technically it's not a hacker tool because there could be legitimate free public FTP servers, but really I can't see that being a reality. The reality is that it searches for misconfigured FTP servers. Once a user finds an open FTP server, you can bet it'll be used for warez, as mine was.

So that means really only the user at IP 81.60.105.239 really made a personal effort to connect to my FTP server. The others just used a free app. I suspect Mr./Ms. 81 actually used a similar application previously and simply had not realized I locked the FTP server down yet.
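The distinction drawn above, between sessions carrying the "_gpuser@home.com" password and the one manual attempt, can be checked automatically. The following is an added example, not part of the original post: it parses log lines in the format shown here, groups them by session, and flags whether any MKD was actually accepted. The label names and the single-character wildcard before "gpuser" are assumptions based only on the entries above.

```python
import re
from collections import defaultdict

# Log lines taken from the post above: time, client IP, [session]VERB argument, reply code.
SAMPLE_LOG = """\
21:25:55 217.82.245.135 [20]USER anonymous 331
21:25:55 217.82.245.135 [20]PASS Ugpuser@home.com 230
21:25:55 217.82.245.135 [20]MKD 031025232433p 550
21:26:00 217.82.245.135 [20]MKD 031025232438p 550
17:36:57 81.60.105.239 [25]USER anonymous 331
17:36:57 81.60.105.239 [25]PASS ANONYMOUS@ON.THE.NET 230
17:37:13 81.60.105.239 [25]MKD /com1.aux.lptr.lock++#####++tag+++++for++++++++ak+++++/+ 550
17:37:38 81.60.105.239 [25]QUIT - 226
06:43:25 67.68.198.22 [40]USER anonymous 331
06:43:25 67.68.198.22 [40]PASS Xgpuser@home.com 230
06:43:27 67.68.198.22 [40]MKD 031028014211p 550
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) \[(\d+)\](\w+) (.*) (\d{3})$")
# Assumption: any single character may precede "gpuser@home.com" (the post shows U, P and X).
SCAN_PASS = re.compile(r"^.gpuser@home\.com$", re.IGNORECASE)

def parse_sessions(log):
    """Group commands by (client IP, session id); malformed lines are skipped."""
    sessions = defaultdict(list)
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            _time, ip, sid, verb, arg, code = m.groups()
            sessions[(ip, sid)].append((verb.upper(), arg, int(code)))
    return sessions

def classify(cmds):
    """Label one session and report whether any MKD was accepted (reply 257)."""
    anon = any(v == "USER" and a.lower() == "anonymous" for v, a, _ in cmds)
    tool = any(v == "PASS" and SCAN_PASS.match(a) for v, a, _ in cmds)
    mkd_codes = [c for v, _, c in cmds if v == "MKD"]
    if anon and tool:
        label = "scanner-password"
    elif anon and mkd_codes:
        label = "anonymous-write-attempt"
    else:
        label = "other"
    return {"label": label, "mkd_attempts": len(mkd_codes),
            "write_succeeded": any(c == 257 for c in mkd_codes)}

def analyze(log):
    return {key: classify(cmds) for key, cmds in parse_sessions(log).items()}

if __name__ == "__main__":
    for (ip, sid), result in analyze(SAMPLE_LOG).items():
        print(ip, sid, result)
```

A session where `write_succeeded` is true is the one to alert on, since it means anonymous upload is open again.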

For the fun of it, here is where these lUsers came from:

IP: 217.82.245.135, ISP: Deutsche Telekom AG, Country: Germany, City: Unknown. The user is on dial-up

IP: 81.60.105.239, ISP: Retevision SA, Country: Spain, City: Madrid. Not 100% certain about city.

IP: 212.194.141.155, ISP: T-Online France - Club Internet, Country: France, City: Lost after Paris Sprint ISP

IP: 67.68.198.22, ISP: Bell Canada, Country: Canada, City: Toronto

Well that was fun. Time for bed. Night night.
