FTP hacker

Posted by Rick Merrill on September 18, 2006, 6:59 pm
Do you think this is the guy who tried to get into my
FTP server?



Jay Schuster
Address:PO Box 422, Richmond, VT 05446
Phone:(802) 434-6609


http://www.fundrace.org/neighbors.php?type=name&lname=SCHUSTER&fname=JAMES&search=Search+by+Name




09/17/06 19:00:48 whois 75.10.91.73@whois.arin.net

whois -h whois.arin.net 75.10.91.73 ...
SBC Internet Services SBCIS-SBIS-6BLK (NET-75-0-0-0-1)
75.0.0.0 - 75.63.255.255
JAMES SCHUSTER ATTORNEY-060408021914 SBC07501009107229060408021942
(NET-75-10-91-72-1)
75.10.91.72 - 75.10.91.79

# ARIN WHOIS database, last updated 2006-09-16 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.



Aug 31 14:01:00 ImageServer905 /USR/SBIN/CRON[17520]: (root) CMD (
/var/cron/scripts/rotate_logs)
Aug 31 14:05:16 ImageServer905 proftpd[17606]: Proxy Initialized.
Aug 31 14:05:16 ImageServer905 proftpd[17606]: (ProxyEnable) Directive
Assigned (off).
Aug 31 14:05:16 ImageServer905 proftpd[17606]: (ProxyEnable) Directive
Assigned (on).
Aug 31 14:05:16 ImageServer905 proftpd[17606]: (ProxyControlPort)
Directive Assigned (36000).
Aug 31 14:05:16 ImageServer905 proftpd[17606]: (ProxyDataPort)
Directive Assigned (36036).
Aug 31 14:05:16 ImageServer905 proftpd[17606]: (ProxyHost) Directive
Assigned (127.0.0.1).
Aug 31 14:05:16 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - Proxy Session Initialized.
Aug 31 14:05:16 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - FTP session opened.
Aug 31 14:05:16 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - SIMPLE COMMAND (USER:anonymous) seen by
procesor
Aug 31 14:05:16 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - SIMPLE COMMAND (PASS:Qgpuser@home.com)
seen by procesor
Aug 31 14:05:16 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - no such group 'ftp'
Aug 31 14:05:16 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - ANON anonymous: Login successful.
Aug 31 14:05:16 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - Preparing to chroot() the environment,
path = '/data'
Aug 31 14:05:16 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - Environment successfully chroot()ed.
Aug 31 14:05:16 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - SIMPLE COMMAND (CWD:/) seen by procesor
Aug 31 14:05:16 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - sendCmd: CWD /
Aug 31 14:05:16 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - openFifos
Aug 31 14:05:16 ImageServer905 transfer: new ftp session: pid=17606
Aug 31 14:05:17 ImageServer905 transfer: FTP Cmd: CWD /
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - Handshake response=502: Proxy Command
Declined
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - SIMPLE COMMAND (CWD:/) redirected by
procesor
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - SIMPLE COMMAND (MKD:060831140355p) seen
by procesor
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - sendCmd: MKD 060831140355p
Aug 31 14:05:17 ImageServer905 transfer: FTP Cmd: MKD 060831140355p
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - Handshake response=502: Proxy Command
Declined
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - SIMPLE COMMAND (MKD:060831140355p)
redirected by procesor
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - SIMPLE COMMAND (CWD:/pub/) seen by
procesor
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - sendCmd: CWD /pub/
Aug 31 14:05:17 ImageServer905 transfer: FTP Cmd: CWD /pub/
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - Handshake response=502: Proxy Command
Declined
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - SIMPLE COMMAND (CWD:/pub/) redirected by
procesor
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - SIMPLE COMMAND (CWD:/public/) seen by
procesor
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - sendCmd: CWD /public/
Aug 31 14:05:17 ImageServer905 transfer: FTP Cmd: CWD /public/
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - Handshake response=502: Proxy Command
Declined
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - SIMPLE COMMAND (CWD:/public/) redirected
by procesor
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - SIMPLE COMMAND (CWD:/_vti_pvt/) seen by
procesor
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - sendCmd: CWD /_vti_pvt/
Aug 31 14:05:17 ImageServer905 transfer: FTP Cmd: CWD /_vti_pvt/
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - Handshake response=502: Proxy Command
Declined
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - SIMPLE COMMAND (CWD:/_vti_pvt/)
redirected by procesor
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - SIMPLE COMMAND (CWD:/_vti_txt/) seen by
procesor
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - sendCmd: CWD /_vti_txt/
Aug 31 14:05:17 ImageServer905 transfer: FTP Cmd: CWD /_vti_txt/
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - Handshake response=502: Proxy Command
Declined
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - SIMPLE COMMAND (CWD:/_vti_txt/)
redirected by procesor
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - SIMPLE COMMAND (CWD:/_vti_cfg/) seen by
procesor
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - sendCmd: CWD /_vti_cfg/
Aug 31 14:05:17 ImageServer905 transfer: FTP Cmd: CWD /_vti_cfg/
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - Handshake response=502: Proxy Command
Declined
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - SIMPLE COMMAND (CWD:/_vti_cfg/)
redirected by procesor
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - SIMPLE COMMAND (CWD:/_vti_log/) seen by
procesor
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - sendCmd: CWD /_vti_log/
Aug 31 14:05:17 ImageServer905 transfer: FTP Cmd: CWD /_vti_log/
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - Handshake response=502: Proxy Command
Declined
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - SIMPLE COMMAND (CWD:/_vti_log/)
redirected by procesor
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - Proxy Terminated.
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905
(75.10.91.73[75.10.91.73]) - FTP session closed.
Aug 31 14:05:17 ImageServer905 transfer: socket closed; port=10014
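As an added example, not part of the post: a small Python scorer for proftpd session logs of the shape shown above. It is run over constructed lines (same format, source addresses replaced by RFC 5737 documentation addresses, each record on one line as syslog writes it) and flags a session that logs in as anonymous and then, within a few seconds, issues MKD or FrontPage _vti_* probes, which is what separates an automated scanner from a person browsing.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the proftpd/mod_proxy format of the posted log; source
# addresses replaced with RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Aug 31 14:05:16 ImageServer905 proftpd[17606]: ImageServer905 (203.0.113.5[203.0.113.5]) - SIMPLE COMMAND (USER:anonymous) seen by procesor
Aug 31 14:05:16 ImageServer905 proftpd[17606]: ImageServer905 (203.0.113.5[203.0.113.5]) - ANON anonymous: Login successful.
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905 (203.0.113.5[203.0.113.5]) - SIMPLE COMMAND (MKD:060831140355p) seen by procesor
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905 (203.0.113.5[203.0.113.5]) - SIMPLE COMMAND (CWD:/pub/) seen by procesor
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905 (203.0.113.5[203.0.113.5]) - SIMPLE COMMAND (CWD:/_vti_pvt/) seen by procesor
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905 (203.0.113.5[203.0.113.5]) - SIMPLE COMMAND (CWD:/_vti_cfg/) seen by procesor
Aug 31 14:05:17 ImageServer905 proftpd[17606]: ImageServer905 (203.0.113.5[203.0.113.5]) - SIMPLE COMMAND (CWD:/_vti_log/) seen by procesor
Aug 31 14:09:02 ImageServer905 proftpd[17700]: ImageServer905 (198.51.100.7[198.51.100.7]) - SIMPLE COMMAND (USER:anonymous) seen by procesor
Aug 31 14:09:02 ImageServer905 proftpd[17700]: ImageServer905 (198.51.100.7[198.51.100.7]) - ANON anonymous: Login successful.
Aug 31 14:09:40 ImageServer905 proftpd[17700]: ImageServer905 (198.51.100.7[198.51.100.7]) - SIMPLE COMMAND (CWD:/pub/) seen by procesor
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ proftpd\[(?P<pid>\d+)\]: \S+ "
    r"\((?P<ip>[\d.]+)\[[\d.]+\]\) - (?P<msg>.*)$")
CMD_RE = re.compile(r"SIMPLE COMMAND \((?P<cmd>\w+):(?P<arg>[^)]*)\) seen by")

def score_sessions(log_text, burst_seconds=5, min_cmds=4):
    """Group lines by (pid, source IP) and flag sessions that log in as
    anonymous and then, within a few seconds, try to create a directory (MKD)
    or walk FrontPage _vti_* paths: the signature of an automated probe."""
    sessions = defaultdict(lambda: {"anon": False, "mkd": 0, "vti": 0,
                                    "cmds": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # cron, "transfer:" and other non-session lines
        s = sessions[(m["pid"], m["ip"])]
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog stamp, no year
        s["first"], s["last"] = s["first"] or ts, ts
        if m["msg"].startswith("ANON anonymous: Login successful"):
            s["anon"] = True
        c = CMD_RE.search(m["msg"])
        if c:
            s["cmds"] += 1
            s["mkd"] += (c["cmd"] == "MKD")
            s["vti"] += (c["cmd"] == "CWD" and "/_vti_" in c["arg"])
    flagged = {}
    for (pid, ip), s in sessions.items():
        span = (s["last"] - s["first"]).total_seconds()
        if (s["anon"] and s["cmds"] >= min_cmds and span <= burst_seconds
                and (s["mkd"] or s["vti"])):
            flagged[ip] = {"pid": pid, "mkd": s["mkd"], "vti": s["vti"], "span_s": span}
    return flagged
```

The second constructed session (one CWD half a minute after login) is not flagged, so the rule keys on the burst and the probed paths rather than on anonymous login alone.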

Posted by David H. Lipman on September 18, 2006, 7:13 pm

| Do you think this is the guy who tried to get into my
| FTP server?
|
| Jay Schuster
| Address:PO Box 422, Richmond, VT 05446
| Phone:(802) 434-6609
|
|
| http://www.fundrace.org/neighbors.php?type=name&lname=SCHUSTER&fname=JAMES&search=Search+by+Name
|
| 09/17/06 19:00:48 whois 75.10.91.73@whois.arin.net
|
| whois -h whois.arin.net 75.10.91.73 ...
| SBC Internet Services SBCIS-SBIS-6BLK (NET-75-0-0-0-1)
| 75.0.0.0 - 75.63.255.255
| JAMES SCHUSTER ATTORNEY-060408021914 SBC07501009107229060408021942
| (NET-75-10-91-72-1)
| 75.10.91.72 - 75.10.91.79
|

< snip >

How do you connect Plano Texas to Richmond Vermont ?

If it isn't the same person, do you think it was a good idea to post the
person's address and phone number?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Rick Merrill on September 19, 2006, 5:32 pm
I contacted the owner of the IP range and
he has taken steps to protect his system from
this exploit.

Thanks for cautioning me that the attorney might
be an innocent, not the hacker, as that was the case.




Posted by Todd H. on September 18, 2006, 9:38 pm

> Do you think this is the guy who tried to get into my
> FTP server?

An automated attack may have originated from one of the machines with
the IP block owned by him sure.

But could be the bored front office assistant surfing the net with an
unpatched Internet Explorer, or running without the latest Windows
Server update that got owned by a remote exploit, the machine is
infected and the machine is part of a bot net they don't even know
about.

Thousands of such machines on the internet. Not sure I'd be posting
attorney's address information and making accusations like that
without knowing more than you do.

Best Regards,
--
Todd H.
http://www.toddh.net/

Posted by Rick Merrill on September 19, 2006, 10:55 am
Todd H. wrote:
>
>
>>Do you think this is the guy who tried to get into my
>>FTP server?
>
>
> An automated attack may have originated from one of the machines with
> the IP block owned by him sure.
>
> But could be the bored front office assistant surfing the net with an
> unpatched Internet Explorer, or running without the latest Windows
> Server update that got owned by a remote exploit, the machine is
> infected and the machine is part of a bot net they don't even know
> about.
>
> Thousands of such machines on the internet. Not sure I'd be posting
> attorney's address information and making accusations like that
> without knowing more than you do.
>
> Best Regards,


That's true - let'im sue me ;-)

I have found other people have had the same information.

Thanks for the scenario alternatives.

