Dear all,
I'm not keen to give out too much information here but I'd appreciate your
input on what I can provide....
Scenario:
FTP server running Serv-U on NT 4.0 SP6a
MS Proxy Server 2.0 in same subnet as above
Our FTP logs today are showing 19 login attempts from the proxy server
(excerpt below)
We have never had anyone log in in this manner and have never seen this in
the logs before.
I have now taken action to deny login attempts from this machine but am
still puzzled on how this could be possible from externally - obviously I
have checked to ensure that no one has used the proxy console to carry this
out.
Can anyone help here?
[5] Mon 17Sep01 12:21:40 - (000715) Connected to [INTERNAL IP OF PROXY] (Local address [INTERNAL IP OF FTP SERVER])
[6] Mon 17Sep01 12:21:40 - (000715) 220-Serv-U FTP-Server v2.5f for WinSock ready...
[6] Mon 17Sep01 12:21:40 - (000715) 220-*********************************************************
[6] Mon 17Sep01 12:21:40 - (000715) 220-* *
[6] Mon 17Sep01 12:21:40 - (000715) 220-* Welcome to the MY CORP FTP Server *
[6] Mon 17Sep01 12:21:40 - (000715) 220-* *
[6] Mon 17Sep01 12:21:40 - (000715) 220-*********************************************************
[6] Mon 17Sep01 12:21:40 - (000715) 220-
[6] Mon 17Sep01 12:21:40 - (000715) 220-*********************************************************
[6] Mon 17Sep01 12:21:40 - (000715) 220-* *
[6] Mon 17Sep01 12:21:40 - (000715) 220-* Contact Telephone Numbers *
[6] Mon 17Sep01 12:21:40 - (000715) 220-* *
[6] Mon 17Sep01 12:21:40 - (000715) 220-* Access or Password Problems 999999999 *
[6] Mon 17Sep01 12:21:40 - (000715) 220-* Account Management 9999999999 *
[6] Mon 17Sep01 12:21:40 - (000715) 220-* *
[6] Mon 17Sep01 12:21:40 - (000715) 220-*********************************************************
[6] Mon 17Sep01 12:21:40 - (000715) 220-
[6] Mon 17Sep01 12:21:40 - (000715) 220-*********************************************************
[6] Mon 17Sep01 12:21:40 - (000715) 220-* *
[6] Mon 17Sep01 12:21:40 - (000715) 220-* PLEASE NOTE ACCESS TO THIS FTP SERVER IS STRICTLY *
[6] Mon 17Sep01 12:21:40 - (000715) 220-* RESTRICTED TO THOSE AUTHORISED TO USE THIS SERVICE *
[6] Mon 17Sep01 12:21:40 - (000715) 220-* ACTIVTY ON THIS SERVICE IS MONITORED *
[6] Mon 17Sep01 12:21:40 - (000715) 220-* *
[6] Mon 17Sep01 12:21:40 - (000715) 220 *********************************************************
[5] Mon 17Sep01 12:21:40 - (000715) IP-Name: [NETBIOS NAME OF PROXY SERVER]
[2] Mon 17Sep01 12:21:40 - (000715) USER [USER NAME]
[6] Mon 17Sep01 12:21:40 - (000715) 331 User name okay, need password.
[2] Mon 17Sep01 12:21:40 - (000715) PASS xxxxx
[5] Mon 17Sep01 12:21:40 - (000715) User [USER NAME] logged in
[6] Mon 17Sep01 12:21:40 - (000715) 230-*********************************************************
[6] Mon 17Sep01 12:21:40 - (000715) 230-* *
[6] Mon 17Sep01 12:21:40 - (000715) 230-* MY CORP UK Welcomes Automation User *
[6] Mon 17Sep01 12:21:40 - (000715) 230-* *
[6] Mon 17Sep01 12:21:40 - (000715) 230-*********************************************************
[6] Mon 17Sep01 12:21:40 - (000715) 230-
[6] Mon 17Sep01 12:21:40 - (000715) 230 User logged in, proceed.
[2] Mon 17Sep01 12:21:41 - (000715) CWD /DIR/DIR/DIR/FILENAME.csv
[6] Mon 17Sep01 12:21:41 - (000715) 550 /DIR/DIR/DIR/FILENAME.csv: No such file or directory.
[2] Mon 17Sep01 12:21:41 - (000715) TYPE I
[6] Mon 17Sep01 12:21:41 - (000715) 200 Type set to I.
[2] Mon 17Sep01 12:21:41 - (000715) PORT [INTERNAL IP ADDRESS OF PROXY SERVER],10,125
[6] Mon 17Sep01 12:21:41 - (000715) 200 PORT Command successful.
[2] Mon 17Sep01 12:21:41 - (000715) RETR /DIR/FILENAME.csv
[6] Mon 17Sep01 12:21:41 - (000715) 150 Opening BINARY mode data connection for FILENAME.csv (50227 bytes).
[3] Mon 17Sep01 12:21:41 - (000715) Sending file d:\DIR\FILENAME.csv
[3] Mon 17Sep01 12:21:41 - (000715) Sent file d:\DIR\FILENAME.csv successfully (85.8 Kb/sec - 50227 bytes)
[6] Mon 17Sep01 12:21:41 - (000715) 226-Maximum disk quota limited to 999999 Kbytes
[6] Mon 17Sep01 12:21:41 - (000715) Used disk quota 20001 Kbytes, available 979997 Kbytes
[6] Mon 17Sep01 12:21:41 - (000715) 226 Transfer complete.
[2] Mon 17Sep01 12:21:43 - (000715) QUIT
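An added example, not part of the original post: a small Python triage script for logs in the layout quoted above. It groups lines by the session id in parentheses, lists logged-in sessions from one source address, and decodes each PORT argument into the address and port the server was told to connect back to. The sample lines, addresses, user name and all function and field names are constructed for illustration, and the script assumes one log entry per line (as in the log file itself, not as wrapped by a mail client).

```python
import re

# Constructed sample in the post's log layout; addresses and user name are placeholders.
SAMPLE_LOG = r"""
[5] Mon 17Sep01 12:21:40 - (000715) Connected to 192.0.2.10 (Local address 192.0.2.20)
[5] Mon 17Sep01 12:21:40 - (000715) User automation logged in
[2] Mon 17Sep01 12:21:41 - (000715) PORT 192,0,2,10,10,125
[2] Mon 17Sep01 12:21:41 - (000715) RETR /DIR/FILENAME.csv
[3] Mon 17Sep01 12:21:41 - (000715) Sent file d:\DIR\FILENAME.csv successfully (85.8 Kb/sec - 50227 bytes)
[5] Mon 17Sep01 12:30:02 - (000716) Connected to 192.0.2.77 (Local address 192.0.2.20)
[2] Mon 17Sep01 12:30:03 - (000716) PORT 192,0,2,99,4,1
"""

LINE = re.compile(r"^\[\d\] \w{3} \d{2}\w{3}\d{2} [\d:]{8} - \((\d+)\) (.*)$")
EVENTS = [  # (field, pattern) pairs tried against the message part of each line
    ("peer", re.compile(r"^Connected to (\S+) \(Local address")),
    ("user", re.compile(r"^User (\S+) logged in$")),
    ("port", re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")),
    ("retr", re.compile(r"^RETR (.+)$")),
    ("sent", re.compile(r"^Sent file .* - (\d+) bytes\)$")),
]

def parse_sessions(text):
    """Group log lines by session id and pull out the fields worth reviewing."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or banner text that does not start an entry
        s = sessions.setdefault(m.group(1), {"peer": None, "user": None, "data_targets": [], "retr": [], "bytes_sent": 0})
        for field, pat in EVENTS:
            e = pat.match(m.group(2))
            if not e:
                continue
            if field in ("peer", "user"):
                s[field] = e.group(1)
            elif field == "port":  # h1,h2,h3,h4,p1,p2 -> address h1.h2.h3.h4, port p1*256 + p2
                s["data_targets"].append((".".join(e.groups()[:4]), int(e[5]) * 256 + int(e[6])))
            elif field == "retr":
                s["retr"].append(e.group(1))
            else:
                s["bytes_sent"] += int(e.group(1))
    return sessions

def review(sessions, watched_peer):
    """Return (logged-in sessions from watched_peer, sessions whose PORT target is not the peer)."""
    from_peer = sorted(k for k, s in sessions.items() if s["peer"] == watched_peer and s["user"])
    mismatched = sorted(k for k, s in sessions.items() if any(ip != s["peer"] for ip, _ in s["data_targets"]))
    return from_peer, mismatched
```

For the excerpt in the post, the PORT argument ending in `10,125` decodes to data port 2685 on the proxy's address, so the file was sent back to the same host that opened the control connection.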