I'm running logwatch and have seen some strange activity in it.
There are two different IP addresses (I'll call this guy the hacker) from which it seems they logged in successfully through vsftpd.
Hacker's IP 1: 91.121.106.53
vsftpd.log.1:Tue Feb 19 20:46:18 2013 [pid 24450] CONNECT: Client "91.121.106.53"
vsftpd.log.1:Tue Feb 19 20:46:18 2013 [pid 24449] [public] OK LOGIN: Client "91.121.106.53"
vsftpd.log.1:Tue Feb 19 20:46:18 2013 [pid 24451] [public] OK UPLOAD: Client "91.121.106.53", "//1c.php", 23 bytes, 0.51Kbyte/sec
vsftpd.log.1:Tue Feb 19 20:46:18 2013 [pid 24451] [public] OK DELETE: Client "91.121.106.53", "//1c.php"
vsftpd.log.1:Wed Feb 20 03:21:59 2013 [pid 3610] CONNECT: Client "91.121.106.53"
vsftpd.log.1:Wed Feb 20 03:21:59 2013 [pid 3609] [webcam] OK LOGIN: Client "91.121.106.53"
vsftpd.log.1:Wed Feb 20 03:40:20 2013 [pid 3897] CONNECT: Client "91.121.106.53"
vsftpd.log.1:Wed Feb 20 03:40:20 2013 [pid 3896] [public] OK LOGIN: Client "91.121.106.53"
And hacker's IP 2: 72.52.172.4
vsftpd.log.1:Sun Feb 17 09:36:00 2013 [pid 20290] CONNECT: Client "72.52.172.4"
vsftpd.log.1:Sun Feb 17 09:36:02 2013 [pid 20289] [MyUserName] FAIL LOGIN: Client "72.52.172.4"
vsftpd.log.1:Sun Feb 17 09:45:23 2013 [pid 20404] CONNECT: Client "72.52.172.4"
vsftpd.log.1:Sun Feb 17 09:45:23 2013 [pid 20403] [webcam] OK LOGIN: Client "72.52.172.4"
vsftpd.log.1:Sun Feb 17 10:03:04 2013 [pid 21690] CONNECT: Client "72.52.172.4"
vsftpd.log.1:Sun Feb 17 10:03:05 2013 [pid 21689] [public] OK LOGIN: Client "72.52.172.4"
vsftpd.log.1:Mon Feb 18 02:09:29 2013 [pid 17459] CONNECT: Client "72.52.172.4"
vsftpd.log.1:Mon Feb 18 02:09:29 2013 [pid 17458] [public] OK LOGIN: Client "72.52.172.4"
vsftpd.log.1:Mon Feb 18 03:09:40 2013 [pid 18426] CONNECT: Client "72.52.172.4"
vsftpd.log.1:Mon Feb 18 03:09:41 2013 [pid 18425] [webcam] OK LOGIN: Client "72.52.172.4"
The only user currently using FTP is the webcam user, which is a script.
The next strange thing is that the hacker knew exactly which users exist. As you can see here, the other hackers normally try 'anonymous' and that's it:
vsftpd.log:Sun Feb 24 11:16:17 2013 [pid 26192] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log:Sun Feb 24 11:16:20 2013 [pid 26194] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.1:Sun Feb 17 08:34:52 2013 [pid 18379] [anonymous] FAIL LOGIN: Client "66.249.76.54"
vsftpd.log.1:Sun Feb 17 08:34:55 2013 [pid 18381] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.1:Sun Feb 17 09:36:02 2013 [pid 20289] [MyUserName] FAIL LOGIN: Client "72.52.172.4"
vsftpd.log.1:Mon Feb 18 14:41:28 2013 [pid 5601] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.1:Mon Feb 18 14:41:31 2013 [pid 5604] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.1:Mon Feb 18 16:01:54 2013 [pid 7801] [anonymous] FAIL LOGIN: Client "69.162.83.5"
vsftpd.log.1:Tue Feb 19 16:13:10 2013 [pid 16375] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.1:Tue Feb 19 16:13:13 2013 [pid 16377] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.1:Wed Feb 20 15:08:44 2013 [pid 23754] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.1:Wed Feb 20 15:08:46 2013 [pid 23756] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.1:Thu Feb 21 18:09:50 2013 [pid 5589] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.1:Thu Feb 21 18:09:52 2013 [pid 5591] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.2:Sun Feb 10 11:41:42 2013 [pid 26587] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.2:Sun Feb 10 11:41:45 2013 [pid 26589] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.2:Mon Feb 11 06:15:10 2013 [pid 26421] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.2:Thu Feb 14 17:05:30 2013 [pid 8180] [anonymous] FAIL LOGIN: Client "66.249.76.54"
vsftpd.log.2:Thu Feb 14 17:05:34 2013 [pid 8182] [anonymous] FAIL LOGIN: Client "66.249.76.54"
vsftpd.log.2:Fri Feb 15 02:36:18 2013 [pid 24301] [anonymous] FAIL LOGIN: Client "66.249.76.54"
vsftpd.log.2:Fri Feb 15 18:36:11 2013 [pid 19947] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.2:Fri Feb 15 18:36:14 2013 [pid 19954] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.2:Sat Feb 16 08:07:01 2013 [pid 9810] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.3:Sun Feb 3 17:27:32 2013 [pid 7448] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.3:Sun Feb 3 17:27:36 2013 [pid 7450] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.3:Mon Feb 4 11:28:34 2013 [pid 5688] [anonymous] FAIL LOGIN: Client "66.249.75.54"
vsftpd.log.3:Tue Feb 5 04:53:02 2013 [pid 3520] [anonymous] FAIL LOGIN: Client "66.249.76.54"
vsftpd.log.3:Tue Feb 5 04:53:05 2013 [pid 3522] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.3:Wed Feb 6 23:08:28 2013 [pid 13439] [anonymous] FAIL LOGIN: Client "66.249.75.54"
vsftpd.log.3:Wed Feb 6 23:08:32 2013 [pid 13441] [anonymous] FAIL LOGIN: Client "66.249.75.54"
vsftpd.log.3:Thu Feb 7 18:09:10 2013 [pid 13644] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.3:Thu Feb 7 18:09:14 2013 [pid 13646] [anonymous] FAIL LOGIN: Client "66.249.75.54"
vsftpd.log.3:Fri Feb 8 12:22:41 2013 [pid 11563] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.3:Fri Feb 8 12:22:44 2013 [pid 11565] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.3:Sat Feb 9 06:37:37 2013 [pid 9738] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.3:Sat Feb 9 06:37:40 2013 [pid 9744] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.4:Mon Jan 28 08:50:29 2013 [pid 30389] [anonymous] FAIL LOGIN: Client "66.249.76.54"
vsftpd.log.4:Mon Jan 28 08:50:32 2013 [pid 30392] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.4:Tue Jan 29 12:56:26 2013 [pid 15682] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.4:Tue Jan 29 12:56:29 2013 [pid 15684] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.4:Wed Jan 30 10:43:11 2013 [pid 21831] [anonymous] FAIL LOGIN: Client "66.249.75.54"
vsftpd.log.4:Wed Jan 30 10:43:15 2013 [pid 21833] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.4:Fri Feb 1 00:07:50 2013 [pid 22202] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.4:Fri Feb 1 00:07:53 2013 [pid 22204] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.4:Fri Feb 1 11:40:15 2013 [pid 9412] [anonymous] FAIL LOGIN: Client "66.249.76.54"
vsftpd.log.4:Sat Feb 2 15:03:42 2013 [pid 25912] [anonymous] FAIL LOGIN: Client "66.249.78.54"
vsftpd.log.4:Sat Feb 2 15:03:46 2013 [pid 25914] [anonymous] FAIL LOGIN: Client "66.249.78.54"
So how is it possible that the hacker knew exactly the only three users (public, webcam, MyUserName) that exist on vsftpd, and was able to log in as public and webcam?
My server is a virtual hosted server in Germany running Ubuntu Server 10.04.4 LTS with vsftpd version 2.2.2 (yes, I know this version is old; I'll update it immediately).
The only possibilities I can think of are:
- Packet sniffing: the hacker sniffed the server's connection, but I've used the public user only once, two years ago, so there is no possibility that the hacker learned this user name that way. (SFTP wasn't forced, but I've forced it from now on.)
- Brute force: the default options
max_login_fails=3
and
delay_failed_login=1
should prevent this. I've now added them explicitly to the vsftpd configuration.
- Backdoor in vsftpd: how can I analyze this?
I'll now restrict access to the IP address of the script (since only it needs FTP; there are no other users).
It would be nice if you could give me some tips on how to analyze this problem (how was it possible for the hacker to log in?).
Thanks!
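Added example (not code from the question or any answer): a small Python triage script that parses vsftpd log lines in the format quoted above, orders them by timestamp across rotated files, and flags, per client IP, a successful login reached with fewer failures than max_login_fails would allow (which points to known credentials rather than guessing) and uploads of script files. The sample lines and IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the vsftpd log format shown in the question (grep's "file:" prefix kept);
# the IPs are documentation addresses, not the ones from the post.
SAMPLE_LOG = """\
vsftpd.log.1:Tue Feb 19 20:46:18 2013 [pid 24449] [public] OK LOGIN: Client "198.51.100.7"
vsftpd.log.1:Tue Feb 19 20:46:18 2013 [pid 24451] [public] OK UPLOAD: Client "198.51.100.7", "//1c.php", 23 bytes, 0.51Kbyte/sec
vsftpd.log.1:Tue Feb 19 20:46:18 2013 [pid 24451] [public] OK DELETE: Client "198.51.100.7", "//1c.php"
vsftpd.log.1:Sun Feb 17 09:45:23 2013 [pid 20403] [webcam] OK LOGIN: Client "203.0.113.9"
vsftpd.log.1:Sun Feb 17 09:36:02 2013 [pid 20289] [MyUserName] FAIL LOGIN: Client "203.0.113.9"
vsftpd.log.1:Sun Feb 24 11:16:17 2013 [pid 26192] [anonymous] FAIL LOGIN: Client "192.0.2.44"
vsftpd.log.1:Sun Feb 24 11:16:20 2013 [pid 26194] [anonymous] FAIL LOGIN: Client "192.0.2.44"
"""

# Optional "file:" prefix, timestamp, pid, optional [user], event, client IP, optional path.
LINE_RE = re.compile(
    r'^(?:[^:]*:)?(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]+)\] )?(?P<event>CONNECT|OK LOGIN|FAIL LOGIN|OK UPLOAD|OK DELETE)'
    r': Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)")?')
SCRIPT_EXT = (".php", ".pl", ".cgi", ".sh", ".py")


def parse_line(line):
    """Parse one vsftpd log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {**m.groupdict(), "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")}


def analyse(log_text, max_login_fails=3):
    """Per client IP: failures before the first successful login, plus script uploads."""
    events = sorted(filter(None, map(parse_line, log_text.splitlines())), key=lambda e: e["ts"])
    per_ip = defaultdict(lambda: {"fails": 0, "logins": [], "uploads": []})
    for e in events:
        s = per_ip[e["ip"]]
        if e["event"] == "FAIL LOGIN" and not s["logins"]:
            s["fails"] += 1  # only failures that precede the first success count
        elif e["event"] == "OK LOGIN":
            s["logins"].append(e["user"])
        elif e["event"] == "OK UPLOAD" and e["path"].lower().endswith(SCRIPT_EXT):
            s["uploads"].append(e["path"])
    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["logins"] and s["fails"] < max_login_fails:
            reasons.append(f"login as {sorted(set(s['logins']))} after {s['fails']} failure(s)")
        if s["uploads"]:
            reasons.append(f"script upload {s['uploads']}")
        if reasons:
            findings[ip] = reasons
    return findings
```

Run it over the concatenated output of `grep -h . /var/log/vsftpd.log*` to get the same per-IP summary for real logs; an IP that appears only with failed logins is not reported.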
It seems your hacker connected and installed a script.
Once this happens, you might assume that he can gather info on your user accounts via the vsftp config, passwd, shadow, etc. What do your auth log and syslog tell you at the times of the attacks?