Hi,

I got this in my log

Apr 23 10:15:48 mymachine wu.ftpd[13697]: connect from 62.2.87.42 (62.2.87.42) Apr 23 10:15:49 mymachine ftpd[13697]: USER anonymous Apr 23 10:15:49 mymachine ftpd[13697]: PASS guest@here.com Apr 23 10:15:49 mymachine ftpd[13697]: CWD /pub/ Apr 23 10:15:49 mymachine ftpd[13697]: MKD 010423101604p Apr 23 10:15:49 mymachine ftpd[13697]: CWD /public/ Apr 23 10:15:49 mymachine ftpd[13697]: CWD /pub/incoming/ Apr 23 10:15:50 mymachine ftpd[13697]: CWD /incoming/ Apr 23 10:15:50 mymachine ftpd[13697]: CWD /_vti_pvt/

That's a microsoft frontpage thing.

Apr 23 10:15:50 mymachine ftpd[13697]: CWD / Apr 23 10:15:50 mymachine ftpd[13697]: MKD 010423101605p Apr 23 10:15:50 mymachine ftpd[13697]: CWD /upload/

after which the person disappeared.

Is there an exploit here that I'm unaware of? I couldn't find anything on either cert.org of securityfocus.com. Or is it just someone looking for a place to store warez? Am I being paranoid? :)

Looks like the person was looking for vulnerable NT server and/or misconfigured frontpage setups on UNIX/NT.

Regards Anders

-Kurt