Anonymous Loggings

[StandardTool]

I have been noticing a few users as "anonymous" and "ftp" in our log files and then the word HELP at the command line, is this someone trying to exploit the system?

Eg. copy of the log


* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> 220 Please visit http://sourceforge.net/projects/filezilla/
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> USER anonymous
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> 331 Password required for anonymous
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> PASS **********
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> 530 Login or password incorrect!
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> HELP
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> 214-The following commands are recognized:
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> USER PASS QUIT CWD PWD PORT PASV TYPE
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> LIST REST CDUP RETR STOR SIZE DELE RMD
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> MKD RNFR RNTO ABOR SYST NOOP APPE NLST
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> MDTM XPWD XCUP XMKD XRMD NOP EPSV EPRT
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> AUTH ADAT PBSZ PROT FEAT MODE OPTS HELP
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> ALLO MLST MLSD SITE P@SW STRU CLNT MFMT
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> HASH
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> 214 Have a nice day.
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> FEAT
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> 211-Features:
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> MDTM
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> REST STREAM
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> SIZE
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> MLST type*;size*;modify*;
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> MLSD
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> UTF8
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> CLNT
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> MFMT
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> 211 End
* 8/11/2016 8:54:09 AM - (not logged in) (IP REMOVED)> disconnected.

[StandardTool]

From todays logs.

(000356)8/19/2016 12:18:35 PM - (not logged in) (IP REMOVED)> Connected on port 21, sending welcome message...
(000356)8/19/2016 12:18:35 PM - (not logged in) (IP REMOVED)> USER ftp
(000356)8/19/2016 12:18:35 PM - (not logged in) (IP REMOVED)> 331 Password required for ftp
(000356)8/19/2016 12:18:36 PM - (not logged in) (IP REMOVED)> PASS ********
(000356)8/19/2016 12:18:36 PM - (not logged in) (IP REMOVED)> 530 Login or password incorrect!
(000356)8/19/2016 12:18:36 PM - (not logged in) (IP REMOVED)> disconnected.
(000357)8/19/2016 13:03:54 PM - (not logged in) (IP REMOVED)> Connected on port 21, sending welcome message...
(000357)8/19/2016 13:04:05 PM - (not logged in) (IP REMOVED)> disconnected.
(000358)8/19/2016 13:04:05 PM - (not logged in) (IP REMOVED)> Connected on port 21, sending welcome message...
(000358)8/19/2016 13:04:05 PM - (not logged in) (IP REMOVED)> HELP
(000358)8/19/2016 13:04:05 PM - (not logged in) (IP REMOVED)> 214-The following commands are recognized:
(000358)8/19/2016 13:04:05 PM - (not logged in) (IP REMOVED)> ABOR ADAT ALLO APPE AUTH CDUP CLNT CWD
(000358)8/19/2016 13:04:05 PM - (not logged in) (IP REMOVED)> DELE EPRT EPSV FEAT HASH HELP LIST MDTM
(000358)8/19/2016 13:04:05 PM - (not logged in) (IP REMOVED)> MFMT MKD MLSD MLST MODE NLST NOOP NOP
(000358)8/19/2016 13:04:05 PM - (not logged in) (IP REMOVED)> OPTS PASS PASV PBSZ PORT PROT PWD QUIT
(000358)8/19/2016 13:04:05 PM - (not logged in) (IP REMOVED)> REST RETR RMD RNFR RNTO SITE SIZE STOR
(000358)8/19/2016 13:04:05 PM - (not logged in) (IP REMOVED)> STRU SYST TYPE USER XCUP XCWD XMKD XPWD
(000358)8/19/2016 13:04:05 PM - (not logged in) (IP REMOVED)> XRMD
(000358)8/19/2016 13:04:05 PM - (not logged in) (IP REMOVED)> 214 Have a nice day.
(000358)8/19/2016 13:04:06 PM - (not logged in) (IP REMOVED)> disconnected.
(000359)8/19/2016 13:06:09 PM - (not logged in) (IP REMOVED)> Connected on port 21, sending welcome message...
(000359)8/19/2016 13:06:09 PM - (not logged in) (IP REMOVED)> USER ftp
(000359)8/19/2016 13:06:09 PM - (not logged in) (IP REMOVED)> 331 Password required for ftp
(000359)8/19/2016 13:06:09 PM - (not logged in) (IP REMOVED)> PASS ***************
(000359)8/19/2016 13:06:09 PM - (not logged in) (IP REMOVED)> 530 Login or password incorrect!
(000359)8/19/2016 13:06:10 PM - (not logged in) (IP REMOVED)> HELP
(000359)8/19/2016 13:06:10 PM - (not logged in) (IP REMOVED)> 214-The following commands are recognized:
(000359)8/19/2016 13:06:10 PM - (not logged in) (IP REMOVED)> ABOR ADAT ALLO APPE AUTH CDUP CLNT CWD
(000359)8/19/2016 13:06:10 PM - (not logged in) (IP REMOVED)> DELE EPRT EPSV FEAT HASH HELP LIST MDTM
(000359)8/19/2016 13:06:10 PM - (not logged in) (IP REMOVED)> MFMT MKD MLSD MLST MODE NLST NOOP NOP
(000359)8/19/2016 13:06:10 PM - (not logged in) (IP REMOVED)> OPTS PASS PASV PBSZ PORT PROT PWD QUIT
(000359)8/19/2016 13:06:10 PM - (not logged in) (IP REMOVED)> REST RETR RMD RNFR RNTO SITE SIZE STOR
(000359)8/19/2016 13:06:10 PM - (not logged in) (IP REMOVED)> STRU SYST TYPE USER XCUP XCWD XMKD XPWD
(000359)8/19/2016 13:06:10 PM - (not logged in) (IP REMOVED)> XRMD
(000359)8/19/2016 13:06:10 PM - (not logged in) (IP REMOVED)> 214 Have a nice day.
(000359)8/19/2016 13:06:11 PM - (not logged in) (IP REMOVED)> QUIT
(000359)8/19/2016 13:06:11 PM - (not logged in) (IP REMOVED)> 221 Goodbye
(000359)8/19/2016 13:06:11 PM - (not logged in) (IP REMOVED)> disconnected.

[botg]

Thank you for updating to the most recent version.

It looks like a random scan, there's nothing to worry about.

[boco]

Script kiddies searching for vulnerable IIS servers to get access to non-patched systems (MS IIS servers are usually integrated into the Windows user database).