Re: [incident] IIS defacement through FTP, possible DoS

From: Michael Katz (mikeat_private)
Date: Wed Jun 05 2002 - 11:56:58 PDT


    At 6/5/2002 01:40 AM, Iain Craig wrote:
    >Was wondering if anyone is aware of an IIS FTP server exploit that allows 
    >an attacker the read/write access of a single given legitimate user's 
    >folders and also zeroes the log file?
    
    <snip>
    
    >There was a LOT of those, all very fast like a DoS attempt. Other 
    >usernames I was seeing in a similar DoS fashion from the same time and IP 
    >were Ogpuserat_private, Kgpuserat_private, and Lgpuserat_private
    >
    >Anyone know of a kiddie tool that uses these names?
    
    According to this message 
    (http://archives.neohapsis.com/archives/snort/2002-04/0447.html):
    
    "This is the signature of Grim's
    Ping- a scanning tool that looks for FTP servers with directories that
    anonymous users can write to (In other words- new warez sites). The tool
    logs in as anonymous and authenticates with Xgpuserat_private (where X is
    any uppercase letter). It tries to find and write to commonly used FTP
    directories and reports successes to the attacker."
    
    The tool can be downloaded from http://grimsping.cjb.net/.
    
    Michael Katz
    mikeat_private
    Procinct Security
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
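
Added example, not part of the original message or the quoted Snort-list post: a log triage check for the login signature described above (anonymous login with a password of one uppercase letter followed by "gpuser@"), which also reports any write that succeeded in a flagged session. The log layout, field names, write-command names, addresses and paths are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Password shape from the quoted description: one uppercase letter + "gpuser@".
# The archive masks what follows "@", so the domain part is left open (assumption).
SCAN_PASS = re.compile(r"^[A-Z]gpuser@\S*$")
WRITE_CMDS = {"STOR", "MKD"}  # assumed names of write operations in the log

# Constructed sample log (not from the incident); W3C-style layout assumed.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
01:12:03 192.0.2.44 [7]USER anonymous 331
01:12:03 192.0.2.44 [7]PASS Ogpuser@example.invalid 230
01:12:04 192.0.2.44 [7]MKD /incoming/test-dir 550
01:12:04 192.0.2.44 [8]USER anonymous 331
01:12:04 192.0.2.44 [8]PASS Kgpuser@example.invalid 230
01:12:05 192.0.2.44 [8]MKD /pub/test-dir 257
01:30:10 198.51.100.9 [9]USER anonymous 331
01:30:10 198.51.100.9 [9]PASS alice@example.invalid 230
01:30:12 198.51.100.9 [9]STOR /incoming/report.txt 226
"""

def find_scanner_sessions(log_text):
    """Return {ip: {"logins": n, "writes_ok": [paths]}} for flagged sessions."""
    fields, flagged = [], set()
    report = defaultdict(lambda: {"logins": 0, "writes_ok": []})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log header
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        m = re.match(r"\[(\d+)\](\S+)$", rec["cs-method"])  # "[session]COMMAND"
        if not m:
            continue
        session, cmd = (rec["c-ip"], m.group(1)), m.group(2)
        if cmd == "PASS" and SCAN_PASS.match(rec["cs-uri-stem"]):
            flagged.add(session)
            report[rec["c-ip"]]["logins"] += 1
        elif cmd in WRITE_CMDS and session in flagged and rec["sc-status"].startswith("2"):
            # A 2xx reply to a write in a flagged session: a writable directory was found.
            report[rec["c-ip"]]["writes_ok"].append(rec["cs-uri-stem"])
    return dict(report)

if __name__ == "__main__":
    print(find_scanner_sessions(SAMPLE_LOG))
```

A non-empty `writes_ok` list names the directories to lock down first; an ordinary anonymous upload such as the `alice@` session is not reported.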
    



    This archive was generated by hypermail 2b30 : Wed Jun 05 2002 - 15:01:16 PDT