This is not a security incident as much as it's fingerprints of warez d00d activity, but I was curious if anyone else has seen this tool. I found the following directories in the FTP root of an NT box: 03-31-01 01:05AM <DIR> 04-08-01 12:34PM <DIR> .tmp 03-31-01 12:33AM <DIR> .FrogEater 03-26-01 05:16AM 1000000 1 Mo 01-02-01 12:05AM 1000000 1.mb.zip 03-30-01 10:26PM 1000000 1000k 03-30-01 11:22PM 1000000 1MB.Test 03-26-01 05:17AM <DIR> FrogEater 04-08-01 12:34PM <DIR> TAGGED FrogE This looks much like the result of an automated tool that checks for anonymous / world-writable FTP directories. I assume the 1000000 byte files are attempts to figure out the link speed and / or disk quotas .. ? The '.tmp' directory is actually named '.tmp '. A google search only turned up one useful link, which is in turn a link to another "frogeaten" site. http://www.google.com/search?q=cache:kotisivu.raketti.net/jari77v/index4.htm+frogeater&hl=en James
This archive was generated by hypermail 2b30 : Wed Apr 25 2001 - 08:04:23 PDT