At the moment I'm responsible for an FTP site which allows anonymous write access to a directory to allow development partners to upload files. They have also been hit with warez activity similar to FrogEater, with 1K and 1MB test files being uploaded, followed by various directories (.tmp, tagged, 010305102214p etc.) being created and warez uploaded.

I wonder whether there is any way (perhaps using network/host IDS signatures) to detect this sort of activity and block the intruding warez d00d, or at least alert a sysadmin? Any ideas?

Richard Bartlett
Hacker Immunity Ltd

(I'm currently working on setting up permissions so the uploadable directories are execute only; i.e. you can't see it in dir/ls, but you can cd to it, and the dir names will be suitably obscure to prevent them being guessed.)

-----Original Message-----
From: James W. Abendschan [mailto:jwaat_private]
Sent: 12 May 2001 02:58
To: incidentsat_private
Subject: Re: 'FrogEater'

On Tue, 24 Apr 2001, James W. Abendschan wrote:

> This is not a security incident as much as it's fingerprints of warez
> d00d activity, but I was curious if anyone else has seen this tool.

[ .. ]

Well, while the general consensus was that this was not a tool, I'm still not convinced it wasn't something like Grim's Ping. ( http://grimsping.cjb.net/ )

Chris G. pointed me to a warez d00d discussion site where someone going by the handle of FrogEater hangs out:

http://www.netknowledgebase.com/forum/bb_profile.php?mode=view&user=61

Someone else suggested using an FTP search engine instead of google to hunt for these things (doh!). While 'FrogEater' didn't show up, the '1MB.TEST' file did:

http://www.ftpfind.com/search.php?query=1MB.TEST&method=iss&limdom=&limpath=&sort=date&ppage=500&x=23&y=4

.. the earliest seems to be 12 April 2000, but who knows how complete ftpfind.com is :-)

warez.. sigh..

James
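The question above (can the probe-then-tag pattern be detected and raised to a sysadmin?) is answerable on the host side from the FTP daemon's own transfer log, without a network IDS. What follows is an added example written for this archive page; it is not code from either poster. It correlates, per client, the indicators named in the thread: an upload of a 1K/1MB "test" probe file followed shortly by creation of tagging directories (dot-dirs, "tagged", long numeric stamps such as 010305102214p). The log lines are constructed for the example and mimic a vsftpd-style format; that format, the 30-minute correlation window and the two indicator regexes are assumptions to be adjusted to the real server's log and to what its logs show.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not a real capture). The format mimics a
# vsftpd-style transfer log; this is an assumption, so adjust LOG_RE to
# whatever your FTP daemon actually writes (e.g. xferlog).
SAMPLE_LOG = """\
Sat May 12 02:50:01 2001 [pid 4101] [anonymous] OK UPLOAD: Client "10.0.0.5", "/incoming/1K.TEST", 1024 bytes, 12.00Kbyte/sec
Sat May 12 02:50:04 2001 [pid 4101] [anonymous] OK UPLOAD: Client "10.0.0.5", "/incoming/1MB.TEST", 1048576 bytes, 512.00Kbyte/sec
Sat May 12 02:50:09 2001 [pid 4101] [anonymous] OK MKDIR: Client "10.0.0.5", "/incoming/.tmp"
Sat May 12 02:50:10 2001 [pid 4101] [anonymous] OK MKDIR: Client "10.0.0.5", "/incoming/.tmp/tagged"
Sat May 12 02:50:11 2001 [pid 4101] [anonymous] OK MKDIR: Client "10.0.0.5", "/incoming/.tmp/tagged/010305102214p"
Sat May 12 03:15:00 2001 [pid 4188] [anonymous] OK UPLOAD: Client "192.0.2.77", "/incoming/build-1.2.tar.gz", 3145728 bytes, 300.00Kbyte/sec
Sat May 12 03:40:27 2001 [pid 4203] [anonymous] OK UPLOAD: Client "198.51.100.9", "/incoming/1MB.TEST", 1048576 bytes, 480.00Kbyte/sec
"""

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'OK (?P<op>UPLOAD|MKDIR): Client "(?P<ip>[^"]+)", "(?P<path>[^"]+)"'
)

# Indicators taken from the thread: 1K/1MB probe uploads used to size up the
# site, then tagging directories (dot-dirs, "tagged", long numeric stamps).
# Both patterns are assumptions; widen or tighten them to what you observe.
PROBE_FILE_RE = re.compile(r'^\d+(k|kb|m|mb)\.test$', re.IGNORECASE)
TAG_DIR_RE = re.compile(r'^(\.\S*|tagged|\d{10,}[a-z]?)$', re.IGNORECASE)

# How long after a probe upload a directory creation still counts as part of
# the same drop (assumed value; tune to what your logs show).
WINDOW = timedelta(minutes=30)


def parse_log(text):
    """Return a list of upload/mkdir events, oldest first."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # logins, downloads, failures etc. are not needed here
        events.append({
            "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "user": m["user"],
            "op": m["op"],
            "ip": m["ip"],
            "path": m["path"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_warez_drops(events, window=WINDOW):
    """Correlate per client: probe upload(s) followed by tag dirs within `window`.

    Returns one alert per (ip, user): severity "high" when tagging
    directories follow the probe, "low" for a probe upload on its own.
    """
    by_client = defaultdict(list)
    for ev in events:
        by_client[(ev["ip"], ev["user"])].append(ev)

    alerts = []
    for (ip, user), evs in by_client.items():
        last_probe = None
        probe_files, tag_dirs = [], []
        for ev in evs:
            name = ev["path"].rstrip("/").rsplit("/", 1)[-1]
            if ev["op"] == "UPLOAD" and PROBE_FILE_RE.match(name):
                last_probe = ev["ts"]
                probe_files.append(name)
            elif (ev["op"] == "MKDIR" and TAG_DIR_RE.match(name)
                  and last_probe is not None and ev["ts"] - last_probe <= window):
                tag_dirs.append(ev["path"])
        if probe_files:
            alerts.append({
                "ip": ip,
                "user": user,
                "probe_files": probe_files,
                "tag_dirs": tag_dirs,
                "severity": "high" if tag_dirs else "low",
            })
    return alerts


if __name__ == "__main__":
    for a in find_warez_drops(parse_log(SAMPLE_LOG)):
        print(f'{a["severity"]:4} {a["user"]}@{a["ip"]}: probes={a["probe_files"]} dirs={a["tag_dirs"]}')
```

Run against the sample, the first client (probe files, then .tmp/tagged/010305102214p) comes out as a high-severity hit, the legitimate partner upload produces nothing, and the lone 1MB.TEST upload is reported at low severity so a sysadmin can watch that address. The same two name patterns could be put into a network IDS rule on the STOR and MKD commands of the control channel, but a file name on its own is a weak signature; it is the sequence from one client within a short window that keeps false positives down, and that sequence is easiest to see in the daemon's log. The alert's ip field is what you would hand to a firewall rule or the daemon's deny list if you want to block rather than only notify. Note that the execute-only directory trick mentioned above does not change what this detector sees: the log records the full path of every upload and mkdir whether or not the directory is listable.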
This archive was generated by hypermail 2b30 : Wed May 16 2001 - 15:45:58 PDT