Re: 'FrogEater'

From: Greg Owen (gowenat_private)
Date: Wed May 16 2001 - 17:28:33 PDT


    > At the moment I'm responsible for an ftp site which allows anonymous write
    > access to a directory to allow development partners to upload files.  They
    > have also been hit with warez activity similar to FrogEater, with 1K and
    > 1MB test files being uploaded, followed by various directories (.tmp,
    > tagged, 010305102214p etc.) being created and warez uploaded.  I wonder
    > whether there is any way (perhaps using network/host ids signatures) to
    > detect this sort of activity and block the intruding warez d00d, or at least
    > alert a sysadmin?
    
        I was running a similar site; it allowed anon upload but not download.
    I had lots of warez activity, the tools creating directories, and the
    occasional d00d uploading before he realized he couldn't download again.  I
    finally configured my FTP daemon to log all commands and ran 'tail -f log |
    program' where program looked for suspicious commands ('STOR 1mb', 'PASS
    l33ch', etc. etc.)  When it got a match it dropped the offender into
    ipchains.  The amount of time I spent cleaning up after them dropped
    dramatically.
    
        Unfortunately, I don't know of any FTP daemons that will do this on
    their own.  It would be a nice way to shut out the automated tools.
    
    --
            gowen -- Greg Owen -- gowenat_private
            79A7 4063 96B6 9974 86CA  3BEF 521C 860F 5A93 D66D
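
The 'tail -f log | program' filter described in the reply above, sketched as an added example that is not part of the original message or the author's program. The log line layout, the `block_commands` name, the allowlist and the MKD patterns are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
import sys

# Assumed log layout (constructed): "<date> <time> <client-ip> <FTP command> <argument>"
LINE_RE = re.compile(r"^\S+ \S+ (?P<ip>\S+) (?P<cmd>[A-Za-z]{3,4}) (?P<arg>.*)$")

# 'STOR 1mb' and 'PASS l33ch' come from the reply; the 1K variant and the MKD
# names are assumptions based on the quoted question.
SUSPICIOUS = [
    re.compile(r"^STOR (?:.*/)?1(?:k|kb|mb)\b", re.I),
    re.compile(r"^PASS l33ch", re.I),
    re.compile(r"^MKD (?:.*/)?(?:\.tmp|tagged)$", re.I),
]

def block_commands(lines, allowlist=()):
    """Yield one ipchains argv for each new client that sends a suspicious command."""
    trusted = {ipaddress.IPv4Address(a) for a in allowlist}
    blocked = set()
    for line in lines:
        m = LINE_RE.match(line.rstrip("\r\n"))
        if not m:
            continue
        try:
            # Log fields are client-influenced: accept only a real IPv4 address.
            ip = ipaddress.IPv4Address(m["ip"])
        except ValueError:
            continue
        if ip in trusted or ip in blocked:
            continue  # never block partners; block each offender once
        request = f"{m['cmd']} {m['arg'].strip()}"
        if any(p.search(request) for p in SUSPICIOUS):
            blocked.add(ip)
            yield ["ipchains", "-I", "input", "-s", str(ip), "-j", "DENY"]

SAMPLE_LOG = [  # constructed sample, documentation addresses only
    "2001-05-16 17:02:11 198.51.100.23 USER anonymous",
    "2001-05-16 17:02:12 198.51.100.23 PASS l33ch@example.invalid",
    "2001-05-16 17:02:15 198.51.100.23 STOR 1mb",
    "2001-05-16 17:03:40 192.0.2.10 STOR build-1mb.zip",
    "2001-05-16 17:04:02 203.0.113.7 MKD incoming/.tmp",
    "2001-05-16 17:04:09 192.0.2.55 MKD tagged",
    "2001-05-16 17:05:00 not-an-address STOR 1mb",
]

if __name__ == "__main__":
    for argv in block_commands(sys.stdin):
        print(" ".join(argv), flush=True)  # review, or hand to subprocess.run(argv)
```

Passing the rule to ipchains as an argument list rather than a shell string, and only after the address parses as IPv4, keeps text from the log out of the command line.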
    


