> At the moment I'm responsible for an ftp site which allows anonymous write
> access to a directory to allow development partners to upload files. They
> have also been hit with warez activity similar to FrogEater, with 1K and
> 1MB test files being uploaded, followed by various directories (.tmp,
> tagged, 010305102214p etc.) being created and warez uploaded. I wonder
> whether there is any way (perhaps using network/host ids signatures) to
> detect this sort of activity and block the intruding warez d00d, or at least
> alert a sysadmin?

I was running a similar site; it allowed anon upload but not download. I had
lots of warez activity, the tools creating directories, and the occasional
d00d uploading before he realized he couldn't download again.

I finally configured my FTP daemon to log all commands and ran
'tail -f log | program' where program looked for suspicious commands
('STOR 1mb', 'PASS l33ch', etc. etc.) When it got a match it dropped the
offender into ipchains. The amount of time I spent cleaning up after them
dropped dramatically.

Unfortunately, I don't know of any FTP daemons that will do this on their
own. It would be a nice way to shut out the automated tools.

--
gowen -- Greg Owen -- gowenat_private
79A7 4063 96B6 9974 86CA 3BEF 521C 860F 5A93 D66D
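The 'tail -f log | program' watcher described above, as an added example that is not Greg Owen's original program: it classifies each logged FTP command against the indicators named in the thread (1K/1MB test uploads, the 'l33ch' password, tagging directories) and emits a firewall rule once a client has tripped two distinct indicators, so a single odd filename from a partner is not enough. The log line format, the sample lines and the exact filenames are constructed assumptions.

```python
import re
# Constructed log format: "<timestamp> <client_ip> <FTP command> [<argument>]"
LINE_RE = re.compile(r"^\S+ (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<cmd>[A-Z]+)(?: (?P<arg>.*))?$")
# Indicators from the thread: 1K/1MB test uploads, the tool's password, tag dirs.
SUSPICIOUS = [
    ("test-file upload", re.compile(r"^STOR\s+(1k|1mb|test)\b", re.I)),
    ("tool login", re.compile(r"^PASS\s+l33ch", re.I)),
    ("tag directory", re.compile(r"^MKD\s+(\.tmp|tagged|\d{12,}p?)\b", re.I)),
]
# Constructed sample stream: one warez tool session, one legitimate partner upload.
SAMPLE_LOG = """\
2001-05-17T12:00:02 203.0.113.7 PASS l33ch@
2001-05-17T12:00:05 203.0.113.7 STOR 1mb
2001-05-17T12:00:09 203.0.113.7 MKD .tmp
2001-05-17T12:01:01 198.51.100.4 PASS partner@example.org
2001-05-17T12:01:10 198.51.100.4 STOR build-2001-05-17.tar.gz
""".splitlines()

def classify(line):
    """Return (client_ip, reason) when the logged command matches an indicator."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd") + (" " + m.group("arg") if m.group("arg") else "")
    for reason, pat in SUSPICIOUS:
        if pat.search(cmd):
            return m.group("ip"), reason

class Watcher:
    """feed() returns the client IP the first time it has tripped `threshold`
    distinct indicators; each IP is reported once, so the rule is added once."""
    def __init__(self, threshold=2):
        self.threshold, self.hits, self.blocked = threshold, {}, set()
    def feed(self, line):
        result = classify(line)
        if result is None:
            return None
        ip, reason = result
        self.hits.setdefault(ip, set()).add(reason)
        if len(self.hits[ip]) >= self.threshold and ip not in self.blocked:
            self.blocked.add(ip)
            return ip

def block_command(ip):
    # iptables syntax; the post used ipchains, its predecessor on Linux.
    return f"iptables -I INPUT -s {ip} -p tcp --dport 21 -j DROP"

def run(lines):
    """Lazy, so it keeps up with 'tail -f ftp.log | python watch.py' on stdin."""
    return (block_command(ip) for ip in filter(None, map(Watcher().feed, lines)))
```

Running `run(SAMPLE_LOG)` yields one rule for 203.0.113.7 and nothing for the partner's session; raise the threshold or extend SUSPICIOUS to match whatever the local tools actually send.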
This archive was generated by hypermail 2b30 : Thu May 17 2001 - 13:11:02 PDT