RE: 'FrogEater'

From: Benninghoff, John (JABenninghoffat_private)
Date: Fri May 18 2001 - 08:45:31 PDT

    wu-ftpd (http://www.wuftpd.org) supports upload-only directories that don't
    allow directory creation (MKD). The site has a HOWTO on how to configure
    this properly.
    
    If you use OpenBSD, there are patches to the OBSD ftpd at
    http://www.zzlevo.net/ftpd/ that provide even greater control over which FTP
    commands users can use.
    
    -----Original Message-----
    From: Richard Bartlett [mailto:richardat_private]
    Sent: Wednesday, May 16, 2001 10:21 AM
    To: James W. Abendschan; incidentsat_private
    Subject: RE: 'FrogEater'
    
    
    At the moment I'm responsible for an ftp site which allows anonymous write
    access to a directory to allow development partners to upload files.  They
    have also been hit with warez activity similar to FrogEater, with 1K and
    1MB test files being uploaded, followed by various directories (.tmp,
    tagged, 010305102214p etc.) being created and warez uploaded.  I wonder
    whether there is any way (perhaps using network/host IDS signatures) to
    detect this sort of activity and block the intruding warez d00d, or at least
    alert a sysadmin?
    
    Any ideas?
    
    Richard Bartlett
    Hacker Immunity Ltd
    
    (I'm currently working on setting up permissions so the uploadable
    directories are execute only; i.e. you can't see it in dir/ls, but you can
    cd to it, and the dir names will be suitably obscure to prevent them being
    guessed).
    
    -----Original Message-----
    From: James W. Abendschan [mailto:jwaat_private]
    Sent: 12 May 2001 02:58
    To: incidentsat_private
    Subject: Re: 'FrogEater'
    
    
    On Tue, 24 Apr 2001, James W. Abendschan wrote:
    > This is not a security incident as much as it's fingerprints of warez
    > d00d activity, but I was curious if anyone else has seen this tool.
    
    [ .. ]
    
    Well, while the general consensus was that this was not a tool,
    I'm still not convinced it wasn't something like Grim's Ping.
    ( http://grimsping.cjb.net/ )
    
    Chris G. pointed me to a warez d00d discussion site where someone going
    by the handle of FrogEater hangs out:
    
      http://www.netknowledgebase.com/forum/bb_profile.php?mode=view&user=61
    
    Someone else suggested using an FTP search engine instead of google
    to hunt for these things (doh!).  While 'FrogEater' didn't show up,
    the '1MB.TEST' file did:
    
    
    http://www.ftpfind.com/search.php?query=1MB.TEST&method=iss&limdom=&limpath=&sort=date&ppage=500&x=23&y=4
    
    .. the earliest seems to be 12 April 2000, but who knows how complete
    ftpfind.com is :-)
    
    warez.. sigh..
    
    James
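
Added example, not part of the original thread: one way to alert on the pattern described above (small test-file uploads followed by files landing in oddly named directories) by triaging a wu-ftpd xferlog. The log lines are constructed, and the two name patterns are assumptions modelled on the names quoted in the thread (`1MB.TEST`, `.tmp`, `tagged`, `010305102214p`).

```python
import re
from collections import defaultdict

# Constructed xferlog lines in the standard wu-ftpd layout (hosts/paths are made up).
SAMPLE_XFERLOG = """\
Wed May 16 10:02:11 2001 1 host-a.example.net 1024 /incoming/1KB.TEST b _ i a mozilla@ ftp 0 * c
Wed May 16 10:02:19 2001 4 host-a.example.net 1048576 /incoming/1MB.TEST b _ i a mozilla@ ftp 0 * c
Wed May 16 10:05:40 2001 310 host-a.example.net 15000000 /incoming/.tmp/tagged/010305102214p/disk1.rar b _ i a mozilla@ ftp 0 * c
Wed May 16 11:30:02 2001 12 partner.example.org 482133 /incoming/build-0516.tar.gz b _ i a dev@partner.example.org ftp 0 * c
Wed May 16 11:45:00 2001 2 host-b.example.net 20480 /pub/README b _ o a guest@ ftp 0 * c
"""

# Assumed heuristics: speed-test style file names and hidden/tagged/timestamp directories.
PROBE = re.compile(r"^\d+\s?(K|KB|M|MB)[._-]?TEST$", re.I)
ODD_DIR = re.compile(r"^(\..+|tagged|\d{12}p)$", re.I)

def parse(line):
    """Split one xferlog line; the file name sits between 8 leading and 9 trailing fields."""
    p = line.split()
    if len(p) < 18 or not p[7].isdigit():
        return None
    return {"host": p[6], "size": int(p[7]), "path": " ".join(p[8:-9]),
            "direction": p[-7], "access": p[-6]}

def triage(log_text):
    """Return {host: sorted reasons} for anonymous uploads matching the heuristics."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        # Only incoming ('i') transfers by anonymous ('a') sessions are of interest.
        if not rec or rec["direction"] != "i" or rec["access"] != "a":
            continue
        *dirs, name = rec["path"].strip("/").split("/")
        if PROBE.match(name):
            findings[rec["host"]].add("probe-file:" + name)
        for d in dirs:
            if ODD_DIR.match(d):
                findings[rec["host"]].add("odd-dir:" + d)
    return {h: sorted(r) for h, r in findings.items()}

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_XFERLOG).items():
        print(host, ", ".join(reasons))
```

The xferlog records transfers only, so a directory shows up here once a file has been uploaded into it, not at the moment it is created.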
    



    This archive was generated by hypermail 2b30 : Fri May 18 2001 - 08:46:21 PDT