Jeff, I found the same attempt was made on some of our systems. I first noticed a scan in our firewall logs last Tuesday or Wednesday (5/22-5/23). After ftp service was detected, a login attempt was made by anonymous with password guestat_private We have no need for anonymous login and our servers are patched up to the latest security patch, so I didn't worry, just made note. I just assumed it was someone looking for anonymous ftp servers. However, given your information below, I beginning to suspect that it may be something more malicious. Perhaps it is just a program looking for anonymous ftp, but why try and created an *.asp file? Anyone else have some input? Jared -----Original Message----- From: CL: Nelson, Jeff [mailto:JNelsonat_private] Sent: Tuesday, May 29, 2001 10:28 AM To: 'FOCUS-MSat_private' Subject: Identify Method Good day, Time to admit complete ignorance here. Some person created several directories in _vti_pvt. I've tried to replicate what I have in my IIS logs to no avail. Here is what I see: USER anonymous 331 PASS anonymousat_private 230 MKD /_vti_pvt/+.+tagged+4+SWAA 257 QUIT - 257 Then another 14 minutes later: USER anonymous 331 PASS guestat_private 230 created /1kbtest.ptf 250 DELE /1kbtest 250 created /space.asp 226 DELE /space.asp 250 First, what is going on? How were they able to do this? When I try I get an error stating path cannot be found. Second, (and I think I've asked this before) is there a resource that goes in-depth to what is taking place? Most of the material I have is for Unix systems, not IIS. Regards, Jeff Jeffrey L. Nelson Network Manager; Cleveland Motion Controls jnelsonat_private; 216-642-5147 ---- "The musical notes are only five in number but their melodies, are so numerous that one cannot visualize them all." -- Sun Tzu
This archive was generated by hypermail 2b30 : Wed May 30 2001 - 08:21:16 PDT