Our honeypot was compromised this weekend following the exact same activity. I haven't taken the time yet to do a forensic analysis of the box, and may not bother. I do know that the breach was via buffer overflows in wu-ftpd (unpatched). More detailed info may follow.

Keith T. Morgan
Chief of Information Security
Terradon Communications
keith.morganat_private
304-755-8291 x142

> -----Original Message-----
> From: Ingersoll, Jared [mailto:JIngersollat_private]
> Sent: Wednesday, May 30, 2001 8:18 AM
> To: 'CL: Nelson, Jeff'; 'FOCUS-MSat_private'
> Cc: incidentsat_private
> Subject: RE: Identify Method
>
> Jeff,
>
> I found the same attempt was made on some of our systems. I first noticed a
> scan in our firewall logs last Tuesday or Wednesday (5/22-5/23). After ftp
> service was detected, a login attempt was made by anonymous with password
> guestat_private. We have no need for anonymous login and our servers are
> patched up to the latest security patch, so I didn't worry, just made note.
> I just assumed it was someone looking for anonymous ftp servers. However,
> given your information below, I'm beginning to suspect that it may be
> something more malicious. Perhaps it is just a program looking for anonymous
> ftp, but why try and create an *.asp file? Anyone else have some input?
>
> Jared
>
> -----Original Message-----
> From: CL: Nelson, Jeff [mailto:JNelsonat_private]
> Sent: Tuesday, May 29, 2001 10:28 AM
> To: 'FOCUS-MSat_private'
> Subject: Identify Method
>
> Good day,
>
> Time to admit complete ignorance here. Some person created several
> directories in _vti_pvt. I've tried to replicate what I have in my IIS logs
> to no avail.
>
> Here is what I see:
>
> USER anonymous 331
> PASS anonymousat_private 230
> MKD /_vti_pvt/+.+tagged+4+SWAA 257
> QUIT - 257
>
> Then another 14 minutes later:
>
> USER anonymous 331
> PASS guestat_private 230
> created /1kbtest.ptf 250
> DELE /1kbtest 250
> created /space.asp 226
> DELE /space.asp 250
>
> First, what is going on? How were they able to do this? When I try I get an
> error stating path cannot be found.
>
> Second, (and I think I've asked this before) is there a resource that goes
> in-depth to what is taking place? Most of the material I have is for Unix
> systems, not IIS.
>
> Regards,
>
> Jeff
>
> Jeffrey L. Nelson
> Network Manager; Cleveland Motion Controls
> jnelsonat_private; 216-642-5147
> ----
> "The musical notes are only five in number but their melodies are so
> numerous that one cannot visualize them all." -- Sun Tzu
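What the logs Jeff quoted actually record is an anonymous login that succeeds (PASS ... 230) and then goes on to create and delete directories and files (MKD, "created" for a STOR, DELE), i.e. a check of whether the anonymous account can write to the server. That sequence is easy to pick out of a log mechanically. The script below is an added example written for this thread, not code from any of the posters; it assumes the simplified one-entry-per-line "command argument status" layout shown in Jeff's message (real IIS FTP logs carry more fields, so parse_line() would need extending), treats each USER command as the start of a session, and flags sessions where an anonymous login authenticated and then issued successful write-type commands. The "+...tagged+" directory-name pattern is taken from the single MKD line in the thread and is an assumption about what a probe of this kind names its marker directory, not a documented signature. The sample log lines are constructed from the ones quoted above plus two harmless sessions for contrast.

```python
"""Flag anonymous FTP logins that go on to write to the server.

Added example for this thread; not code from the original posts.
Assumed log layout (from the lines quoted in the thread):
    <command> <argument> <status>
one entry per line, in session order.
"""
import re
from dataclasses import dataclass, field

# Commands whose 2xx reply means the client changed something on disk.
# "created" is how the quoted log rendered a successful STOR.
WRITE_COMMANDS = {"MKD", "STOR", "created", "DELE", "RMD", "RNTO", "APPE"}

# Assumed marker-directory pattern, generalised from the one MKD line
# in the thread (/_vti_pvt/+.+tagged+4+SWAA).
TAG_RE = re.compile(r"\+.*tagged\+", re.IGNORECASE)

ANONYMOUS_USERS = {"anonymous", "ftp"}


@dataclass
class Session:
    user: str = ""
    authenticated: bool = False
    writes: list = field(default_factory=list)   # (command, argument, status)
    tagged: list = field(default_factory=list)   # arguments matching TAG_RE


def parse_line(line):
    """Split 'COMMAND ARG STATUS' into (cmd, arg, int status); None if it doesn't fit."""
    parts = line.split()
    if len(parts) != 3 or not parts[2].isdigit():
        return None
    return parts[0], parts[1], int(parts[2])


def sessions_from_log(lines):
    """Group log entries into sessions; each USER command opens a new one."""
    sessions, current = [], None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip blank or unparseable lines
        cmd, arg, status = parsed
        if cmd == "USER":
            current = Session(user=arg.lower())
            sessions.append(current)
            continue
        if current is None:
            continue                      # entry before any USER: ignore
        if cmd == "PASS" and status == 230:
            current.authenticated = True
        elif cmd in WRITE_COMMANDS and 200 <= status < 300:
            current.writes.append((cmd, arg, status))
            if TAG_RE.search(arg):
                current.tagged.append(arg)
    return sessions


def anonymous_writes(lines):
    """Sessions where an anonymous login succeeded and then wrote or deleted."""
    return [s for s in sessions_from_log(lines)
            if s.user in ANONYMOUS_USERS and s.authenticated and s.writes]


# Constructed sample: the two sessions quoted in the thread, then an
# anonymous session that only lists, then a named user uploading a file.
SAMPLE_LOG = """\
USER anonymous 331
PASS anonymousat_private 230
MKD /_vti_pvt/+.+tagged+4+SWAA 257
QUIT - 257
USER anonymous 331
PASS guestat_private 230
created /1kbtest.ptf 250
DELE /1kbtest 250
created /space.asp 226
DELE /space.asp 250
USER anonymous 331
PASS mozilla@ 230
LIST - 226
QUIT - 221
USER jnelson 331
PASS ******** 230
STOR /reports/q2.xls 226
QUIT - 221
""".splitlines()


if __name__ == "__main__":
    for s in anonymous_writes(SAMPLE_LOG):
        print(f"anonymous write session: {len(s.writes)} write(s), "
              f"tagged dirs: {s.tagged or 'none'}")
        for cmd, arg, status in s.writes:
            print(f"    {cmd} {arg} -> {status}")
```

Only the first two sessions are reported: the anonymous session that merely issues LIST and the named user's upload are left alone, which is the distinction that matters when deciding whether anonymous write access is enabled where it should not be.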
This archive was generated by hypermail 2b30 : Wed May 30 2001 - 15:32:26 PDT