RE: Identify Method

From: Bobby, Paul (paul.bobbyat_private)
Date: Wed May 30 2001 - 10:34:09 PDT


    What was noticed in my environment is that the source (both times it
    occurred) was from Germany. The tool logged in via anonymous ftp and tried the
    following:
    
    cd /pub
    cd /public
    cd /pub/incoming
    cd /incoming
    cd /_vti_pvt
    cd /
    mkd 010528203204p
    cd /upload
    
    not successful, so I didn't see what would happen if those directories did
    exist.
    
    -----Original Message-----
    From: Ingersoll, Jared [mailto:JIngersollat_private]
    Sent: Wednesday, May 30, 2001 8:18 AM
    To: 'CL: Nelson, Jeff'; 'FOCUS-MSat_private'
    Cc: incidentsat_private
    Subject: RE: Identify Method
    
    
    Jeff,
    
    I found the same attempt was made on some of our systems. I first noticed a
    scan in our firewall logs last Tuesday or Wednesday (5/22-5/23). After ftp
    service was detected, a login attempt was made by anonymous with password
    guestat_private. We have no need for anonymous login and our servers are
    patched up to the latest security patch, so I didn't worry, just made note.
    I just assumed it was someone looking for anonymous ftp servers. However,
    given your information below, I'm beginning to suspect that it may be
    something more malicious. Perhaps it is just a program looking for anonymous
    ftp, but why try and create an *.asp file? Anyone else have some input?
    
    Jared
    -----Original Message-----
    From: CL: Nelson, Jeff [mailto:JNelsonat_private]
    Sent: Tuesday, May 29, 2001 10:28 AM
    To: 'FOCUS-MSat_private'
    Subject: Identify Method
    
    
    Good day,
    
    Time to admit complete ignorance here. Some person created several
    directories in _vti_pvt. I've tried to replicate what I have in my IIS logs
    to no avail. Here is what I see:
    
    USER	anonymous	331
    PASS	anonymousat_private	230
    MKD	/_vti_pvt/+.+tagged+4+SWAA	257
    QUIT	-	257
    
    Then another 14 minutes later:
    
    USER anonymous 331
    PASS guestat_private 230
    created /1kbtest.ptf 250
    DELE /1kbtest 250
    created /space.asp 226
    DELE /space.asp 250
    
    First, what is going on? How were they able to do this? When I try I get an
    error stating path cannot be found.
    
    Second, (and I think I've asked this before) is there a resource that goes
    in-depth to what is taking place? Most of the material I have is for Unix
    systems, not IIS.
    
    Regards,
    
    Jeff
    
    Jeffrey L. Nelson
    Network Manager; Cleveland Motion Controls
    jnelsonat_private; 216-642-5147
    ----
    "The musical notes are only five in number, but their melodies are so
    numerous that one cannot visualize them all."   -- Sun Tzu
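A defender-side check for the pattern discussed in this thread, written as an added example (it is not code from any of the posters): it parses FTP log lines of the form `command argument status`, like the IIS lines Jeff pasted, and flags a session in which an anonymous login is followed by successful writes (MKD, "created", DELE, ...) or by probing of the drop directories Paul listed. The sample session in the block is constructed; the password and directory names are placeholders modelled on the thread.

```python
import re
from dataclasses import dataclass, field

# Filesystem-modifying commands. "created" is how the IIS FTP log in the
# thread records a successful upload, so it is treated as a write too.
WRITE_CMDS = {"MKD", "STOR", "APPE", "DELE", "RMD", "RNTO", "CREATED"}
# Directories the scanning tool tried in turn, looking for a writable spot.
PROBE_DIRS = {"/pub", "/public", "/pub/incoming", "/incoming", "/_vti_pvt", "/upload"}
ANON_USERS = {"anonymous", "ftp"}
LINE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d{3})\s*$")  # cmd arg status

@dataclass
class Session:
    anonymous: bool = False                  # USER was anonymous/ftp
    logged_in: bool = False                  # PASS was answered with 230
    probes: list = field(default_factory=list)
    writes: list = field(default_factory=list)

def analyse(lines):
    """Walk one session's log lines and return a list of human-readable findings."""
    s = Session()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                         # skip headers / unparseable lines
        cmd, arg, status = m.group(1).upper(), m.group(2), int(m.group(3))
        if cmd == "USER":
            s.anonymous = arg.lower() in ANON_USERS
        elif cmd == "PASS" and status == 230:
            s.logged_in = True
        elif cmd == "CWD" and arg in PROBE_DIRS:
            s.probes.append(arg)             # count attempts, successful or not
        elif cmd in WRITE_CMDS and s.logged_in and 200 <= status < 300:
            s.writes.append(f"{cmd} {arg}")
    findings = []
    if s.anonymous and s.logged_in and s.writes:
        findings.append(f"anonymous account performed {len(s.writes)} "
                        f"successful write(s): {', '.join(s.writes)}")
    if s.anonymous and len(s.probes) >= 3:
        findings.append("drop-directory probing: " + ", ".join(s.probes))
    return findings

# Constructed session modelled on the thread (not a real log).
SAMPLE_SESSION = """\
USER anonymous 331
PASS guest@example.invalid 230
CWD /pub 550
CWD /incoming 550
CWD /_vti_pvt 250
MKD /_vti_pvt/+.+tagged+4+SWAA 257
created /1kbtest.ptf 250
DELE /1kbtest.ptf 250
created /space.asp 226
DELE /space.asp 250
QUIT - 221""".splitlines()
```

On a real server, feed `analyse` the lines of one client's session at a time (split by source address and login); a session that trips the first finding is a server that allows anonymous writes, regardless of whether the files were deleted again afterwards.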
    



    This archive was generated by hypermail 2b30 : Wed May 30 2001 - 16:39:04 PDT