RE: annoying ftp probes

From: Mark Villanova (markat_private)
Date: Mon Aug 20 2001 - 12:28:00 PDT


    Looks like pubfind.  This is an automated tool for scanning for "pubs".
    It is Windows-based and quite effective at finding sites that allow
    anonymous write access.  Some versions of it will automatically create a
    hard-to-find directory for warez storage and notify the person running
    the scan.
    
    -----Original Message-----
    From: Emil Popov [mailto:emoat_private]
    Sent: Monday, August 20, 2001 3:33 AM
    To: incidentsat_private
    Subject: annoying ftp probes
    
    
    Hi,
    
    I have been getting some annoying connections to my ftpd like:
    
    Aug 20 07:58:28 ds ftpd[7527]: connection from cc821361-d.vron1.nj.home.com
    Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM cc821361-d.vron1.nj.home.com, guestat_private
    Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
    Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
    Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM ip-90-202.evc.net, guestat_private
    Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p
    
    They are coming from various ISPs at random time intervals.
    It seems that this is some scanner that searches for world-writable
    ftp sites, and since those requests have been coming from *almost*
    random hosts, I am only able to cumulatively add whole ISP domains
    to my hosts.deny. I added a response line, i.e. an instant nmap to those
    guys, and up to now my nmap resulted in scanning either the firewall of
    the ISP, or a Windows machine (win :), they may soon get an automated DoS
    if they keep on :)) ).
    
    So I presume it's a Win tool.
    
    Any idea what the tool is?
    Any idea of a better defence (not that my site is world-writable, but
    anyway..)
    
    Thanks
    
    p.s. There is a very famous WarezFTP site in Bulgaria, and I see them
    getting those same (in format) directories created, so it really seems
    like a scanner that just goes around mkdir'ing.
    
    p.p.s. Sorry for mentioning the unmasked hostnames, but I believe they
    deserve that.
    
    Emil Popov
    Primasoft Ltd.
    emoat_private
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    

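The probe pattern Emil quotes (an anonymous login followed a second later by a mkdir of a 12-digit name ending in "p", from the same ftpd process) can be picked out of a syslog-format ftpd log by correlating on the process id. The detector below is an added example, not code from the thread; the log lines are constructed in the shape of the quoted ones with placeholder hostnames, and the directory-name pattern is an assumption drawn from the two samples in the post.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the ftpd entries quoted in the post
# (wrapped lines rejoined); hostnames are placeholders, not the real ones.
SAMPLE_LOG = """\
Aug 20 07:58:28 ds ftpd[7527]: connection from scanner-a.example.net
Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM scanner-a.example.net, guest@example.com
Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
Aug 20 09:12:02 ds ftpd[7611]: ANONYMOUS FTP LOGIN FROM mirror.example.org, ftp@example.com
Aug 20 09:12:40 ds ftpd[7611]: mkdir incoming-tools
Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM scanner-b.example.net, guest@example.com
Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p
"""

LINE_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ftpd\[(\d+)\]: (.*)$')
LOGIN_RE = re.compile(r'^ANONYMOUS FTP LOGIN FROM (\S+?),')
MKDIR_RE = re.compile(r'^mkdir (\S+)$')
# Assumption: the scanner names its directory with 12 digits plus "p",
# as in the two samples in the post (010820012936p, 010819061100p).
PROBE_DIR_RE = re.compile(r'^\d{12}p$')
YEAR = 2001  # syslog lines carry no year; taken from the post's date

def parse_ts(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")

def find_probes(log_text, max_gap_seconds=10):
    """Return (host, dirname) for each anonymous login that the same ftpd
    process follows with a probe-style mkdir within max_gap_seconds."""
    pending = {}  # pid -> (login time, client host)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, msg = parse_ts(m.group(1)), m.group(2), m.group(3)
        login = LOGIN_RE.match(msg)
        if login:
            pending[pid] = (ts, login.group(1))
            continue
        mk = MKDIR_RE.match(msg)
        if mk and pid in pending:
            login_ts, host = pending.pop(pid)
            gap = (ts - login_ts).total_seconds()
            if PROBE_DIR_RE.match(mk.group(1)) and gap <= max_gap_seconds:
                hits.append((host, mk.group(1)))
    return hits

for host, dirname in find_probes(SAMPLE_LOG):
    print(f"probable pub scanner: {host} created {dirname}")
```

The mirror's ordinary mkdir is not flagged, so the output is a list of hosts worth adding to hosts.deny rather than every anonymous user who created a directory.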
    This archive was generated by hypermail 2b30 : Mon Aug 20 2001 - 13:06:56 PDT