Re: FTP scans from wanadoo.fr

From: dr john halewood (johnat_private)
Date: Tue Dec 18 2001 - 02:49:51 PST

Next message: Alexandre Pinto: "Re: FTP scans from wanadoo.fr"

Previous message: Aaron Wolfe: "wanadoo.fr's ip blocks"
In reply to: Aaron Wolfe: "FTP scans from wanadoo.fr"
Next in thread: Alexandre Pinto: "Re: FTP scans from wanadoo.fr"
Reply: Alexandre Pinto: "Re: FTP scans from wanadoo.fr"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

There's a distinct pattern to these scans from wanadoo. Looking through some 
logs (I allow anonymous login but with read-only access on one box). I've 
noticed the following:
the anonymous login password: frequently [A-Z]gpuserat_private
an attempt to cd to some directories: /ftproot, /wwwroot, /_vti_bin, 
/_vti_cnf, /cgi-bin, amongst others: the pattern varies, but all requests 
take place within a second, so it's definitely scripted. This is followed by 
an attempt to create a number of directories with a name such as
011203022432p, where the first 6 digits are YYMMDD.

Anyone recognise the tool?

Cheers
john

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Alexandre Pinto: "Re: FTP scans from wanadoo.fr"
Previous message: Aaron Wolfe: "wanadoo.fr's ip blocks"
In reply to: Aaron Wolfe: "FTP scans from wanadoo.fr"
Next in thread: Alexandre Pinto: "Re: FTP scans from wanadoo.fr"
Reply: Alexandre Pinto: "Re: FTP scans from wanadoo.fr"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Dec 18 2001 - 10:18:44 PST