Re: FTP scans from wanadoo.fr

From: dr john halewood (johnat_private)
Date: Tue Dec 18 2001 - 02:49:51 PST

  • Next message: Alexandre Pinto: "Re: FTP scans from wanadoo.fr"

    There's a distinct pattern to these scans from wanadoo. Looking through some 
    logs (I allow anonymous login but with read-only access on one box). I've 
    noticed the following:
    the anonymous login password: frequently [A-Z]gpuserat_private
    an attempt to cd to some directories: /ftproot, /wwwroot, /_vti_bin, 
    /_vti_cnf, /cgi-bin, amongst others: the pattern varies, but all requests 
    take place within a second, so it's definitely scripted. This is followed by 
    an attempt to create a number of directories with a name such as
    011203022432p, where the first 6 digits are YYMMDD.
    
    Anyone recognise the tool?
    
    Cheers
    john
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Dec 18 2001 - 10:18:44 PST