> the anonymous login password: frequently [A-Z]gpuserat_private > an attempt to cd to some directories: /ftproot, /wwwroot, /_vti_bin, > /_vti_cnf, /cgi-bin, amongst others: the pattern varies, but all requests > take place within a second, so it's definitely scripted. This is followed by > an attempt to create a number of directories with a name such as > 011203022432p, where the first 6 digits are YYMMDD. > > Anyone recognise the tool? That must be Grim's Ping (http://grimsping.cjb.net/). There was a discussion about attacks generated by this tool recently on other SecurityFocus lists (not sure if it was Vuln-Dev or Pen-Test). Cheers, Alexcp -- Alexandre Correia Pinto Desenvolvimento de Produto Cipher Technology http://www.ciphertech.com.br _____ "Segurança em TI - uma especialidade Cipher Technology" ----- Original Message ----- From: "dr john halewood" <johnat_private> To: <aaronat_private>; <incidentsat_private> Sent: Tuesday, December 18, 2001 8:49 AM Subject: Re: FTP scans from wanadoo.fr > There's a distinct pattern to these scans from wanadoo. Looking through some > logs (I allow anonymous login but with read-only access on one box). I've > noticed the following: > > Cheers > john > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > > > > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Dec 18 2001 - 10:50:44 PST