I have just looked at the few samples that have appeared here but it also looks as if the last 6 digits (exclude the "p") may also be a time HHMMSS and the "p" might indicate PM.

Chris.

-----Original Message-----
From: dr john halewood [mailto:johnat_private]
Sent: Tuesday, December 18, 2001 5:50 AM
To: aaronat_private; incidentsat_private
Subject: Re: FTP scans from wanadoo.fr

There's a distinct pattern to these scans from wanadoo. Looking through some logs (I allow anonymous login but with read-only access on one box), I've noticed the following:

the anonymous login password: frequently [A-Z]gpuserat_private

an attempt to cd to some directories: /ftproot, /wwwroot, /_vti_bin, /_vti_cnf, /cgi-bin, amongst others: the pattern varies, but all requests take place within a second, so it's definitely scripted.

This is followed by an attempt to create a number of directories with a name such as 011203022432p, where the first 6 digits are YYMMDD.

Anyone recognise the tool?

Cheers
john

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
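
An added example, not part of the original messages: a log check for the pattern the thread describes, flagging sources that cd into the listed directories and then create a directory named like 011203022432p. The log line format, the sample lines and the names parse_tag and scan are assumptions made for this sketch.

```python
import re
from datetime import datetime

# Name shape reported in the thread: 12 digits followed by "p".
TAG_RE = re.compile(r"^(\d{12})p$")
# Directories the thread lists as cd targets of the script.
PROBE_DIRS = {"/ftproot", "/wwwroot", "/_vti_bin", "/_vti_cnf", "/cgi-bin"}

# Constructed sample. The format "<epoch> <src> <command> <argument>" is an
# assumption; adapt the split in scan() to your FTP daemon's log.
SAMPLE = [
    "1008683400.10 192.0.2.10 USER anonymous",
    "1008683400.31 192.0.2.10 CWD /ftproot",
    "1008683400.45 192.0.2.10 CWD /_vti_bin",
    "1008683400.62 192.0.2.10 CWD /cgi-bin",
    "1008683401.90 192.0.2.10 MKD 011203022432p",
    "1008683500.00 198.51.100.7 CWD /pub",
    "1008683501.00 198.51.100.7 MKD 011399022432p",
]

def parse_tag(name):
    """Return (date, time) if name reads as YYMMDD+HHMMSS+'p', else None."""
    m = TAG_RE.match(name.rstrip("/").rsplit("/", 1)[-1])
    if not m:
        return None
    try:
        # Hours are read as 00-23; the "p = PM" reading is only a guess.
        stamp = datetime.strptime(m.group(1), "%y%m%d%H%M%S")
    except ValueError:  # twelve digits that are not a real date and time
        return None
    return stamp.date(), stamp.time()

def scan(lines):
    """Return sources that probed the listed dirs and also made a tag dir."""
    seen = {}
    for line in lines:
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue
        ts, src, cmd, arg = parts[0], parts[1], parts[2].upper(), parts[3].strip()
        rec = seen.setdefault(src, {"probes": [], "tags": []})
        if cmd == "CWD" and arg.rstrip("/").lower() in PROBE_DIRS:
            rec["probes"].append(float(ts))
        elif cmd == "MKD" and parse_tag(arg):
            rec["tags"].append(arg)
    return {
        src: {"tags": r["tags"], "probe_span": max(r["probes"]) - min(r["probes"])}
        for src, r in seen.items() if r["probes"] and r["tags"]
    }

if __name__ == "__main__":
    for src, info in scan(SAMPLE).items():
        print(src, info)
```

A probe_span under one second matches the "all requests take place within a second" observation in the original message.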
This archive was generated by hypermail 2b30 : Tue Dec 18 2001 - 10:57:16 PST