RE: FTP scans from wanadoo.fr

From: Barber, Chris (cbarberat_private)
Date: Tue Dec 18 2001 - 10:24:52 PST


    I have just looked at the few samples that have appeared here but it also
    looks as if the last 6 digits (excluding the "p") may also be a time HHMMSS
    and the "p" might indicate PM.
    
    Chris.
    
    -----Original Message-----
    From: dr john halewood [mailto:johnat_private]
    Sent: Tuesday, December 18, 2001 5:50 AM
    To: aaronat_private; incidentsat_private
    Subject: Re: FTP scans from wanadoo.fr
    
    
    There's a distinct pattern to these scans from wanadoo. Looking through some
    logs (I allow anonymous login but with read-only access on one box), I've
    noticed the following:
    the anonymous login password: frequently [A-Z]gpuserat_private
    an attempt to cd to some directories: /ftproot, /wwwroot, /_vti_bin,
    /_vti_cnf, /cgi-bin, amongst others: the pattern varies, but all requests
    take place within a second, so it's definitely scripted. This is followed by
    an attempt to create a number of directories with a name such as
    011203022432p, where the first 6 digits are YYMMDD.
    
    Anyone recognise the tool?
    
    Cheers
    john
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Tue Dec 18 2001 - 10:57:16 PST
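
The pattern described in this thread, turned into a log check. This is an added example, not code from either poster or from the tool they discuss. The log line format, the function names and the sample lines are assumptions constructed for illustration, and reading the trailing "p" as PM is only the hypothesis raised in the reply.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Directories the post lists as probed with CWD.
PROBE_DIRS = {"/ftproot", "/wwwroot", "/_vti_bin", "/_vti_cnf", "/cgi-bin"}
# 12 digits plus an optional trailing letter, e.g. 011203022432p.
NAME_RE = re.compile(r"^(\d{12})([a-z]?)$")

def decode_dirname(name):
    """Decode YYMMDD + HHMMSS; a trailing 'p' is read as PM (hypothesis)."""
    m = NAME_RE.match(name.rsplit("/", 1)[-1])
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%y%m%d%H%M%S")
    except ValueError:  # 12 digits that do not form a valid date/time
        return None
    if m.group(2) == "p" and ts.hour < 12:
        ts += timedelta(hours=12)
    return ts

def find_scans(lines, min_probes=3, window=timedelta(seconds=1)):
    """Return {ip: [decoded MKD names]} for sources that sent a CWD probe
    burst inside `window` and also tried to create a timestamp-named dir."""
    events = defaultdict(list)
    for line in lines:
        stamp, ip, cmd, arg = line.split(None, 3)
        events[ip].append((datetime.fromisoformat(stamp), cmd.upper(), arg.strip()))
    hits = {}
    for ip, evs in events.items():
        probes = sorted(t for t, c, a in evs if c == "CWD" and a in PROBE_DIRS)
        burst = any(probes[i + min_probes - 1] - probes[i] <= window
                    for i in range(len(probes) - min_probes + 1))
        made = [decode_dirname(a) for _, c, a in evs if c == "MKD"]
        made = [d for d in made if d is not None]
        if burst and made:
            hits[ip] = made
    return hits

# Constructed sample log (not from the post): "ISO-time ip command argument".
SAMPLE = [
    "2001-12-18T05:12:01 192.0.2.10 CWD /ftproot",
    "2001-12-18T05:12:01 192.0.2.10 CWD /wwwroot",
    "2001-12-18T05:12:01 192.0.2.10 CWD /_vti_bin",
    "2001-12-18T05:12:02 192.0.2.10 MKD 011203022432p",
    "2001-12-18T06:00:00 198.51.100.7 CWD /pub",
    "2001-12-18T06:00:09 198.51.100.7 MKD uploads",
]
```

A mismatch between the decoded name and the server's own clock for the same MKD is worth recording, since it would reflect the clock setting on the scanning host.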