Re: anoat_private ftpd dip.t-dialin.net

From: Skip Carter (skipat_private)
Date: Wed Nov 06 2002 - 18:19:03 PST


    > I have seen some interesting access on a few anonymous ftp servers
    > logs.
    > 
    > The following sequence occurs:
    > 1) The user logs on anonymously with the username anoat_private
    > 2) user transfers a repeating binary file XXX.XXX where the X is a digit
    > (e.g. 471.995)
    >     the file has a repeating pattern to it.
    >     the file size is: 104154 (bytes)
    >     file name was: 471.995 (maybe a sequencing number for reassembly...)
    > 
    
      I have been seeing the same thing since August.
      A couple of additional interesting facts:
    
        -- they sometimes leave 2 or 3 files with different names
    
        -- the name format is sometimes X.XX, XX.XX, XX.XXX
           (and other permutations)
    
        -- the md5sum is ALWAYS 9a5c9475663ad6dcf53f42446972a7b1
           so it's the same file with different names
           (except one time where the file size was 250000 bytes
           and the md5sum was a155cf69d10d449bc1f2933330f9c5a5).
    
        -- there are other origins besides t-dialin.net:
    
               cox.net
               rr.com
               wanadoo.fr
               qdsl-home.de
               ipt.aol.com
    
           (but the user always uses anoat_private )
    
    
    
    Skip
    
    
    -- 
     Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
     Taygeta Scientific Inc.        INTERNET: skipat_private
     1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
     Monterey, CA. 93940            
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
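
One way to check an anonymous FTP upload area for the pattern reported in this message, as an added example that is not part of the original post: it hashes every file whose name is only digits around a single dot and reports content that either matches a digest quoted above or appears under more than one name. The function names, the directory argument and the exact name regex (a guess at "other permutations") are assumptions.

```python
import hashlib
import re
import sys
from collections import defaultdict
from pathlib import Path

# Assumed name shapes: X.XX, XX.XX, XX.XXX, XXX.XXX and similar digit-only names.
DIGIT_NAME = re.compile(r"^\d{1,3}\.\d{2,3}$")

# The two digests quoted in the message above.
REPORTED_MD5 = {
    "9a5c9475663ad6dcf53f42446972a7b1",
    "a155cf69d10d449bc1f2933330f9c5a5",
}

def md5_of(path, chunk=65536):
    """MD5 of a file, read in chunks; used only to compare with the quoted digests."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_uploads(root):
    """Group digit-named regular files under root by digest and return the suspicious groups."""
    by_digest = defaultdict(list)
    for p in Path(root).rglob("*"):
        # Skip symlinks so a planted link cannot make the scan read outside root.
        if p.is_file() and not p.is_symlink() and DIGIT_NAME.match(p.name):
            by_digest[md5_of(p)].append(p)
    findings = []
    for digest, paths in by_digest.items():
        reported = digest in REPORTED_MD5
        if reported or len(paths) > 1:  # known digest, or same content under several names
            findings.append({
                "md5": digest,
                "reported_in_thread": reported,
                "size": paths[0].stat().st_size,
                "names": sorted(q.name for q in paths),
            })
    return sorted(findings, key=lambda f: f["md5"])

if __name__ == "__main__":
    for f in scan_uploads(sys.argv[1] if len(sys.argv) > 1 else "."):
        tag = "digest quoted in thread" if f["reported_in_thread"] else "duplicate content"
        print(f"{f['md5']}  {f['size']:>8} bytes  {tag}: {', '.join(f['names'])}")
```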
    



    This archive was generated by hypermail 2b30 : Thu Nov 07 2002 - 08:55:28 PST