Dear Owen,

The incidents you describe are caused by a popular cracker tool / well-known vulnerability scanner called "FX-Scanner". It indeed seems most popular in Germany. I was looking for it because I had been noticing TCP:57 attempts for some time now in my (Linux) logs. A long Google search directed me to a message submitted by Johannes Ullrich at http://isc.incidents.org/show_comment.html?id=28 and finally to http://www.fx-tools.net

In fact, the attack pattern of FX-Scanner V.030 beta is as follows:

(1) One ping (ICMP).

(2) If port 80 (http) is open, a large number of IIS hacks. These are defined by a file called "unicode.txt" included in the package. This file contains 77 plain-text lines intended to exploit well-known IIS "unicode" vulnerabilities. However, the cracker can modify this file at will, so expect some different patterns here.

(3) Two attempts to TCP:57 (TCP port 57). According to Johannes Ullrich the reason to do this is that the port is normally CLOSED.

(4) Three TCP:21 (ftp) attempts if closed. As said, I don't run ftpds so I don't know what would happen if ftpd runs. However, the fx-scanner V.030 beta package includes the following file:

    07/07/02  07:40p  104,154  file.txt
    9a5c9475663ad6dcf53f42446972a7b1 *file.txt

so probably that file is planted using user-specified or random names; contents are binary crap as you describe. The file "scanner.ini", also included, contains the following lines (among others):

    ftp_Uname=anonymous
    ftp_UPassword=anoat_private
    ftp_Port=21

I played around with the tool a bit on a WXP test setup (no network cable) while listening on TCP:57 using NETCAT and confirmed that indeed fx-scanner connects to the port mentioned.

Please note: running such a program against a public net is simply NOT DONE and hopefully/probably illegal. If you consider doing just that (don't), note that the tool is remotely controllable; it listens on TCP port 4113 and uses the default password "fxadmin" (both are variables in the ini file). It may also include other, unspecified, backdoors. Although I did not monitor behavior using a sniffer, the "Ring_Server=True" line in the ini file suggests that fx-scanner may call home when run (it could also be the ping though). The remote control program is included in the package.

BTW, I wouldn't be surprised if the number of German bad guys using this tool is significantly less than one may think. Blackhats may have found ways to install this tool on PCs of innocent (but clueless) T-Online dialup/ADSL users (perhaps via KaZaa or whatever), and are controlling them remotely. The blackhats may be Germans, but obviously that is not necessarily the case. However, I'm purely speculating here.

Cheers!
Erik van Straten

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
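As an added example (not part of Erik's mail or the FX-Scanner package), a defender-side check that correlates iptables-style firewall log lines per source address and flags the probe sequence described in the mail (ping, port 80, two TCP/57 SYNs, three TCP/21 SYNs). The log lines, addresses, interface name and log format are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample firewall log lines (iptables/syslog style, made up for this example).
# 198.51.100.7 follows the sequence from the mail: ping, port 80, 2x TCP/57, 3x TCP/21.
# 192.0.2.44 touches port 80 and port 57 once, which should NOT be flagged.
SAMPLE_LOG = """\
Jul 10 03:12:01 gw kernel: IN=ppp0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
Jul 10 03:12:02 gw kernel: IN=ppp0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3391 DPT=80 SYN
Jul 10 03:12:09 gw kernel: IN=ppp0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3392 DPT=57 SYN
Jul 10 03:12:12 gw kernel: IN=ppp0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3393 DPT=57 SYN
Jul 10 03:12:15 gw kernel: IN=ppp0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3394 DPT=21 SYN
Jul 10 03:12:18 gw kernel: IN=ppp0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3395 DPT=21 SYN
Jul 10 03:12:21 gw kernel: IN=ppp0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3396 DPT=21 SYN
Jul 10 03:13:40 gw kernel: IN=ppp0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=1055 DPT=80 SYN
Jul 10 03:14:02 gw kernel: IN=ppp0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=1056 DPT=57 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+)(?: .*?DPT=(?P<dpt>\d+))?")

def summarize(log_text):
    """Per source address: number of ICMP packets seen and SYN count per TCP destination port."""
    stats = defaultdict(lambda: {"icmp": 0, "ports": Counter()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = stats[m["src"]]
        if m["proto"] == "ICMP":
            entry["icmp"] += 1
        elif m["proto"] == "TCP" and m["dpt"]:
            entry["ports"][int(m["dpt"])] += 1
    return stats

def find_fx_scanner_pattern(log_text, min_57=2, min_21=3):
    """Return sources whose probe counts match the sequence described in the mail.
    The TCP/57 and TCP/21 counts are the distinctive part: a normally closed port hit
    twice, then FTP hit three times. The unicode.txt contents are attacker-editable,
    so the HTTP request URIs are deliberately not used as the signature."""
    hits = {}
    for src, entry in summarize(log_text).items():
        if entry["ports"][57] >= min_57 and entry["ports"][21] >= min_21:
            hits[src] = {"pinged": entry["icmp"] > 0,
                         "http": entry["ports"][80],
                         "tcp57": entry["ports"][57],
                         "tcp21": entry["ports"][21]}
    return hits
```

Run against real firewall output, adjust LINE_RE to your logger's field names; a single TCP/57 SYN is not enough to match, which keeps one-off probes out of the alert.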
This archive was generated by hypermail 2b30 : Tue Nov 12 2002 - 14:39:06 PST