Hi Matt and all, One of my Windows honeypots has logged this attack. I see both the ICMP datagrams having lower case letters reported by Matt Power and the upper case Es reported by James Slora. The tool succeeded in compromising the honeypot, presumably via the honeypot's weak (actually null) admin password. However, the attack might instead have capitalized on some IIS vulnerability, such as Web-DAV. I haven't found time to analyze the traffic or host in detail. The attacker established a ServU FTP server running on port 61337, identifying himself by the user ID xtahc. He provided the server with the following banner (please pardon the anticipated line wraps): mkd 10 mkd 11 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ !¡!¡!¡!¡!¡!¡!¡!¡ mkd 12 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡! [ Inf-alliance ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ mkd 13 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ !¡!¡!¡!¡!¡!¡!¡!¡ mkd 14 !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡! [ Games ] ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ mkd 15 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ [ Movies ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ mkd 16 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡! [ Appz ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ mkd 17 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ [ MP3's ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ mkd 18 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ !¡!¡!¡!¡!¡!¡!¡!¡ mkd 19 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡! [ Filled by ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ mkd 20 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ [ ©2003 Physix Productions ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ mkd 21 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ !¡!¡!¡!¡!¡!¡!¡!¡ mkd 22 Other information identified the compromised server as belonging to the OutpostFXP Pubstro community. I've been unable to learn more about that community. I can dig up other information if doing so would be helpful. But, I'm pretty jammed just now. Cheers, --------------------------------------------------- Bill McCarty ---------------------------------------------------------------------------- Powerful Anti-Spam Management and More... SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-incidents
This archive was generated by hypermail 2b30 : Mon Mar 31 2003 - 16:02:31 PST