Re: FTP scans from wanadoo.fr - More info

From: Replugge [Rod] (repluggeat_private)
Date: Tue Dec 18 2001 - 10:58:28 PST


    Uff... it seems like these people are looking for IIS vulnerabilities all
    over the internet... this looks like some mass defacement tool. I
    remember a group called poizonb0x used some of those. At least now we
    know what they were looking for...
    
    I found some interesting stuff looking around.
    
    "USER ftp" 331 -
    "PASS mozilla@" 230 -
    "SITE EXEC %020d|%.f%.f|" 500 -
    
    Q: Have any vulnerabilities been discovered affecting Microsoft's
    FTP Services? (If not, we probably got a new one.)
    
    That looks like some FTP vulnerability on IIS... I downloaded some
    statistics made by other users:
    
    Top 5:
      1: t-dialin.net          (302 attempts, 30 hosts)
      2: unresolved            (280 attempts)
      3: wanadoo.fr            (40 attempts, from 10 hosts)
      4: aol.com               (30 attempts, from 3 hosts)
      5: telia.com             (20 attempts from 1 host)
    
    
    I believe this could be a mass defacement tool, or perhaps we could be
    talking about a worm that infects IIS boxes (I don't think so)... lots
    of people have been getting these scans since the beginning of
    October.
    
    
    
    
    On Tue, 2001-12-18 at 11:49, dr john halewood wrote:
    > There's a distinct pattern to these scans from wanadoo. Looking through some 
    > logs (I allow anonymous login but with read-only access on one box), I've 
    > noticed the following:
    > the anonymous login password: frequently [A-Z]gpuserat_private
    > an attempt to cd to some directories: /ftproot, /wwwroot, /_vti_bin, 
    > /_vti_cnf, /cgi-bin, amongst others: the pattern varies, but all requests 
    > take place within a second, so it's definitely scripted. This is followed by 
    > an attempt to create a number of directories with a name such as
    > 011203022432p, where the first 6 digits are YYMMDD.
    > 
    > Anyone recognise the tool?
    > 
    > Cheers
    > john
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    --
    /* 
    Rodrigo Gutierrez <rodrigoat_private>
    Trustix AS - http://www.trustix.com 
    */
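The pattern the two posters describe (a scripted anonymous login with a `[A-Z]gpuser@` style password, a burst of CWDs into web-root and FrontPage directories inside one second, an MKD of a YYMMDDhhmmss-plus-letter name, and the `SITE EXEC %020d|%.f%.f|` line, which is a printf-style format-string probe of the kind used against wu-ftpd's SITE EXEC and has nothing to do with IIS) can be pulled out of FTP logs mechanically. The script below is an added example and is not code from either poster, from Trustix or from the ARIS service; the log line format, the sample lines and host addresses, the one-second burst window and the three-directory threshold are all constructed assumptions for the demonstration, and the password regex is a generalisation of john's `[A-Z]gpuser@...` observation.

```python
"""Flag FTP client hosts whose session matches the scripted scan described above.

Added example. The line format is a constructed approximation of IIS-style
FTP logging:   date time client-ip "COMMAND args" status
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: 10.0.0.5 behaves like the scanner, 10.0.0.9 is a normal client.
SAMPLE_LOG = """\
2001-12-03 02:24:32 10.0.0.5 "USER anonymous" 331
2001-12-03 02:24:32 10.0.0.5 "PASS Xgpuser@example.net" 230
2001-12-03 02:24:32 10.0.0.5 "CWD /ftproot" 550
2001-12-03 02:24:32 10.0.0.5 "CWD /wwwroot" 550
2001-12-03 02:24:32 10.0.0.5 "CWD /_vti_bin" 550
2001-12-03 02:24:32 10.0.0.5 "CWD /_vti_cnf" 550
2001-12-03 02:24:33 10.0.0.5 "CWD /cgi-bin" 550
2001-12-03 02:24:33 10.0.0.5 "MKD 011203022432p" 550
2001-12-03 02:24:33 10.0.0.5 "SITE EXEC %020d|%.f%.f|" 500
2001-12-03 02:30:01 10.0.0.9 "USER ftp" 331
2001-12-03 02:30:04 10.0.0.9 "PASS mozilla@" 230
2001-12-03 02:30:09 10.0.0.9 "CWD /pub" 250
2001-12-03 02:30:15 10.0.0.9 "RETR README" 226
"""

LINE_RE = re.compile(r'^(\S+ \S+) (\S+) "([A-Z]+)(?: ([^"]*))?" (\d{3})$')
# Directories the scan probes, as listed in john's message.
PROBE_DIRS = {"/ftproot", "/wwwroot", "/_vti_bin", "/_vti_cnf", "/cgi-bin"}
SCANNER_PASS_RE = re.compile(r"^[A-Z]gpuser@")       # assumption: generalises [A-Z]gpuser@...
TIMESTAMP_DIR_RE = re.compile(r"^(\d{12})[a-z]$")     # names like 011203022432p
# printf-style conversion: flags, width, optional precision, conversion character.
FORMAT_SPEC_RE = re.compile(r"%[-+ 0#]*\d*(?:\.\d*)?[diouxXfFeEgGcspn]")


def parse(log_text):
    """Yield (timestamp, host, command, argument, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3), m.group(4) or "", int(m.group(5))


def looks_like_scan_dirname(name):
    """True for a 12-digit YYMMDDhhmmss timestamp followed by one lowercase letter."""
    m = TIMESTAMP_DIR_RE.match(name)
    if not m:
        return False
    try:
        datetime.strptime(m.group(1), "%y%m%d%H%M%S")  # rejects e.g. month 13
    except ValueError:
        return False
    return True


def analyze(log_text, burst_window=1.0, min_probe_dirs=3):
    """Return {host: [reasons]} for every host showing at least one scanner trait."""
    sessions = defaultdict(list)
    for ev in parse(log_text):
        sessions[ev[1]].append(ev)

    findings = {}
    for host, events in sessions.items():
        reasons = []
        for _ts, _, cmd, arg, _status in events:
            if cmd == "PASS" and SCANNER_PASS_RE.match(arg):
                reasons.append("anonymous password matches [A-Z]gpuser@")
            elif cmd == "MKD" and looks_like_scan_dirname(arg):
                reasons.append("MKD of YYMMDDhhmmss-style name %s" % arg)
            elif cmd == "SITE" and arg.upper().startswith("EXEC") and FORMAT_SPEC_RE.search(arg):
                reasons.append("SITE EXEC with printf format specifiers")
        # A burst of CWDs into the probe directories within the window is the scripted signature.
        cwd_probes = [(ts, arg) for ts, _, cmd, arg, _ in events
                      if cmd == "CWD" and arg in PROBE_DIRS]
        if len({arg for _, arg in cwd_probes}) >= min_probe_dirs:
            times = [ts for ts, _ in cwd_probes]
            span = (max(times) - min(times)).total_seconds()
            if span <= burst_window:
                reasons.append("%d probe directories tried within %.0fs" % (len(cwd_probes), span))
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in analyze(SAMPLE_LOG).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample the scanner host is reported with all four traits and the browser-style `ftp`/`mozilla@` client is not reported at all. The burst check is the one worth tuning on real logs: a human exploring a server will hit one or two of those directories over many seconds, while the tool hits all of them in a single second, so the window and the directory threshold together keep the false positives down.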
    
    



    This archive was generated by hypermail 2b30 : Tue Dec 18 2001 - 13:09:16 PST