Re: FTP scans from wanadoo.fr - MOre info

From: Pieter-Bas IJdens (pbijdensat_private)
Date: Wed Dec 19 2001 - 03:15:59 PST

Next message: jesperhtat_private: "RE: RunAs weirdness..."

Previous message: Michael Wojcik: "Re: How to trace system level call in AIX"
In reply to: Replugge [Rod]: "Re: FTP scans from wanadoo.fr - MOre info"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> "USER ftp" 331 -
> "PASS mozilla@" 230 -
> "SITE EXEC %020d|%.f%.f|" 500 -
>
> Q: Have there been discovered any vulnerabilities affecting Microsoft's
> FTP Services? (If not we probably got a new one).
>
> that looks like some ftp vulnerability on IIS ... i downloaded some
> statics made by other users:
>
> Top 5:
>   1: t-dialin.net          (302 attempts, 30 hosts)
<<SNAP>>
>
> I believe this could be a mass defacement tool or perhaps we could be
> talking about a worm that infects IIS boxes (i don't think so)... lots
> of the people have been geting this scans since the beginning of
> October.

Yes. I remember posting these log entries and the top 5 to the dshield.org
mailing list on October 19th. Since then a lot has changed. A new version of
grim's ping has become available, and also recently I saw the exact same
patterns of these grims ping scans in my logs, but simultaneously from 10
different IPs (spoofed?).

The mass defacement tool or worm you are talking about AFAIK does not exist.
These scans are performed by people looking for weakly configured FTP
servers they can put their warez on. They don't particularly care about the
present content of the site and are careful not to disturb it because they
don't want to attract attention. They prefer FTP servers on Microsoft
systems because they tend to be badly configured and it's easy to hide their
stuff on it (http://www.xs4all.nl/~liew/startdivx/endofdeleters.txt). From
the ftp command logs I notice that all that is done usually is log in.
Rarely other commands are attempted, so I assume they just log the system
type and possible public access.

See http://pieter-bas.ijdens.com/logs/ftpconnects.txt for a full listing of
scanning IPs since the beginning of september, and
http://pieter-bas.ijdens.com/logs/ftp_full.txt.gz if you are interested to
see what these people try for commands on the scanned sites.

New stats (last ones were Oct 19 2001): t-dialin.net at 687 attempts,
wanadoo.fr at 164 attempts.

  Pieter-Bas







----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: jesperhtat_private: "RE: RunAs weirdness..."
Previous message: Michael Wojcik: "Re: How to trace system level call in AIX"
In reply to: Replugge [Rod]: "Re: FTP scans from wanadoo.fr - MOre info"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Dec 19 2001 - 09:15:13 PST