> "USER ftp" 331 - > "PASS mozilla@" 230 - > "SITE EXEC %020d|%.f%.f|" 500 - > > Q: Have there been discovered any vulnerabilities affecting Microsoft's > FTP Services? (If not we probably got a new one). > > that looks like some ftp vulnerability on IIS ... i downloaded some > statics made by other users: > > Top 5: > 1: t-dialin.net (302 attempts, 30 hosts) <<SNAP>> > > I believe this could be a mass defacement tool or perhaps we could be > talking about a worm that infects IIS boxes (i don't think so)... lots > of the people have been geting this scans since the beginning of > October. Yes. I remember posting these log entries and the top 5 to the dshield.org mailing list on October 19th. Since then a lot has changed. A new version of grim's ping has become available, and also recently I saw the exact same patterns of these grims ping scans in my logs, but simultaneously from 10 different IPs (spoofed?). The mass defacement tool or worm you are talking about AFAIK does not exist. These scans are performed by people looking for weakly configured FTP servers they can put their warez on. They don't particularly care about the present content of the site and are careful not to disturb it because they don't want to attract attention. They prefer FTP servers on Microsoft systems because they tend to be badly configured and it's easy to hide their stuff on it (http://www.xs4all.nl/~liew/startdivx/endofdeleters.txt). From the ftp command logs I notice that all that is done usually is log in. Rarely other commands are attempted, so I assume they just log the system type and possible public access. See http://pieter-bas.ijdens.com/logs/ftpconnects.txt for a full listing of scanning IPs since the beginning of september, and http://pieter-bas.ijdens.com/logs/ftp_full.txt.gz if you are interested to see what these people try for commands on the scanned sites. New stats (last ones were Oct 19 2001): t-dialin.net at 687 attempts, wanadoo.fr at 164 attempts. Pieter-Bas ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Dec 19 2001 - 09:15:13 PST