Security Incidents mailing list archives
RE: annoying ftp probes
From: "Mark Villanova" <mark () readylinkhealthcare net>
Date: Mon, 20 Aug 2001 12:28:00 -0700
Looks like pubfind. This is an automated tool for scanning for "Pubs". It is Windows-based and quite effective at finding sites that allow anonymous write access. Some versions of it will automatically create a hard-to-find directory for warez storage and notify the person running the scan.

-----Original Message-----
From: Emil Popov [mailto:emo () ds primasoft bg]
Sent: Monday, August 20, 2001 3:33 AM
To: incidents () securityfocus com
Subject: annoying ftp probes

Hi,

I have been getting some annoying connections to my ftpd like:

Aug 20 07:58:28 ds ftpd[7527]: connection from cc821361-d.vron1.nj.home.com
Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM cc821361-d.vron1.nj.home.com, guest () here com
Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM ip-90-202.evc.net, guest () here com
Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p

They are coming from various ISPs at random time intervals. It seems that this is some scanner that searches for world-writable ftp sites, and since those requests have been coming from *almost* random hosts, I am only able to cumulatively add whole ISP domains to my hosts.deny. I added a response line, i.e. an instant nmap to those guys, and up to now my nmap resulted in scanning either the firewall of the ISP, or a Windows machine ( win :), they may soon get an automated dos if they keep on :)) ). So I presume it's a win tool.

Any idea what the tool is? Any idea of a better defence (not that my site is world-writable but anyway..)

Thanks

p.s. There is a very famous WarezFTP site in Bulgaria, and I see them getting those same (in format) directories created, so it really seems like a scanner that just goes around mkdir'ing.

p.s.s Sorry for mentioning the un-masked hostnames, but I believe they deserve that.

Emil Popov
Primasoft Ltd.
emo () ds primasoft bg

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
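The anonymous-login-then-mkdir sequence in the quoted log can be flagged automatically per ftpd session. The script below is an added example, not part of either message: it assumes the probe marker is a directory name of 12 digits followed by "p" (generalised from the two names in the log), and the `client.example.net` session is constructed to show a benign upload that is not flagged.

```python
import re

# First six lines are the ftpd syslog entries quoted in the post above.
# The last three (client.example.net) are constructed: a benign anonymous upload.
SAMPLE_LOG = """\
Aug 20 07:58:28 ds ftpd[7527]: connection from cc821361-d.vron1.nj.home.com
Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM cc821361-d.vron1.nj.home.com, guest () here com
Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM ip-90-202.evc.net, guest () here com
Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p
Aug 21 10:00:00 ds ftpd[30001]: connection from client.example.net
Aug 21 10:00:01 ds ftpd[30001]: ANONYMOUS FTP LOGIN FROM client.example.net, user () example net
Aug 21 10:00:05 ds ftpd[30001]: mkdir incoming-docs
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\sftpd\[(\d+)\]:\s(.*)$")
ANON = re.compile(r"^ANONYMOUS FTP LOGIN FROM ([^,\s]+),")
# Assumption: probe directories are 12 digits followed by "p", as in both samples.
PROBE_DIR = re.compile(r"^\d{12}p$")


def find_probes(log_text):
    """Return (timestamp, host, directory) for anonymous sessions that mkdir a probe name."""
    sessions = {}  # ftpd PID -> {"host": str, "anon": bool}
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when, pid, msg = m.groups()
        if msg.startswith("connection from "):
            # New connection: reset state, since PIDs get reused over time.
            sessions[pid] = {"host": msg.split()[-1], "anon": False}
        elif ANON.match(msg):
            host = ANON.match(msg).group(1)
            sessions.setdefault(pid, {"host": host})["anon"] = True
        elif msg.startswith("mkdir "):
            name = msg[len("mkdir "):].strip()
            state = sessions.get(pid, {})
            if state.get("anon") and PROBE_DIR.match(name):
                hits.append((when, state["host"], name))
    return hits


if __name__ == "__main__":
    for when, host, name in find_probes(SAMPLE_LOG):
        print(f"{when}  {host}  created probe directory {name}")
```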