Security Incidents mailing list archives

Re: FTP scans from wanadoo.fr - More info


From: "Replugge [Rod]" <replugge () alcoholico org>
Date: 18 Dec 2001 19:58:28 +0100

UFFF .. it seems like these people are looking for IIS vulnerabilities all
over the internet.. this looks like some mass defacement tool. I
remember a group called poizonb0x used some of those. At least now we
know what they were looking for...

I found some interesting stuff looking around.

"USER ftp" 331 -
"PASS mozilla@" 230 -
"SITE EXEC %020d|%.f%.f|" 500 -

Q: Have any vulnerabilities been discovered affecting Microsoft's
FTP Services? (If not, we probably got a new one).

That looks like some FTP vulnerability on IIS ... I downloaded some
statistics made by other users:

Top 5:
  1: t-dialin.net          (302 attempts, 30 hosts)
  2: unresolved            (280 attempts)
  3: wanadoo.fr            (40 attempts, from 10 hosts)
  4: aol.com               (30 attempts, from 3 hosts)
  5: telia.com             (20 attempts from 1 host)


I believe this could be a mass defacement tool, or perhaps we could be
talking about a worm that infects IIS boxes (I don't think so)... lots
of people have been getting these scans since the beginning of
October.




On Tue, 2001-12-18 at 11:49, dr john halewood wrote:
There's a distinct pattern to these scans from wanadoo. Looking through some 
logs (I allow anonymous login but with read-only access on one box). I've 
noticed the following:
the anonymous login password: frequently [A-Z]gpuser () home com
an attempt to cd to some directories: /ftproot, /wwwroot, /_vti_bin, 
/_vti_cnf, /cgi-bin, amongst others: the pattern varies, but all requests 
take place within a second, so it's definitely scripted. This is followed by 
an attempt to create a number of directories with a name such as
011203022432p, where the first 6 digits are YYMMDD.

Anyone recognise the tool?

Cheers
john

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

--
/* 
Rodrigo Gutierrez <rodrigo () trustix com>
Trustix AS - http://www.trustix.com 
*/
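As an added example (not code from either poster), the pattern john describes and the log excerpt Rod quotes can be turned into a small session classifier for FTP logs: it flags the [A-Z]gpuser@home.com anonymous password, a burst of CWD requests inside one second, an MKD of the YYMMDDhhmmss+'p' form, and a SITE EXEC carrying format specifiers. The log format and sample lines are constructed for the example; real servers log differently and the parser would need adapting.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample log (not from the thread): <date> <time> <client> "<cmd> <arg>" <status>
SAMPLE_LOG = """\
2001-12-03 02:24:31 192.0.2.10 "USER anonymous" 331
2001-12-03 02:24:31 192.0.2.10 "PASS Bgpuser@home.com" 230
2001-12-03 02:24:32 192.0.2.10 "CWD /ftproot" 550
2001-12-03 02:24:32 192.0.2.10 "CWD /wwwroot" 550
2001-12-03 02:24:32 192.0.2.10 "CWD /_vti_bin" 550
2001-12-03 02:24:32 192.0.2.10 "MKD 011203022432p" 550
2001-12-03 02:30:07 192.0.2.99 "PASS mozilla@" 230
2001-12-03 02:30:08 192.0.2.99 "SITE EXEC %020d|%.f%.f|" 500
2001-12-03 03:00:01 198.51.100.7 "PASS jane@example.org" 230
2001-12-03 03:00:05 198.51.100.7 "CWD /pub" 250
"""
LINE_RE = re.compile(r'^(\S+ \S+) (\S+) "(\S+)(?: (.*))?" (\d{3})$')
PASS_RE = re.compile(r'^[A-Z]gpuser@home\.com$')  # anonymous password john reported
# YYMMDD (month 01-12, day 01-31) + hhmmss + trailing 'p', e.g. 011203022432p
MKD_RE = re.compile(r'^\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d{6}p$')

def parse(log):
    # Group (timestamp, command, argument) tuples by client address, in log order.
    sessions = defaultdict(list)
    for line in log.splitlines():
        if m := LINE_RE.match(line):
            ts = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S')
            sessions[m.group(2)].append((ts, m.group(3).upper(), m.group(4) or ''))
    return sessions

def classify(events):
    # Return the set of scan indicators seen in one client's session.
    hits, cwd_times = set(), []
    for ts, cmd, arg in events:
        if cmd == 'PASS' and PASS_RE.match(arg):
            hits.add('scanner-password')
        elif cmd == 'MKD' and MKD_RE.match(arg):
            hits.add('timestamped-mkd')
        elif cmd == 'CWD':
            cwd_times.append(ts)
        elif cmd == 'SITE' and arg.upper().startswith('EXEC') and '%' in arg:
            hits.add('site-exec-format-string')   # the probe in Rod's log excerpt
    # three or more CWDs inside one second: the scripted directory probe john described
    if any((cwd_times[i + 2] - cwd_times[i]).total_seconds() <= 1
           for i in range(len(cwd_times) - 2)):
        hits.add('cwd-burst')
    return hits

def scan(log):
    # Map each client with at least one indicator to its sorted indicator list.
    return {c: sorted(h) for c, ev in parse(log).items() if (h := classify(ev))}
```

Running `scan(SAMPLE_LOG)` reports the first two clients with their indicators and leaves the ordinary anonymous user out.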

