Security Incidents mailing list archives
Re: FTP scans from wanadoo.fr - MOre info
From: "Pieter-Bas IJdens" <pbijdens () emea mi4 org uk>
Date: Wed, 19 Dec 2001 12:15:59 +0100
"USER ftp" 331 -
"PASS mozilla@" 230 -
"SITE EXEC %020d|%.f%.f|" 500 -

Q: Have there been discovered any vulnerabilities affecting Microsoft's FTP Services? (If not we probably got a new one).

that looks like some ftp vulnerability on IIS ...
I downloaded some statistics made by other users:

Top 5:
1: t-dialin.net (302 attempts, 30 hosts)
<<SNAP>>
I believe this could be a mass defacement tool or perhaps we could be talking about a worm that infects IIS boxes (I don't think so)... lots of people have been getting these scans since the beginning of October.
Yes. I remember posting these log entries and the top 5 to the dshield.org mailing list on October 19th. Since then a lot has changed. A new version of grim's ping has become available, and also recently I saw the exact same patterns of these grim's ping scans in my logs, but simultaneously from 10 different IPs (spoofed?).

The mass defacement tool or worm you are talking about AFAIK does not exist. These scans are performed by people looking for weakly configured FTP servers they can put their warez on. They don't particularly care about the present content of the site and are careful not to disturb it because they don't want to attract attention. They prefer FTP servers on Microsoft systems because they tend to be badly configured and it's easy to hide their stuff on it (http://www.xs4all.nl/~liew/startdivx/endofdeleters.txt).

From the ftp command logs I notice that all that is done usually is log in. Rarely other commands are attempted, so I assume they just log the system type and possible public access.

See http://pieter-bas.ijdens.com/logs/ftpconnects.txt for a full listing of scanning IPs since the beginning of September, and http://pieter-bas.ijdens.com/logs/ftp_full.txt.gz if you are interested to see what these people try for commands on the scanned sites.

New stats (last ones were Oct 19 2001):
t-dialin.net at 687 attempts,
wanadoo.fr at 164 attempts.

Pieter-Bas

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
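An added example, not part of the original post or the poster's tooling: one way to flag the session patterns described above (anonymous login with nothing else, or a SITE EXEC carrying printf-style specifiers) and tally them per source domain the way the thread's "top 5" does. The log layout, the host names and the rule that one USER command counts as one attempt are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines, not the poster's logs. Assumed layout:
# <time> <client reverse-DNS name> "<FTP command>" <reply code> -
SAMPLE_LOG = '''\
12:01:07 pD9E1A2B3.dip.t-dialin.net "USER ftp" 331 -
12:01:07 pD9E1A2B3.dip.t-dialin.net "PASS mozilla@" 230 -
12:01:08 pD9E1A2B3.dip.t-dialin.net "SITE EXEC %020d|%.f%.f|" 500 -
12:09:30 pD9E1A2B3.dip.t-dialin.net "USER ftp" 331 -
12:09:30 pD9E1A2B3.dip.t-dialin.net "PASS mozilla@" 230 -
12:14:40 host-7.abo.wanadoo.fr "USER anonymous" 331 -
12:14:41 host-7.abo.wanadoo.fr "PASS mozilla@" 230 -
13:30:02 ws12.example.org "USER alice" 331 -
13:30:09 ws12.example.org "RETR report.txt" 226 -
'''

LINE = re.compile(r'^(\S+) (\S+) "(\w+) ?(.*)" (\d{3}) -$')

def classify(commands):
    """Label one client's (verb, argument) list, or return None."""
    if any(v == "SITE" and "%" in a for v, a in commands):
        return "format-string probe"   # printf-style specifiers in SITE EXEC
    anon = any(v == "USER" and a.lower() in ("ftp", "anonymous") for v, a in commands)
    if anon and all(v in ("USER", "PASS") for v, _ in commands):
        return "anonymous login only"  # logs in and issues nothing else
    return None

def scan_report(log_text):
    """Return {domain: {"attempts": int, "hosts": set, "labels": set}}."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            sessions[m.group(2)].append((m.group(3).upper(), m.group(4)))
    report = {}
    for host, commands in sessions.items():
        label = classify(commands)
        if label is None:
            continue
        domain = ".".join(host.split(".")[-2:])  # naive: wrong for e.g. co.uk
        entry = report.setdefault(domain, {"attempts": 0, "hosts": set(), "labels": set()})
        entry["attempts"] += sum(v == "USER" for v, _ in commands)  # assumed: 1 USER = 1 attempt
        entry["hosts"].add(host)
        entry["labels"].add(label)
    return report

if __name__ == "__main__":
    print(scan_report(SAMPLE_LOG))
```

Grouping is by client name, so several connections from one host merge into a single labelled session; a log that records a connection or session id would allow a per-connection label instead.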