Security Incidents mailing list archives

Re: FTP scans from wanadoo.fr - MOre info

From: "Pieter-Bas IJdens" <pbijdens () emea mi4 org uk>
Date: Wed, 19 Dec 2001 12:15:59 +0100

"USER ftp" 331 -
"PASS mozilla@" 230 -
"SITE EXEC %020d|%.f%.f|" 500 -

Q: Have there been discovered any vulnerabilities affecting Microsoft's
FTP Services? (If not we probably got a new one).

that looks like some ftp vulnerability on IIS ... i downloaded some
statics made by other users:

Top 5:
  1: t-dialin.net          (302 attempts, 30 hosts)

<<SNAP>>


I believe this could be a mass defacement tool or perhaps we could be
talking about a worm that infects IIS boxes (i don't think so)... lots
of the people have been geting this scans since the beginning of
October.


Yes. I remember posting these log entries and the top 5 to the dshield.org
mailing list on October 19th. Since then a lot has changed. A new version of
grim's ping has become available, and also recently I saw the exact same
patterns of these grims ping scans in my logs, but simultaneously from 10
different IPs (spoofed?).

The mass defacement tool or worm you are talking about AFAIK does not exist.
These scans are performed by people looking for weakly configured FTP
servers they can put their warez on. They don't particularly care about the
present content of the site and are careful not to disturb it because they
don't want to attract attention. They prefer FTP servers on Microsoft
systems because they tend to be badly configured and it's easy to hide their
stuff on it (http://www.xs4all.nl/~liew/startdivx/endofdeleters.txt). From
the ftp command logs I notice that all that is done usually is log in.
Rarely other commands are attempted, so I assume they just log the system
type and possible public access.

See http://pieter-bas.ijdens.com/logs/ftpconnects.txt for a full listing of
scanning IPs since the beginning of september, and
http://pieter-bas.ijdens.com/logs/ftp_full.txt.gz if you are interested to
see what these people try for commands on the scanned sites.

New stats (last ones were Oct 19 2001): t-dialin.net at 687 attempts,
wanadoo.fr at 164 attempts.

  Pieter-Bas







----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Re: FTP scans from wanadoo.fr, (continued)
- Re: FTP scans from wanadoo.fr Sébastien Vaast (Dec 17)
- RE: FTP scans from wanadoo.fr SunTrix Com Management (Dec 17)
- Re: FTP scans from wanadoo.fr russell (Dec 17)
  - Re: FTP scans from wanadoo.fr Steve (Dec 17)
- Re: FTP scans from wanadoo.fr loon (Dec 17)
  - Re: FTP scans from wanadoo.fr Phil (Dec 17)
  - Re: FTP scans from wanadoo.fr Replugge [Rod] (Dec 18)
- Re: FTP scans from wanadoo.fr dr john halewood (Dec 18)
  - Re: FTP scans from wanadoo.fr Alexandre Pinto (Dec 18)
  - Re: FTP scans from wanadoo.fr - MOre info Replugge [Rod] (Dec 18)
    - Re: FTP scans from wanadoo.fr - MOre info Pieter-Bas IJdens (Dec 19)
- Re: FTP scans from wanadoo.fr Emil Popov (Dec 20)
- FTP scans from wanadoo.fr Gray, Patrick (ISS Atlanta) (Dec 17)
- RE: FTP scans from wanadoo.fr Barber, Chris (Dec 18)
- Re: FTP scans from wanadoo.fr Dave Morris (Dec 20)