Security Incidents mailing list archives
RE: Identify Method
From: Jeff Peterson <Jpeterson () btiis net>
Date: Wed, 30 May 2001 08:45:39 -0700
Jeff has been tagged for the warez scene. I had this happen to my FTP server. I finally had to make the whole site read-only. I had the very same passwords used, along with others, such as "uberdeleter".

Your address will appear on a site known to the warez people as SWAA. A brief description of available files may be included in the posting. In the near future people in the warez know will start using your site for storage, they may download files, or just start randomly deleting files.

You should tighten security very much, and very soon.

Jeff Peterson,
Former warez victim.

P.S. Is it wrong to slip a trojan into the stuff they download, and hit them back? :)

-----Original Message-----
From: Ingersoll, Jared [mailto:JIngersoll () cswv com]
Sent: Wednesday, May 30, 2001 5:18 AM
To: 'CL: Nelson, Jeff'; 'FOCUS-MS () SECURITYFOCUS COM'
Cc: incidents () securityfocus com
Subject: RE: Identify Method

Jeff,

I found the same attempt was made on some of our systems. I first noticed a scan in our firewall logs last Tuesday or Wednesday (5/22-5/23). After ftp service was detected, a login attempt was made by anonymous with password guest () here com. We have no need for anonymous login and our servers are patched up to the latest security patch, so I didn't worry, just made note. I just assumed it was someone looking for anonymous ftp servers. However, given your information below, I'm beginning to suspect that it may be something more malicious. Perhaps it is just a program looking for anonymous ftp, but why try and create an *.asp file?

Anyone else have some input?

Jared

-----Original Message-----
From: CL: Nelson, Jeff [mailto:JNelson () cmccontrols com]
Sent: Tuesday, May 29, 2001 10:28 AM
To: 'FOCUS-MS () SECURITYFOCUS COM'
Subject: Identify Method

Good day,

Time to admit complete ignorance here. Some person created several directories in _vti_pvt. I've tried to replicate what I have in my IIS logs to no avail.

Here is what I see:

USER anonymous 331
PASS anonymous () on the net 230
MKD /_vti_pvt/+.+tagged+4+SWAA 257
QUIT - 257

Then another 14 minutes later:

USER anonymous 331
PASS guest () here com 230
created /1kbtest.ptf 250
DELE /1kbtest 250
created /space.asp 226
DELE /space.asp 250

First, what is going on? How were they able to do this? When I try I get an error stating path cannot be found.

Second, (and I think I've asked this before) is there a resource that goes in-depth to what is taking place? Most of the material I have is for Unix systems, not IIS.

Regards,
Jeff

Jeffrey L. Nelson
Network Manager; Cleveland Motion Controls
jnelson () cmccontrols com; 216-642-5147
----
"The musical notes are only five in number but their melodies are so numerous that one cannot visualize them all." -- Sun Tzu
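
The session pattern in the log excerpt above (anonymous login, a "tagged" directory made with MKD, a file created and then deleted in the same session) can be searched for in FTP logs. The following is an added example, not part of the original posts; the line layout, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed line layout (not taken from the thread): time client-ip [session]COMMAND argument status
LINE = re.compile(r"^(\S+) (\S+) \[(\d+)\](\S+) (.+) (\d{3})$")

# Constructed sample. Commands, paths and reply codes follow the excerpt quoted in
# the thread; times, session ids, 192.0.2.x addresses and passwords are made up.
SAMPLE = """\
10:02:11 192.0.2.10 [7]USER anonymous 331
10:02:11 192.0.2.10 [7]PASS anonymous@example.net 230
10:02:12 192.0.2.10 [7]MKD /_vti_pvt/+.+tagged+4+SWAA 257
10:16:40 192.0.2.20 [8]USER anonymous 331
10:16:40 192.0.2.20 [8]PASS guest@example.com 230
10:16:41 192.0.2.20 [8]created /space.asp 226
10:16:42 192.0.2.20 [8]DELE /space.asp 250
10:20:00 192.0.2.30 [9]USER alice 331
10:20:01 192.0.2.30 [9]PASS - 230
10:20:05 192.0.2.30 [9]created /reports/may.txt 226
"""

def find_anonymous_writes(log_text):
    """Return (client_ip, finding, path) tuples for anonymous sessions that changed the tree."""
    sessions = defaultdict(lambda: {"anon": False, "created": set()})
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip headers and lines in another layout
        _time, ip, sid, cmd, arg, status = m.groups()
        s = sessions[(ip, sid)]
        ok = status.startswith("2")  # 2xx replies mean the command succeeded
        if cmd == "USER":
            s["anon"] = arg.lower() in ("anonymous", "ftp")
        elif not (s["anon"] and ok):
            continue  # only successful actions by anonymous users matter here
        elif cmd == "MKD":
            kind = "tag-directory" if "tagged" in arg.lower() else "anonymous-mkdir"
            findings.append((ip, kind, arg))
        elif cmd == "created":
            s["created"].add(arg)
        elif cmd == "DELE" and arg in s["created"]:
            findings.append((ip, "create-then-delete", arg))
    return findings

if __name__ == "__main__":
    for finding in find_anonymous_writes(SAMPLE):
        print(*finding)
```

Any finding means anonymous users hold write or delete rights somewhere under the FTP root, which is the condition the replies above recommend removing.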