Security Incidents mailing list archives

RE: Identify Method


From: "Bobby, Paul" <paul.bobby () lmco com>
Date: Wed, 30 May 2001 13:34:09 -0400

What was noticed in my environment is that the source (both times it
occurred) was from Germany. The tool logged in via anonymous ftp and tried the
following:

cd /pub
cd /public
cd /pub/incoming
cd /incoming
cd /_vti_pvt
cd /
mkd 010528203204p
cd /upload

not successful, so I didn't see what would happen if those directories did
exist.

-----Original Message-----
From: Ingersoll, Jared [mailto:JIngersoll () cswv com]
Sent: Wednesday, May 30, 2001 8:18 AM
To: 'CL: Nelson, Jeff'; 'FOCUS-MS () SECURITYFOCUS COM'
Cc: incidents () securityfocus com
Subject: RE: Identify Method


Jeff,

I found the same attempt was made on some of our systems. I first noticed a
scan in our firewall logs last Tuesday or Wednesday (5/22-5/23). After ftp
service was detected, a login attempt was made by anonymous with password
guest () here com. We have no need for anonymous login and our servers are
patched up to the latest security patch, so I didn't worry, just made note.
I just assumed it was someone looking for anonymous ftp servers. However,
given your information below, I am beginning to suspect that it may be
something more malicious. Perhaps it is just a program looking for anonymous
ftp, but why try and create an *.asp file? Anyone else have some input?

Jared
-----Original Message-----
From: CL: Nelson, Jeff [mailto:JNelson () cmccontrols com]
Sent: Tuesday, May 29, 2001 10:28 AM
To: 'FOCUS-MS () SECURITYFOCUS COM'
Subject: Identify Method


Good day,

Time to admit complete ignorance here. Some person created several
directories in _vti_pvt. I've tried to replicate what I have in my IIS logs
to no avail. Here is what I see:

USER    anonymous       331
PASS    anonymous () on the net 230
MKD     /_vti_pvt/+.+tagged+4+SWAA      257
QUIT    -       257

Then another 14 minutes later:

USER anonymous 331
PASS guest () here com 230
created /1kbtest.ptf 250
DELE /1kbtest 250
created /space.asp 226
DELE /space.asp 250

First, what is going on? How were they able to do this? When I try I get an
error stating path cannot be found.

Second, (and I think I've asked this before) is there a resource that goes
in-depth to what is taking place? Most of the material I have is for Unix
systems, not IIS.

Regards,

Jeff

Jeffrey L. Nelson
Network Manager; Cleveland Motion Controls
jnelson () cmccontrols com; 216-642-5147
----
"The musical notes are only five in number but their melodies are so
numerous that one cannot visualize them all."   -- Sun Tzu
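Added example, not code from any of the posters in this thread: the check a practitioner would want after reading it. The script reads IIS-style W3C extended FTP log records like the ones Jeff pasted and flags anonymous sessions that either performed a write (MKD, STOR/created, DELE and friends) or stepped through the directory list Paul's trace shows. Assumed, and not taken from the thread: the W3C field names `time c-ip cs-method cs-uri-stem sc-status`, the bracketed connection number IIS puts in front of the method (`[1]USER`), the watch list of directories, and the sample log lines, which are constructed for the example.

```python
"""Flag anonymous FTP sessions that probe for, or obtain, write access.

Added example for the thread above; not code from any of the posters.
Reads IIS-style W3C extended FTP logs (time c-ip cs-method cs-uri-stem
sc-status). The "[n]" connection number IIS puts in front of cs-method
is assumed and stripped when present. Sample lines are constructed.
"""
import re
from dataclasses import dataclass, field

# Directories the scanner in the thread stepped through; a watch list
# (assumed), not an exhaustive set of writable-anonymous-FTP targets.
PROBED_DIRS = {"/pub", "/public", "/pub/incoming", "/incoming", "/_vti_pvt", "/upload"}
# Commands (and IIS's "created" log verb for a successful upload) that change the filesystem.
WRITE_METHODS = {"MKD", "STOR", "STOU", "APPE", "DELE", "RMD", "RNFR", "RNTO", "created"}
ANON_USERS = {"anonymous", "ftp"}

# Constructed sample log, modelled on the entries quoted in the thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
20:32:04 192.0.2.77 [1]USER anonymous 331
20:32:04 192.0.2.77 [1]PASS guest@here.com 230
20:32:05 192.0.2.77 [1]CWD /pub 550
20:32:05 192.0.2.77 [1]CWD /_vti_pvt 250
20:32:06 192.0.2.77 [1]MKD /_vti_pvt/010528203204p 257
20:32:07 192.0.2.77 [1]created /_vti_pvt/1kbtest.ptf 250
20:32:07 192.0.2.77 [1]DELE /_vti_pvt/1kbtest.ptf 250
20:32:08 192.0.2.77 [1]QUIT - 257
20:40:11 198.51.100.9 [2]USER jsmith 331
20:40:11 198.51.100.9 [2]PASS - 230
20:40:12 198.51.100.9 [2]created /reports/q2.doc 226
20:40:13 198.51.100.9 [2]QUIT - 226
20:41:00 203.0.113.5 [3]USER anonymous 331
20:41:00 203.0.113.5 [3]PASS mozilla@ 530
20:41:01 203.0.113.5 [3]QUIT - 530
20:45:30 203.0.113.5 [4]USER anonymous 331
20:45:30 203.0.113.5 [4]PASS guest@here.com 230
20:45:31 203.0.113.5 [4]CWD /pub 550
20:45:31 203.0.113.5 [4]CWD /incoming 550
20:45:32 203.0.113.5 [4]CWD /upload 550
20:45:32 203.0.113.5 [4]QUIT - 550
"""


@dataclass
class Session:
    ip: str
    user: str = ""
    authenticated: bool = False
    probes: list = field(default_factory=list)   # CWD attempts into watched dirs
    writes: list = field(default_factory=list)   # write commands that returned 2xx


def parse_w3c(text):
    """Yield one dict per record, taking column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) < len(fields):
                continue  # truncated line; W3C fields never contain spaces
            rec = dict(zip(fields, parts))
            m = re.match(r"\[(\d+)\](.*)", rec["cs-method"])  # strip IIS "[n]" prefix
            rec["conn"] = m.group(1) if m else ""
            rec["cs-method"] = m.group(2) if m else rec["cs-method"]
            yield rec


def flag_sessions(text):
    """Return findings for anonymous sessions that wrote, or probed for writable dirs."""
    sessions = {}
    for rec in parse_w3c(text):
        s = sessions.setdefault((rec["c-ip"], rec["conn"]), Session(rec["c-ip"]))
        method, arg, status = rec["cs-method"], rec["cs-uri-stem"], rec["sc-status"]
        ok = status.startswith("2")
        if method == "USER":
            s.user = arg.lower()
        elif method == "PASS":
            s.authenticated = ok
        elif method == "CWD" and (arg.rstrip("/") or "/") in PROBED_DIRS:
            s.probes.append(arg)          # the attempt counts, whether 250 or 550
        elif method in WRITE_METHODS and ok:
            s.writes.append(f"{method} {arg}")
    findings = []
    for s in sessions.values():
        if s.user not in ANON_USERS or not s.authenticated:
            continue
        if s.writes:
            findings.append({"ip": s.ip, "severity": "high",
                             "reason": "anonymous write access used", "detail": s.writes})
        elif len(s.probes) >= 2:
            findings.append({"ip": s.ip, "severity": "medium",
                             "reason": "anonymous writable-directory probe", "detail": s.probes})
    return findings


if __name__ == "__main__":
    for f in flag_sessions(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['reason']}: {', '.join(f['detail'])}")
```

Sessions are keyed by client IP plus the IIS connection number, so two anonymous logins from the same host (one rejected with 530, one accepted) are judged separately; a write that the server refused is not counted, but a CWD into a watched directory is counted even when it fails with 550, because the probing itself is what distinguishes a scanner from a browsing user.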

