Security Incidents mailing list archives
Re: [incident] IIS defacement through FTP, possible DoS
From: Michael Katz <mike () procinct com>
Date: Wed, 05 Jun 2002 11:56:58 -0700
At 6/5/2002 01:40 AM, Iain Craig wrote:
Was wondering if anyone is aware of an IIS FTP server exploit that allows an attacker the read/write access of a single given legitimate user's folders and also zeroes the log file?
<snip>
There was a LOT of those, all very fast like a DoS attempt. Other usernames I was seeing in a similar DoS fashion from the same time and IP were Ogpuser () home com, Kgpuser () home com, and Lgpuser () home com. Anyone know of a kiddie tool that uses these names?
According to this message (http://archives.neohapsis.com/archives/snort/2002-04/0447.html):
"This is the signature of Grim's Ping- a scanning tool that looks for FTP servers with directories that anonymous users can write to (In other words- new warez sites). The tool logs in as anonymous and authenticates with Xgpuser () home com (where X is any uppercase letter). It tries to find and write to commonly used FTP directories and reports successes to the attacker."

The tool can be downloaded from http://grimsping.cjb.net/.

Michael Katz
mike () procinct com
Procinct Security

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
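
A log check for the login signature quoted in the message above, as an added example that is not part of the original post or of any tool it mentions. The log layout (W3C-style fields with a `[session]` prefix on the command), the write-verb names and the sample lines are constructed assumptions, and the archive's " () " is taken to stand for "@".

```python
import re

# Password shape reported in the quoted message: one uppercase letter + "gpuser@home.com".
GP_PASS = re.compile(r"^[A-Z]gpuser@home\.com$")
# Assumed log layout: time c-ip cs-method cs-uri-stem sc-status, where the
# command carries a "[session]" prefix, e.g. "[7]PASS".
LINE = re.compile(r"^(\S+)\s+(\S+)\s+\[(\d+)\](\w+)\s+(\S+)\s+(\d{3})$")
WRITE_VERBS = {"MKD", "STOR", "CREATED"}  # assumed names for logged write operations

# Constructed sample log (documentation-range IPs, made-up paths).
SAMPLE = """#Fields: time c-ip cs-method cs-uri-stem sc-status
01:40:11 192.0.2.10 [1]USER anonymous 331
01:40:11 192.0.2.10 [1]PASS Ogpuser@home.com 230
01:40:12 192.0.2.10 [1]MKD /pub/incoming/tmp1 550
01:40:12 192.0.2.10 [2]USER anonymous 331
01:40:12 192.0.2.10 [2]PASS Kgpuser@home.com 230
01:40:13 192.0.2.10 [2]MKD /upload/tmp1 257
01:40:14 198.51.100.7 [3]USER anonymous 331
01:40:14 198.51.100.7 [3]PASS guest@example.org 230
01:40:15 198.51.100.7 [3]MKD /upload/docs 257
""".splitlines()

def scan(lines):
    """Map client IP -> signature logins seen and any writes that then succeeded."""
    hits, flagged = {}, set()  # flagged holds (ip, session) pairs using the signature
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # header lines and anything not in the assumed layout
        _time, ip, session, verb, arg, status = m.groups()
        verb = verb.upper()
        if verb == "PASS" and GP_PASS.match(arg):
            rec = hits.setdefault(ip, {"logins": 0, "accepted": 0,
                                       "passwords": set(), "writes": []})
            rec["logins"] += 1
            rec["passwords"].add(arg)
            rec["accepted"] += status == "230"  # 230 = login accepted
            flagged.add((ip, session))
        elif verb in WRITE_VERBS and (ip, session) in flagged and status[0] == "2":
            # A 2xx write inside a flagged session means anonymous write access worked.
            hits[ip]["writes"].append((verb, arg))
    return hits

if __name__ == "__main__":
    for ip, rec in scan(SAMPLE).items():
        print(ip, rec["logins"], "signature logins;", "writes:", rec["writes"])
```

Any entry under `writes` marks a directory that accepted an anonymous write during a flagged session, which is the permission to review first.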