Re: [incident] IIS defacement through FTP, possible DoS

[Michael Katz <mike () procinct com>]

At 6/5/2002 01:40 AM, Iain Craig wrote:
> Was wondering if anyone is aware of an IIS FTP server exploit that allows 
> an attacker the read/write access of a single given legimate user's 
> folders and also zeroes the log file?

<snip>

> There was a LOT of those, all very fast like a DoS attempt. Other 
> usernames I was seeing in a similar DoS fashion from the same time and IP 
> were Ogpuser () home com, Kgpuser () home com, and Lgpuser () home com
>
> Anyone know of a kiddie tool that uses these names?

According to this message 
(http://archives.neohapsis.com/archives/snort/2002-04/0447.html):

"This is the signature of Grim's
Ping- a scanning tool that looks for FTP servers with directories that
anonymous users can write to (In other words- new warez sites). The tool
logs in as anonymous and authenticates with Xgpuser () home com (where X is
any uppercase letter). It tries to find and write to commonly used FTP
directories and reports successes to the attacker.."

The tool can be downloaded from http://grimsping.cjb.net/.

Michael Katz
mike () procinct com
Procinct Security


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com