Security Incidents mailing list archives
RE: ano () ano com ftpd dip.t-dialin.net
From: Owen McCusker <mccusker () sonalysts com>
Date: Tue, 12 Nov 2002 13:29:27 -0500
Dear Owen,

The incidents you describe are caused by a popular cracker tool / well-known vulnerability scanner called "FX-Scanner". It indeed seems most popular in Germany. I was looking for it because I was noticing TCP:57 attempts for some time now in my (Linux) logs. A long Google search directed me to a message submitted by Johannes Ullrich at http://isc.incidents.org/show_comment.html?id=28 and finally to http://www.fx-tools.net

In fact, the attack pattern of FX-Scanner V.030 beta is as follows:

(1) One ping (ICMP)

(2) If port 80 (http) is open, a large number of IIS hacks. These are defined by a file called "unicode.txt" included in the package. This file contains 77 plain-text lines intended to exploit well-known IIS "unicode" vulnerabilities. However, the cracker can modify this file at will, so expect some different patterns here.

(3) Two attempts to TCP:57 (TCP port 57). According to Johannes Ullrich, the reason to do this is because the port is normally CLOSED.

(4) Three TCP:21 (ftp) attempts if closed. As said, I don't run ftpd's so I don't know what would happen if ftpd runs. However, the fx-scanner V.030 beta package includes the following file:

07/07/02 07:40p 104,154 file.txt
9a5c9475663ad6dcf53f42446972a7b1 *file.txt

so probably that file is planted using user-specified or random names; contents are binary crap as you describe. The file "scanner.ini" also included contains the following lines (among others):

ftp_Uname=anonymous
ftp_UPassword=ano () ano com
ftp_Port=21

I played around with the tool a bit on a WXP test setup (no network cable) while listening on TCP:57 using NETCAT and confirmed that indeed fx-scanner connects to the port mentioned.

Please note: running such a program against a public net is simply NOT DONE and hopefully/probably illegal. If you consider (don't) to do just that, note that the tool is remotely controllable; it listens to TCP port 4113 and uses the default password "fxadmin" (both are variables in the ini file).

It may also include other, unspecified, backdoors. Although I did not monitor behavior using a sniffer, the "Ring_Server=True" line in the ini-file suggests that fx-scanner may call home when run (it could also be the ping though). The remote control program is included in the package.

BTW I wouldn't be surprised if the number of German badguys using this tool is significantly less than one may think. Blackhats may have found ways to install this tool on PCs from innocent (but clueless) T-Online dialup/ADSL users (perhaps via KaZaa or whatever), and are controlling them remotely. The blackhats may be Germans, but obviously that is not necessarily the case. However, I'm purely speculating here.

Cheers!
Erik van Straten

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
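Detection logic for the scan sequence described in the post above (ping, then two TCP:57 attempts, then TCP:21), as an added example that is not part of the original message: it parses constructed netfilter/iptables-style syslog lines and flags source addresses whose ordered activity matches the sequence. The log format, hostnames and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter/iptables syslog style (assumed format, not from the post).
SAMPLE_LOG = """\
Nov 12 10:01:02 gw kernel: IN=ppp0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=ICMP TYPE=8 CODE=0
Nov 12 10:01:03 gw kernel: IN=ppp0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3305 DPT=80 SYN
Nov 12 10:01:05 gw kernel: IN=ppp0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3310 DPT=57 SYN
Nov 12 10:01:06 gw kernel: IN=ppp0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3311 DPT=57 SYN
Nov 12 10:01:07 gw kernel: IN=ppp0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3312 DPT=21 SYN
Nov 12 10:01:08 gw kernel: IN=ppp0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3313 DPT=21 SYN
Nov 12 10:05:00 gw kernel: IN=ppp0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4001 DPT=21 SYN
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def events_by_source(log_text):
    """Group each line into (kind, dport) events keyed by source address, in log order."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        f = dict(FIELD_RE.findall(line))
        if "SRC" not in f:
            continue
        if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":  # ICMP echo request
            by_src[f["SRC"]].append(("icmp_echo", None))
        elif f.get("PROTO") == "TCP" and "DPT" in f:
            by_src[f["SRC"]].append(("tcp", int(f["DPT"])))
    return by_src


def matches_fx_pattern(events, min_57=2, min_21=1):
    """True when the ordered events show a ping, then >= min_57 hits on TCP/57,
    then >= min_21 hits on TCP/21. Port 57 is normally closed, so SYNs to it right
    after a ping are the high-signal part; the post reports three TCP/21 attempts,
    but alerting on the first is enough."""
    seen_ping, hits_57, hits_21 = False, 0, 0
    for kind, port in events:
        if kind == "icmp_echo":
            seen_ping = True
        elif seen_ping and port == 57:
            hits_57 += 1
        elif seen_ping and hits_57 >= min_57 and port == 21:
            hits_21 += 1
    return seen_ping and hits_57 >= min_57 and hits_21 >= min_21


def find_fx_scanner_sources(log_text):
    """Return sorted source addresses whose activity matches the scan sequence."""
    return sorted(src for src, ev in events_by_source(log_text).items()
                  if matches_fx_pattern(ev))
```

The lone TCP/21 attempt from the second address in the sample is not flagged because it was not preceded by the ping and TCP/57 probes, which keeps ordinary FTP traffic out of the alert.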