Security Incidents mailing list archives

RE: new ftp worm


From: Klašnja Dario <dario.klasnja () msan hr>
Date: Sat, 10 Jan 2004 12:32:44 +0100

Yes, someone is trying to retrieve a password with a brute force method.
Keep an eye on that, and try to find the source and send a report to your ISP.

                Dario 


-----Original Message-----
From: Jim Harrison (ISA) [mailto:jmharr () microsoft com] 
Sent: Wednesday, January 07, 2004 2:41 AM
To: Mike Tancsa; incidents () securityfocus com
Subject: RE: new ftp worm


This is also typical of the WAREZ folks' efforts.
First they try anonymous logins, then a "common pattern" login attack.
 
* Jim Harrison <mailto:jmharr () microsoft com>  
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA SE)

 
"I used to hate writing assignments, but now I enjoy them. 
I realized that the purpose of writing is to inflate weak ideas, 
obscure poor reasoning, and inhibit clarity. 
With a little practice, writing can be an intimidating and 
impenetrable fog!"
-Calvin

________________________________

From: Mike Tancsa [mailto:mike () sentex net]
Sent: Tue 1/6/2004 11:39
To: incidents () securityfocus com
Subject: new ftp worm 




I have been noticing a flood of ftp attempts to various servers on our network recently.  It's typically from some 
dialup / dynamic IP and it tries to ftp in to one of my machines as fast as it can with as many connections as possible 
using a fixed range of usernames

e.g. in a 2hr period,

  grep "FTP LOGIN FAILED" /var/log/authentic | awk '{print $11}' | sort | uniq -c | sort -nr
  293 manager
  290 public
  289 private
  286 default
  262 security
  237 1234qwer
  218 123qwe
  214 user
  213 super
  209 123456
  197 000000
  192 Internet
  156 abcd
  143 abc123
  115 abc
  106 1234567
  104 123abc
  102 88888888
   95 password
   93 asdfgh
   88 computer
   84 5201314
   83 00000000
   79 !@#$%^&*()
   77 654321
   76 888888
   73 123asd
   71 11111
   71 !@#$%^&*
   68 passwd
   64 !@#$%^&*(
   61 111111
   58 asdf
   57 sql
   57 database
   51 111
   49 !@#$%
   45 pass
   45 !@#$
   43 54321
   42 server
   42 !@#$%^
   35 sybase
   34 oracle
   34 12345678
   34 1
   31 secret
   27 test
   27 11111111
   18 admin
   15 anyone
   10 !@#$%^&


This looks a lot like http://www.f-secure.com/v-descs/muma.shtml but I have not been able to find a description/variant 
that uses ftp.  Is this a new version of muma? Or just some worm / virus that uses the same list of users?
--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike () sentex net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike
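
Added example, not part of the original thread: the pipeline in the post counts failures per username; the sketch below groups the same log lines by source instead, so that one host cycling through many usernames stands out from a user mistyping a password. The line layout, the sample lines, the addresses and the thresholds are assumptions constructed for illustration; the layout is chosen so the username is field 11, as in the post's awk command.

```shell
#!/bin/sh
# Assumed (constructed) line layout:
#   Mon DD HH:MM:SS host ftpd[pid]: FTP LOGIN FAILED FROM <source>, <username>

# Constructed sample log; addresses are from the documentation ranges.
sample_log() {
cat <<'EOF'
Jan  6 11:02:13 ftp1 ftpd[4101]: FTP LOGIN FAILED FROM 192.0.2.10, manager
Jan  6 11:02:13 ftp1 ftpd[4102]: FTP LOGIN FAILED FROM 192.0.2.10, public
Jan  6 11:02:14 ftp1 ftpd[4103]: FTP LOGIN FAILED FROM 192.0.2.10, private
Jan  6 11:02:14 ftp1 ftpd[4104]: FTP LOGIN FAILED FROM 192.0.2.10, default
Jan  6 11:02:15 ftp1 ftpd[4105]: FTP LOGIN FAILED FROM 192.0.2.10, security
Jan  6 11:02:15 ftp1 ftpd[4106]: FTP LOGIN FAILED FROM 192.0.2.10, manager
Jan  6 11:07:40 ftp1 ftpd[4110]: FTP LOGIN FROM 203.0.113.5 as bob
Jan  6 11:09:02 ftp1 ftpd[4120]: FTP LOGIN FAILED FROM 198.51.100.7, alice
Jan  6 11:09:31 ftp1 ftpd[4121]: FTP LOGIN FAILED FROM 198.51.100.7, alice
EOF
}

# summarize_sources MIN_ATTEMPTS MIN_USERS
# Reads log lines on stdin and prints "source attempts distinct_usernames"
# for each source that meets both thresholds, busiest source first.
summarize_sources() {
    awk -v min_a="$1" -v min_u="$2" '
    /FTP LOGIN FAILED FROM/ {
        src = $10
        sub(/,$/, "", src)          # drop the comma after the source field
        user = $11
        attempts[src]++
        if (!((src, user) in seen)) {   # count each username once per source
            seen[src, user] = 1
            users[src]++
        }
    }
    END {
        for (s in attempts)
            if (attempts[s] >= min_a && users[s] >= min_u)
                print s, attempts[s], users[s]
    }' | sort -k2,2nr
}

# Flag sources with at least 5 failures spread over at least 4 usernames.
sample_log | summarize_sources 5 4
```

On a real server the function would read the log file itself, e.g. summarize_sources 50 10 < logfile, with thresholds tuned to the site's normal failure rate.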

