Security Incidents mailing list archives

RE: new ftp worm


From: "Jim Harrison (ISA)" <jmharr () microsoft com>
Date: Tue, 6 Jan 2004 17:40:47 -0800

This is also typical of the WAREZ folks' efforts.
First they try anonymous logins, then a "common pattern" login attack.
 
* Jim Harrison <mailto:jmharr () microsoft com>  
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA SE)

 
"I used to hate writing assignments, but now I enjoy them. 
I realized that the purpose of writing is to inflate weak ideas, 
obscure poor reasoning, and inhibit clarity. 
With a little practice, writing can be an intimidating and 
impenetrable fog!"
-Calvin

________________________________

From: Mike Tancsa [mailto:mike () sentex net]
Sent: Tue 1/6/2004 11:39
To: incidents () securityfocus com
Subject: new ftp worm 




I have been noticing a flood of ftp attempts to various servers on our
network recently.  It's typically from some dialup / dynamic IP and it tries
to ftp in to one of my machines as fast as it can with as many connections
as possible using a fixed range of usernames

e.g. in a 2hr period,

  grep "FTP LOGIN FAILED" /var/log/authentic | awk '{print $11}' | sort | uniq -c | sort -nr
  293 manager
  290 public
  289 private
  286 default
  262 security
  237 1234qwer
  218 123qwe
  214 user
  213 super
  209 123456
  197 000000
  192 Internet
  156 abcd
  143 abc123
  115 abc
  106 1234567
  104 123abc
  102 88888888
   95 password
   93 asdfgh
   88 computer
   84 5201314
   83 00000000
   79 !@#$%^&*()
   77 654321
   76 888888
   73 123asd
   71 11111
   71 !@#$%^&*
   68 passwd
   64 !@#$%^&*(
   61 111111
   58 asdf
   57 sql
   57 database
   51 111
   49 !@#$%
   45 pass
   45 !@#$
   43 54321
   42 server
   42 !@#$%^
   35 sybase
   34 oracle
   34 12345678
   34 1
   31 secret
   27 test
   27 11111111
   18 admin
   15 anyone
   10 !@#$%^&


This looks a lot like http://www.f-secure.com/v-descs/muma.shtml but I have
not been able to find a description/variant that uses ftp.  Is this a new
version of muma? Or just some worm / virus that uses the same list of users?
--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike () sentex net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike


---------------------------------------------------------------------------
----------------------------------------------------------------------------
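
Added example, not part of either message above: the pipeline in the original post counts failures per username; this variant groups the same "FTP LOGIN FAILED" lines per source, so one host cycling through many usernames stands apart from a user retyping one password. The log layout (field 10 is the source followed by a comma, field 11 the username, as the post's awk '{print $11}' implies), the function names and the sample lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Constructed sample lines; addresses are documentation ranges, not real data.
# Assumed layout: field 10 is "<source>," and field 11 the attempted username.
sample_log() {
cat <<'EOF'
Jan  6 11:39:01 ftp1 ftpd[4101]: FTP LOGIN FAILED FROM 192.0.2.10, manager
Jan  6 11:39:01 ftp1 ftpd[4102]: FTP LOGIN FAILED FROM 192.0.2.10, public
Jan  6 11:39:02 ftp1 ftpd[4103]: FTP LOGIN FAILED FROM 192.0.2.10, private
Jan  6 11:39:02 ftp1 ftpd[4104]: FTP LOGIN FAILED FROM 192.0.2.10, default
Jan  6 11:39:03 ftp1 ftpd[4105]: FTP LOGIN FAILED FROM 192.0.2.10, security
Jan  6 11:39:03 ftp1 ftpd[4106]: FTP LOGIN FAILED FROM 192.0.2.10, manager
Jan  6 11:40:10 ftp1 ftpd[4110]: FTP LOGIN FAILED FROM 198.51.100.7, alice
Jan  6 11:40:25 ftp1 ftpd[4111]: FTP LOGIN FAILED FROM 198.51.100.7, alice
Jan  6 11:40:41 ftp1 ftpd[4112]: FTP LOGIN FAILED FROM 198.51.100.7, alice
Jan  6 11:41:00 ftp1 ftpd[4113]: FTP LOGIN FROM 198.51.100.7 as alice
Jan  6 11:42:07 ftp1 ftpd[4120]: FTP LOGIN FAILED FROM 203.0.113.5, 123456
Jan  6 11:42:07 ftp1 ftpd[4121]: FTP LOGIN FAILED FROM 203.0.113.5, abc123
Jan  6 11:42:08 ftp1 ftpd[4122]: FTP LOGIN FAILED FROM 203.0.113.5, !@#$
EOF
}

# ftp_spray_sources MIN_USERS < logfile
# Prints "source attempts distinct_usernames" for every source that tried at
# least MIN_USERS different usernames, busiest source first.
ftp_spray_sources() {
    awk -v min="$1" '
        /FTP LOGIN FAILED/ {
            src = $10
            sub(/,$/, "", src)              # drop the comma after the source
            attempts[src]++
            if (!((src, $11) in seen)) {    # first time this source tried this name
                seen[src, $11] = 1
                users[src]++
            }
        }
        END {
            for (s in attempts)
                if (users[s] >= min)
                    print s, attempts[s], users[s]
        }' | sort -k2,2nr -k1,1
}

# Stand-alone run on the constructed sample: sources with 3+ distinct usernames.
sample_log | ftp_spray_sources 3
```

The threshold of 3 only suits the tiny sample; on a real log it would be set well above what legitimate users produce.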



