Security Incidents mailing list archives
RE: new ftp worm
From: "Jim Harrison (ISA)" <jmharr () microsoft com>
Date: Tue, 6 Jan 2004 17:40:47 -0800
This is also typical of the WAREZ folks' efforts.
First they try anonymous logins, then a "common pattern" login attack.

* Jim Harrison <mailto:jmharr () microsoft com>
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA SE)

"I used to hate writing assignments, but now I enjoy them. I realized that the purpose of writing is to inflate weak ideas, obscure poor reasoning, and inhibit clarity. With a little practice, writing can be an intimidating and impenetrable fog!"
-Calvin

________________________________

From: Mike Tancsa [mailto:mike () sentex net]
Sent: Tue 1/6/2004 11:39
To: incidents () securityfocus com
Subject: new ftp worm

I have been noticing a flood of ftp attempts to various servers on our network recently. It's typically from some dialup / dynamic IP and it tries to ftp in to one of my machines as fast as it can with as many connections as possible using a fixed range of usernames, e.g. in a 2hr period,

    grep "FTP LOGIN FAILED" /var/log/authentic | awk '{print $11}' | sort | uniq -c | sort -nr

    293 manager
    290 public
    289 private
    286 default
    262 security
    237 1234qwer
    218 123qwe
    214 user
    213 super
    209 123456
    197 000000
    192 Internet
    156 abcd
    143 abc123
    115 abc
    106 1234567
    104 123abc
    102 88888888
     95 password
     93 asdfgh
     88 computer
     84 5201314
     83 00000000
     79 !@#$%^&*()
     77 654321
     76 888888
     73 123asd
     71 11111
     71 !@#$%^&*
     68 passwd
     64 !@#$%^&*(
     61 111111
     58 asdf
     57 sql
     57 database
     51 111
     49 !@#$%
     45 pass
     45 !@#$
     43 54321
     42 server
     42 !@#$%^
     35 sybase
     34 oracle
     34 12345678
     34 1
     31 secret
     27 test
     27 11111111
     18 admin
     15 anyone
     10 !@#$%^&

This looks a lot like http://www.f-secure.com/v-descs/muma.shtml but I have not been able to find a description/variant that uses ftp. Is this a new version of muma? Or just some worm / virus that uses the same list of users.

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike () sentex net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
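Added example (not part of the original posts): the pipeline quoted above tallies failed logins per username; the script below tallies them per source instead, so that a host cycling through many usernames stands apart from a user mistyping one password. The log layout (source in field 10 with a trailing comma, username in field 11, consistent with the $11 in the post), the sample lines, the addresses and the function names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed log layout (constructed): field 10 is the source
# address followed by a comma, field 11 the attempted username, matching
# the $11 in the pipeline quoted in the post.

# ftp_guessers MIN_FAILURES MIN_DISTINCT_USERS [LOGFILE]
# Prints "source failures distinct_users", busiest source first, for each
# source that reaches both thresholds. Reads stdin when LOGFILE is omitted.
ftp_guessers() {
    awk -v min_fail="$1" -v min_users="$2" '
        /FTP LOGIN FAILED/ {
            src = $10
            sub(/,$/, "", src)                     # drop the trailing comma
            fails[src]++
            if (!seen[src, $11]++) users[src]++    # count each name once
        }
        END {
            for (s in fails)
                if (fails[s] >= min_fail && users[s] >= min_users)
                    print s, fails[s], users[s]
        }' "${3:--}" | sort -k2,2nr
}

# Constructed sample lines (documentation addresses, not real log data).
sample_log() {
    cat <<'EOF'
Jan  6 11:02:13 ftp1 ftpd[411]: FTP LOGIN FAILED FROM 192.0.2.44, manager
Jan  6 11:02:13 ftp1 ftpd[412]: FTP LOGIN FAILED FROM 192.0.2.44, public
Jan  6 11:02:14 ftp1 ftpd[413]: FTP LOGIN FAILED FROM 192.0.2.44, private
Jan  6 11:02:14 ftp1 ftpd[414]: FTP LOGIN FAILED FROM 192.0.2.44, default
Jan  6 11:02:15 ftp1 ftpd[415]: FTP LOGIN FAILED FROM 192.0.2.44, manager
Jan  6 11:02:15 ftp1 ftpd[416]: FTP LOGIN FAILED FROM 192.0.2.44, !@#$
Jan  6 11:09:40 ftp1 ftpd[420]: FTP LOGIN FAILED FROM 198.51.100.7, alice
Jan  6 11:09:52 ftp1 ftpd[420]: FTP LOGIN FAILED FROM 198.51.100.7, alice
Jan  6 11:10:03 ftp1 ftpd[420]: FTP LOGIN FROM 198.51.100.7 as alice
EOF
}

# Flag sources with at least 5 failures spread over at least 4 usernames.
demo() {
    sample_log | ftp_guessers 5 4
}

demo
```

Passing a real log as the third argument, cut to a time window as in the post, yields the sources to rate-limit or block; the thresholds need tuning to the site's normal failure rate.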
Current thread:
- new ftp worm Mike Tancsa (Jan 06)
- <Possible follow-ups>
- RE: new ftp worm Jim Harrison (ISA) (Jan 07)
- vulnerability in glocation.cgi? Christine Kronberg (Jan 09)
- RE: new ftp worm Klašnja Dario (Jan 12)