Security Incidents mailing list archives
RE: Trojan of somesort - Update
From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Thu, 27 May 2004 18:15:26 -0400
Harlan Carvey wrote Thursday, May 27, 2004 15:27
> While it's true that the "tagged" FTP sites were filled w/ warez, my own investigations into these events showed quite clearly that not a single site was "hacked".
Thanks for mentioning this. Just to be clear, Bob the Builder's box was hacked, not just tagged. But BtB's name suggests he is more than qualified to repair or rebuild it - YES HE CAN! :).
> Rather, the automated script would look for FTP sites that allowed an anonymous user to write to the drive (check was done using "mkdir" command). As the script was automated, it simply rm'd the directory it created (if successful) and recorded the IP address for later use.
Yup. Any Internet-exposed FTP server that allows anonymous reading and writing in the same directory will eventually get tagged and start getting warez libraries. That doesn't mean that it is hacked, though. Tagging means marking, and does not imply any hack necessarily occurred.

Tagging scripts and tools like Grim's Ping normally just look for anonymous FTP servers and try to create tag directories or files. Tag directories often try to be harder to delete so they will still be there later and will protect the files under them, or the tag directories might just be logged and deleted as Harlan mentioned. Tag files are usually labeled with the size and tag, and are used for speed tests. The "tags" themselves don't hurt anything - they are just a marker unique to the crew that found the open server. So a tagged server won't necessarily show any trojans or odd open ports, because often the server is the victim of warez abuse but not hacking.

Search for GPUSER (string contained in the default "anonymous" password in Grim's Ping) in a few months of any anonymous FTP server log and there should be several attempts to "tag" by creating dirs. Any other mkdir entries might also show tagging attempts. The taggers often will create a directory that is deeply nested and that has characters in it to prevent many methods of deleting or even seeing them from Windows. These are just file naming tricks that may make the server appear hacked when it isn't. RMDIR /S on the top-level 8.3 name at the command line normally takes care of them without even a reboot. Then rearchitect anonymous login to eliminate the ability to both read and write files in any given directory, and you may be finished.
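The log review James describes (grep a few months of anonymous FTP logs for GPUSER and for mkdir attempts, then look at the directory names for the Windows naming tricks that make tag directories hard to see or delete) can be scripted. The following is an added example, not code from the list or from either poster. It assumes a W3C-style log layout (date, time, client IP, username, FTP command, argument, reply code) and uses a handful of constructed log lines; the field order, the reserved-name list and the nesting-depth threshold are assumptions, not something a particular FTP server is documented to produce.

```python
"""Scan FTP server log lines for warez "tagging" indicators.

Added example with a constructed log; the W3C-style field order below is an
assumption, so adapt LINE_RE to your own server's log format.
"""
import re
from collections import defaultdict

# Constructed sample log: one Grim's Ping style probe (GPUSER password, MKD then
# RMD to test anonymous write access), one ordinary download, and one tagger
# that leaves a directory using a Windows reserved device name and a trailing dot.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2004-05-27 02:11:03 203.0.113.7 - USER anonymous 331
2004-05-27 02:11:03 203.0.113.7 - PASS GPUSER@home.com 230
2004-05-27 02:11:04 203.0.113.7 anonymous MKD /pub/incoming/040527 257
2004-05-27 02:11:04 203.0.113.7 anonymous RMD /pub/incoming/040527 250
2004-05-27 02:11:05 203.0.113.7 anonymous QUIT - 221
2004-05-27 03:40:10 198.51.100.22 - USER anonymous 331
2004-05-27 03:40:10 198.51.100.22 - PASS mozilla@example.com 230
2004-05-27 03:40:12 198.51.100.22 anonymous RETR /pub/readme.txt 226
2004-05-27 03:40:13 198.51.100.22 anonymous QUIT - 221
2004-05-27 04:02:44 192.0.2.9 - USER anonymous 331
2004-05-27 04:02:44 192.0.2.9 - PASS guest@ 230
2004-05-27 04:02:46 192.0.2.9 anonymous MKD /pub/incoming/tagged 257
2004-05-27 04:02:47 192.0.2.9 anonymous MKD /pub/incoming/COM1/tag. 257
2004-05-27 04:02:50 192.0.2.9 anonymous MKD /pub/readonly/x 550
"""

# date time ip user method argument status  (argument may contain spaces)
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<user>\S+) "
    r"(?P<method>\S+) (?P<arg>.*?) (?P<status>\d{3})$"
)

# Windows reserved device names: a path component with one of these names is
# hard to list or delete with Explorer or plain cmd.exe commands.
WINDOWS_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_awkward_dirname(path: str) -> bool:
    """True if any path component uses a trick that hampers deletion from Windows:
    a trailing space or dot, a reserved device name, or an all-dots name."""
    for comp in path.strip("/").split("/"):
        if not comp:
            continue
        if comp != comp.rstrip(" ."):           # trailing space/dot
            return True
        if comp.split(".")[0].upper() in WINDOWS_RESERVED:
            return True
        if set(comp) <= {"."}:                  # "..." style names
            return True
    return False


def scan_ftp_log(text: str, max_depth: int = 6) -> dict:
    """Return per-client-IP findings for IPs that used the GPUSER password
    or issued a directory-creation command (MKD/XMKD).

    Each record holds: gpuser (bool), mkd (list of (path, reply code)),
    awkward (paths with Windows naming tricks or nesting deeper than
    max_depth), and anon_write_ok (True if any MKD got reply 257, i.e. the
    server let the client create a directory)."""
    findings = defaultdict(
        lambda: {"gpuser": False, "mkd": [], "awkward": [], "anon_write_ok": False}
    )
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, arg = m["ip"], m["method"].upper(), m["arg"]
        status = int(m["status"])
        rec = findings[ip]
        if method == "PASS" and "GPUSER" in arg.upper():
            rec["gpuser"] = True
        elif method in ("MKD", "XMKD"):
            rec["mkd"].append((arg, status))
            if status == 257:                   # RFC 959: "PATHNAME" created
                rec["anon_write_ok"] = True
            depth = arg.strip("/").count("/") + 1
            if is_awkward_dirname(arg) or depth > max_depth:
                rec["awkward"].append(arg)
    return {ip: rec for ip, rec in findings.items() if rec["gpuser"] or rec["mkd"]}


if __name__ == "__main__":
    for ip, rec in scan_ftp_log(SAMPLE_LOG).items():
        print(ip, rec)
```

In the constructed log the scan reports two clients: 203.0.113.7 (GPUSER password, one successful MKD) and 192.0.2.9 (three MKD attempts, one of them `/pub/incoming/COM1/tag.`, which is flagged as awkward); the ordinary downloader at 198.51.100.22 is not reported. An `anon_write_ok` of True for any anonymous client is the condition James says to remove by rearchitecting anonymous login so no directory is both readable and writable.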
Current thread:
- Re: Trojan of somesort - Update Bob the Builder (May 27)
- Re: Trojan of somesort - Update Paul Schmehl (May 27)
- Re: Trojan of somesort - Update Pho Man (May 27)
- Re: Trojan of somesort - Update Harlan Carvey (May 27)
- Re: Trojan of somesort - Update Harlan Carvey (May 27)
- RE: Trojan of somesort - Update James C Slora Jr (May 28)
- RE: Trojan of somesort - Update Harlan Carvey (May 28)
- RE: Trojan of somesort - Update James C Slora Jr (May 29)
- RE: Trojan of somesort - Update Harlan Carvey (May 28)
- Re: Trojan of somesort - Update Pho Man (May 27)
- Re: Trojan of somesort - Update Gadi Evron (May 28)
- Re: Trojan of somesort - Update Paul Schmehl (May 27)
- Re: Trojan of somesort - Update Paul Schmehl (May 28)
- Re: Trojan of somesort - Update Harlan Carvey (May 28)
- Re: Trojan of somesort - Update Gadi Evron (May 28)
- Changing file times, was -> Re: Trojan of somesort - Update Harlan Carvey (May 28)
- Re: Changing file times, was -> Re: Trojan of somesort - Update Gadi Evron (May 28)