Full Disclosure mailing list archives
ftp worm ?
From: Mike Tancsa <mike () sentex net>
Date: Tue, 06 Jan 2004 15:23:43 -0500
I have been noticing a flood of ftp attempts to various servers on our network recently. It's typically from some dialup / dynamic IP and it tries to ftp in to one of my machines as fast as it can with as many connections as possible using a fixed range of usernames.
e.g. in a 2hr period,

    grep "FTP LOGIN FAILED" /var/log/authentic | awk '{print $11}' | sort | uniq -c | sort -nr

    293 manager
    290 public
    289 private
    286 default
    262 security
    237 1234qwer
    218 123qwe
    214 user
    213 super
    209 123456
    197 000000
    192 Internet
    156 abcd
    143 abc123
    115 abc
    106 1234567
    104 123abc
    102 88888888
     95 password
     93 asdfgh
     88 computer
     84 5201314
     83 00000000
     79 !@#$%^&*()
     77 654321
     76 888888
     73 123asd
     71 11111
     71 !@#$%^&*
     68 passwd
     64 !@#$%^&*(
     61 111111
     58 asdf
     57 sql
     57 database
     51 111
     49 !@#$%
     45 pass
     45 !@#$
     43 54321
     42 server
     42 !@#$%^
     35 sybase
     34 oracle
     34 12345678
     34 1
     31 secret
     27 test
     27 11111111
     18 admin
     15 anyone
     10 !@#$%^&

This looks a lot like http://www.f-secure.com/v-descs/muma.shtml but I have not been able to find a description/variant that uses ftp. Is this a new version of muma ? Or just some worm / virus that uses the same list of users.
--------------------------------------------------------------------
Mike Tancsa,                          tel +1 519 651 3400
Sentex Communications,                mike () sentex net
Providing Internet since 1994         www.sentex.net
Cambridge, Ontario Canada             www.sentex.net/mike

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
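Added example, not part of the original post: the pipeline in the message counts failed logins per username; the variant below groups the same log lines per source, so a host cycling through a fixed username list stands apart from a user mistyping one password. The function name, the threshold, the sample lines and the log layout (source in field 10, username in field 11) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed log layout (consistent with the post's awk '{print $11}'):
#   Jan  6 13:01:02 srv ftpd[812]: FTP LOGIN FAILED FROM 192.0.2.10, manager
# i.e. field 10 is the source plus a trailing comma, field 11 the username.

# Constructed sample lines; addresses are documentation ranges, not real data.
sample_log() {
cat <<'EOF'
Jan  6 13:01:02 srv ftpd[812]: FTP LOGIN FAILED FROM 192.0.2.10, manager
Jan  6 13:01:02 srv ftpd[813]: FTP LOGIN FAILED FROM 192.0.2.10, public
Jan  6 13:01:03 srv ftpd[814]: FTP LOGIN FAILED FROM 192.0.2.10, private
Jan  6 13:01:03 srv ftpd[815]: FTP LOGIN FAILED FROM 192.0.2.10, default
Jan  6 13:01:04 srv ftpd[816]: FTP LOGIN FAILED FROM 192.0.2.10, manager
Jan  6 13:05:10 srv ftpd[820]: FTP LOGIN FAILED FROM 198.51.100.7, alice
Jan  6 13:05:31 srv ftpd[821]: FTP LOGIN FAILED FROM 198.51.100.7, alice
Jan  6 13:05:40 srv ftpd[821]: FTP LOGIN FROM 198.51.100.7 as alice
Jan  6 13:09:00 srv ftpd[830]: FTP LOGIN FAILED FROM 203.0.113.44, 123qwe
Jan  6 13:09:00 srv ftpd[831]: FTP LOGIN FAILED FROM 203.0.113.44, abc123
Jan  6 13:09:01 srv ftpd[832]: FTP LOGIN FAILED FROM 203.0.113.44, !@#$
EOF
}

# Usage: ftp_guessing_sources MIN_USERS < logfile
# Prints "source attempts distinct_users" for every source that failed logins
# under at least MIN_USERS different usernames, busiest source first.
ftp_guessing_sources() {
    min_users=${1:-3}
    grep "FTP LOGIN FAILED" |
    awk -v min="$min_users" '
        {
            src = $10; sub(/,$/, "", src)      # drop the trailing comma
            attempts[src]++
            if (!((src, $11) in seen)) {       # first time this source tried this name
                seen[src, $11] = 1
                users[src]++
            }
        }
        END {
            for (s in attempts)
                if (users[s] >= min) print s, attempts[s], users[s]
        }' |
    sort -k2,2nr -k1,1
}

sample_log | ftp_guessing_sources 3
```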