Full Disclosure mailing list archives
Re: ftp worm ?
From: Robert Perriero <perrieror1 () mail montclair edu>
Date: Thu, 15 Jan 2004 12:18:38 -0500
I would be willing to bet that this is a modified "pub scanner". Similar to the apache exploit posted, it appears as if it attempts to connect to machines using known user accounts and passwords. It probably isn't a worm, but rather someone behind a keyboard attempting to find a place to store warez.
-Bob

Mike Tancsa wrote:

I have been noticing a flood of ftp attempts to various servers on our network recently. It's typically from some dialup / dynamic IP and it tries to ftp in to one of my machines as fast as it can with as many connections as possible using a fixed range of usernames

e.g. in a 2hr period,

grep "FTP LOGIN FAILED" /var/log/authentic | awk '{print $11}' | sort | uniq -c | sort -nr

293 manager
290 public
289 private
286 default
262 security
237 1234qwer
218 123qwe
214 user
213 super
209 123456
197 000000
192 Internet
156 abcd
143 abc123
115 abc
106 1234567
104 123abc
102 88888888
95 password
93 asdfgh
88 computer
84 5201314
83 00000000
79 !@#$%^&*()
77 654321
76 888888
73 123asd
71 11111
71 !@#$%^&*
68 passwd
64 !@#$%^&*(
61 111111
58 asdf
57 sql
57 database
51 111
49 !@#$%
45 pass
45 !@#$
43 54321
42 server
42 !@#$%^
35 sybase
34 oracle
34 12345678
34 1
31 secret
27 test
27 11111111
18 admin
15 anyone
10 !@#$%^&

This looks a lot like http://www.f-secure.com/v-descs/muma.shtml but I have not been able to find a description/variant that uses ftp. Is this a new version of muma? Or just some worm / virus that uses the same list of users.

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike () sentex net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- ftp worm ? Mike Tancsa (Jan 06)
- Re: ftp worm ? daniel uriah clemens (Jan 06)
- Re: ftp worm ? Robert Perriero (Jan 15)
- Re: ftp worm ? Robert Perriero (Jan 15)
- Re: ftp worm ? Nick FitzGerald (Jan 15)