Security Incidents mailing list archives

Re: FTP scans from wanadoo.fr


From: "Alexandre Pinto" <alexcp () ciphertech com br>
Date: Tue, 18 Dec 2001 16:36:43 -0200


the anonymous login password: frequently [A-Z]gpuser () home com
an attempt to cd to some directories: /ftproot, /wwwroot, /_vti_bin,
/_vti_cnf, /cgi-bin, amongst others: the pattern varies, but all requests
take place within a second, so it's definitely scripted. This is followed by
an attempt to create a number of directories with a name such as
011203022432p, where the first 6 digits are YYMMDD.

Anyone recognise the tool?

That must be Grim's Ping (http://grimsping.cjb.net/).
There was a discussion about attacks generated by this tool recently on other
SecurityFocus lists (not sure if it was Vuln-Dev or Pen-Test).

Cheers,
Alexcp

--
Alexandre Correia Pinto
Product Development
Cipher Technology
http://www.ciphertech.com.br
_____
"IT Security - a Cipher Technology specialty"

----- Original Message -----
From: "dr john halewood" <john () frumious unidec co uk>
To: <aaron () aaronwolfe com>; <incidents () securityfocus com>
Sent: Tuesday, December 18, 2001 8:49 AM
Subject: Re: FTP scans from wanadoo.fr


There's a distinct pattern to these scans from wanadoo. Looking through some
logs (I allow anonymous login but with read-only access on one box), I've
noticed the following:

Cheers
john

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
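
The three indicators described in the thread (the anonymous password pattern, a burst of directory changes within one second, and creation of a directory whose name starts with YYMMDD) can be checked against FTP server logs. The following is an added example, not code from either poster or from the tool: the log layout, the sample lines, the burst threshold and the function names are assumptions, and the archive's obfuscated "() home com" is read as "@home.com".

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log; the "date time client COMMAND argument" layout is an assumption.
SAMPLE_LOG = """\
2001-12-03 02:24:31 192.0.2.10 PASS Xgpuser@home.com
2001-12-03 02:24:32 192.0.2.10 CWD /ftproot
2001-12-03 02:24:32 192.0.2.10 CWD /wwwroot
2001-12-03 02:24:32 192.0.2.10 CWD /_vti_bin
2001-12-03 02:24:32 192.0.2.10 CWD /cgi-bin
2001-12-03 02:24:33 192.0.2.10 MKD 011203022432p
2001-12-03 09:15:02 198.51.100.7 PASS someone@example.org
2001-12-03 09:15:40 198.51.100.7 CWD /pub
"""

PASSWORD_RE = re.compile(r"^[A-Z]gpuser@home\.com$")
# Shape taken from the one sample name in the thread: 12 digits followed by "p".
MKDIR_RE = re.compile(r"^(\d{6})\d{6}p$")
BURST_MIN = 3  # assumed threshold: CWD requests from one client in the same second

def is_dated_dir(name):
    """True if the last path component looks like 011203022432p with a valid YYMMDD prefix."""
    m = MKDIR_RE.match(name.rstrip("/").rsplit("/", 1)[-1])
    if not m:
        return False
    try:
        datetime.strptime(m.group(1), "%y%m%d")
    except ValueError:
        return False
    return True

def scan_indicators(log_text):
    """Return {client: sorted indicator names} for clients matching any indicator."""
    hits = defaultdict(set)
    cwd_per_second = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        date, clock, client, cmd, arg = parts
        if cmd == "PASS" and PASSWORD_RE.match(arg):
            hits[client].add("password")
        elif cmd == "CWD":
            cwd_per_second[(client, date, clock)] += 1
            if cwd_per_second[(client, date, clock)] >= BURST_MIN:
                hits[client].add("cwd_burst")
        elif cmd == "MKD" and is_dated_dir(arg):
            hits[client].add("dated_mkdir")
    return {client: sorted(names) for client, names in hits.items()}
```

A client that matches all three indicators is a much stronger signal than any one alone, since a single fast CWD burst can also come from a mirroring client.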








   

