Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

RE: FTP scans from wanadoo.fr

From: "Barber, Chris" <cbarber () criticalIP com>
Date: Tue, 18 Dec 2001 13:24:52 -0500
I have just looked at the few samples that have appeared here but it also
looks as if the last 6 digits (exclude the "p") may also be a time HHMMSS
and the "p" might indicate PM.

Chris.

-----Original Message-----
From: dr john halewood [mailto:john () frumious unidec co uk]
Sent: Tuesday, December 18, 2001 5:50 AM
To: aaron () aaronwolfe com; incidents () securityfocus com
Subject: Re: FTP scans from wanadoo.fr


There's a distinct pattern to these scans from wanadoo. Looking through some

logs (I allow anonymous login but with read-only access on one box). I've 
noticed the following:
the anonymous login password: frequently [A-Z]gpuser () home com
an attempt to cd to some directories: /ftproot, /wwwroot, /_vti_bin, 
/_vti_cnf, /cgi-bin, amongst others: the pattern varies, but all requests 
take place within a second, so it's definitely scripted. This is followed by

an attempt to create a number of directories with a name such as
011203022432p, where the first 6 digits are YYMMDD.

Anyone recognise the tool?

Cheers
john

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: