Security Incidents mailing list archives

RE: 2300 FTP accesses from Korea


From: Tom Laermans <tom.laermans () powersource cx>
Date: Tue, 19 Jun 2001 13:09:49 +0200

Hi,

At 23:15 18/06/2001, you wrote:
Thanks to everyone for the excellent suggestions. I dug a little deeper and found that this was indeed a brute force attack. But not for user id and password. They always logged in as the anonymous user. What they were trying to get to was a hidden file on this site. (All directory listings are hidden and the user must know the exact filename to be able to download.)

So they just kept on guessing the different filenames or what?


Check this out...

Edited for space and clarity (and a little obfuscation). All connections are from 211.203.38.222.

"[16/Jun/2001:07:02:42 -0700]","USER anonymous","331"
"[16/Jun/2001:07:02:42 -0700]","TYPE I","200"
"[16/Jun/2001:07:02:42 -0700]","PASS getright@","230"

This shows that it was getright download manager (www.getright.com) .. With a very large download list :-)

"[16/Jun/2001:07:02:42 -0700]","SIZE /download/pc/blah4702.exe","550"
"[16/Jun/2001:07:02:42 -0700]","SIZE download/pc/blah4702.exe","550"
"[16/Jun/2001:07:02:43 -0700]","SIZE /download/pc/blah4703.exe","550"
[snip]

"[16/Jun/2001:07:03:05 -0700]","SIZE /download/pc/blah4709.exe","550"
"[16/Jun/2001:07:03:05 -0700]","SIZE download/pc/blah4709.exe","550"
"[16/Jun/2001:07:03:12 -0700]","SIZE /download/pc/blah4710.exe","550"
"[16/Jun/2001:07:03:12 -0700]","SIZE download/pc/blah4710.exe","550"

It was probably set on auto-retry forever, and the program just kept on trying.
When it can't open a file like "/download/pc/blah4709.exe" it tries without leading backslash, which leads to 2 requests for one file.

They just kept on going for every combination or something?

-Tom

-------------------------------------------------
Web: http://www.powersource.cx --- ICQ#: 12120754
Also check this out:  http://kickme.to/sidewinder
Need some cheats?? http://www.chaos-cheatbase.com
Keep Fido&BBS Alive!     http://skynetbbs.dyns.cx
-------------------------------------------------
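The log excerpt above is a useful shape for a detection rule: an anonymous session that issues many SIZE commands answered with 550, each guess sent twice (with and without the leading slash). The following is an added example, not code from the original thread, that parses that three-field CSV log format, collapses the duplicate retry into one guess, and flags a session as filename enumeration. The sample lines are constructed, and the single-session assumption (the excerpt carries no source address field) is an assumption.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample lines in the same three-field CSV shape as the excerpt
# (timestamp, FTP command, reply code).  All lines are assumed to belong to
# one anonymous control connection; the real logs were filtered by address.
SAMPLE_LOG = """\
"[16/Jun/2001:07:02:42 -0700]","USER anonymous","331"
"[16/Jun/2001:07:02:42 -0700]","TYPE I","200"
"[16/Jun/2001:07:02:42 -0700]","PASS getright@","230"
"[16/Jun/2001:07:02:42 -0700]","SIZE /download/pc/blah4702.exe","550"
"[16/Jun/2001:07:02:42 -0700]","SIZE download/pc/blah4702.exe","550"
"[16/Jun/2001:07:02:43 -0700]","SIZE /download/pc/blah4703.exe","550"
"[16/Jun/2001:07:02:43 -0700]","SIZE download/pc/blah4703.exe","550"
"[16/Jun/2001:07:03:05 -0700]","SIZE /download/pc/blah4709.exe","550"
"[16/Jun/2001:07:03:05 -0700]","SIZE download/pc/blah4709.exe","550"
"[16/Jun/2001:07:03:12 -0700]","SIZE /download/pc/real.exe","213"
"""

def parse_log(text):
    """Yield (timestamp, verb, argument, reply_code) for each well-formed line."""
    for row in csv.reader(StringIO(text)):
        if len(row) != 3:
            continue                      # skip blank or malformed lines
        ts, cmd, code = row
        verb, _, arg = cmd.partition(" ")
        yield ts, verb, arg, code

def summarize_probes(text):
    """Summarise SIZE probes in one session.

    The leading '/' is stripped so the client's retry without it counts as
    the same guess rather than a second one.  A reply code of 550 is a
    failed guess; a 2xx reply means the hidden filename was found.
    """
    failed = Counter()
    found = set()
    client = None
    for _, verb, arg, code in parse_log(text):
        if verb == "PASS":
            client = arg                  # anonymous "password", e.g. getright@
        elif verb == "SIZE":
            path = arg.lstrip("/")
            if code == "550":
                failed[path] += 1
            elif code.startswith("2"):
                found.add(path)
    return {"client": client, "unique_failed": len(failed),
            "requests_failed": sum(failed.values()), "found": sorted(found)}

def looks_like_enumeration(summary, threshold=3):
    """Flag a session whose distinct failed SIZE probes reach the threshold."""
    return summary["unique_failed"] >= threshold
```

The threshold is a starting point; tune it against how many 550s a legitimate download-manager user produces on your own server.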
