Security Incidents mailing list archives

What's the tool?


From: Sean Brown <srbrown () APPGEO COM>
Date: Tue, 20 Mar 2001 11:31:48 -0500

Greetings,
I've been seeing a number of, apparently, automated scans for FTP.  When
an FTP site is found, the tool logs on anonymously and attempts to
create a directory in a couple of different places.  If unsuccessful, it
logs off.   The directory it tries to create is named for the date/time
of the probe, i.e. 010320101054p for March 20, 2001, 10:10:54pm.  Below
are some log excerpts showing the probe.  All it appears to be doing is
looking for upload capabilities on anonymous FTP sites (future warez
locations?).  The source locations for the probes hitting me have been
France and Germany.  IP header signatures indicate that the tool may be
Windows-based.

Does anyone know what this tool is?

Log Entries:
============
Mar 20 04:37:49 62.226.81.91:3174 -> x.y.z.195:21 SYN ******S*
Mar 20 04:37:49 62.226.81.91:3179 -> x.y.z.200:21 SYN ******S*
<--snip-->

Snort IDS excerpt:
[**] FTP SYN probe [**]
03/20-04:37:46.411833 0:60:1D:20:F7:5F -> 0:50:4:B0:A:74 type:0x800
len:0x42
62.226.81.91:3174 -> x.y.z.195:21 TCP TTL:115 TOS:0x0 ID:580
IpLen:20 DgmLen:52 DF
******S* Seq: 0xD3755505  Ack: 0x0  Win: 0xFF3C  TcpLen: 32
TCP Options (6) => MSS: 536 NOP WS: 2 NOP NOP SackOK

[**] FTP SYN probe [**]
03/20-04:37:46.664004 0:60:1D:20:F7:5F -> 0:50:4:B0:A:74 type:0x800
len:0x42
62.226.81.91:3179 -> x.y.z.200:21 TCP TTL:115 TOS:0x0 ID:591
IpLen:20 DgmLen:52 DF
******S* Seq: 0xD37ABB42  Ack: 0x0  Win: 0xFF3C  TcpLen: 32
TCP Options (6) => MSS: 536 NOP WS: 2 NOP NOP SackOK

Activity log excerpt:
Mar 20 04:37:53 <my_site> ftpd[12992]: ANONYMOUS FTP LOGIN FROM
p3EE2515B.dip.t-dialin.net [62.226.81.91], guest () here com
Mar 20 04:37:55 <my_site> ftpd[12992]: anonymous(guest () here com) of
p3EE2515B.dip.t-dialin.net [62.226.81.91] tried to create directory
/home/ftp/pub/010320101054p
Mar 20 04:37:56 <my_site> ftpd[12992]: anonymous(guest () here com) of
p3EE2515B.dip.t-dialin.net [62.226.81.91] tried to create directory
/home/ftp/010320101055p
Mar 20 04:37:57 <my_site> ftpd[12992]: FTP session closed

Thanks,
Sean
--
~~~~~~~~~~~~~~~
Sean R. Brown - srbrown () appgeo com
System Administrator   Applied Geographics, Inc.   Boston, MA
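
A log check for the pattern reported in this message, added here as an example (not part of the original post and not the poster's code): it correlates ftpd lines by process ID and flags anonymous sessions that try to create directories named in the YYMMDDhhmmss+a/p form. It assumes the ftpd message wording shown in the excerpt with wrapped lines rejoined; the function names, host names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (placeholder hosts/IPs), modelled on the post's ftpd excerpt, unwrapped.
SAMPLE_LOG = """\
Mar 20 04:37:53 ftphost ftpd[12992]: ANONYMOUS FTP LOGIN FROM scanner.example [192.0.2.10], guest@example.com
Mar 20 04:37:55 ftphost ftpd[12992]: anonymous(guest@example.com) of scanner.example [192.0.2.10] tried to create directory /home/ftp/pub/010320101054p
Mar 20 04:37:56 ftphost ftpd[12992]: anonymous(guest@example.com) of scanner.example [192.0.2.10] tried to create directory /home/ftp/010320101055p
Mar 20 04:37:57 ftphost ftpd[12992]: FTP session closed
Mar 20 05:02:10 ftphost ftpd[13050]: ANONYMOUS FTP LOGIN FROM user.example [198.51.100.7], someone@example.org
Mar 20 05:02:31 ftphost ftpd[13050]: anonymous(someone@example.org) of user.example [198.51.100.7] tried to create directory /home/ftp/incoming/photos
"""

LINE = re.compile(r"ftpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
LOGIN = re.compile(r"ANONYMOUS FTP LOGIN FROM \S+ \[(?P<ip>[\d.]+)\]")
MKDIR = re.compile(r"tried to create directory (?P<path>\S+)")
# Name format described in the post: YYMMDD, 12-hour hhmmss, then 'a' or 'p'.
STAMP = re.compile(r"^(\d{6})(0[1-9]|1[0-2])([0-5]\d[0-5]\d)([ap])$")

def decode_stamp(name):
    """Return the datetime encoded in a probe directory name, or None."""
    m = STAMP.match(name)
    if not m:
        return None
    date, hh, mmss, ampm = m.groups()
    hour = int(hh) % 12 + (12 if ampm == "p" else 0)  # 12a -> 00, 12p -> 12
    try:
        return datetime.strptime(f"{date}{hour:02d}{mmss}", "%y%m%d%H%M%S")
    except ValueError:  # digits that are not a real date, e.g. month 13
        return None

def find_probes(log_text):
    """Map source IP -> [(path, decoded time)] for timestamp-named mkdir attempts."""
    ip_by_pid, hits = {}, defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if (login := LOGIN.search(msg)):
            ip_by_pid[pid] = login.group("ip")
        elif (mk := MKDIR.search(msg)) and pid in ip_by_pid:
            when = decode_stamp(mk.group("path").rsplit("/", 1)[-1])
            if when:
                hits[ip_by_pid[pid]].append((mk.group("path"), when))
        elif "FTP session closed" in msg:
            ip_by_pid.pop(pid, None)  # PIDs get reused; drop stale mapping
    return dict(hits)
```

Calling `find_probes(SAMPLE_LOG)` reports only the first session; the ordinary `photos` directory in the second session is not flagged.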

