Security Incidents mailing list archives

Re: What's the tool?


From: Greg Owen <gowen () DIGITALGOODS COM>
Date: Tue, 20 Mar 2001 17:49:52 -0500

I've been seeing a number of, apparently, automated scans for
FTP.  When an FTP site is found, the tool logs on anonymously
and attempts to create a directory in a couple of different
places.  If unsuccessful, it logs off.   The directory it
tries to create is named for the date/time of the probe, i.e.
010320101054p for March 20, 2001, 10:10:54pm.
...
Does anyone know what this tool is?

        I think that may be Grim's Ping:

http://grimsping.cjb.net/index.htm

        I get scans from those people all the time.  I ended up writing a
script to monitor the FTP log and to drop anybody tooling the site into the
firewall deny list just so that I wouldn't have to clean up after them.  And
yes, most of them are European:

--
        gowen -- Greg Owen -- gowen () DigitalGoods com
              SoftLock.com is now DigitalGoods!
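
The kind of log monitor described in the reply above can be sketched as follows. This is an added example, not Greg Owen's script: it flags anonymous sessions whose MKD argument is a date/time stamp like 010320101054p and emits one DENY line per offending client. The six-field log layout, the sample hosts and the min_hits parameter are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from posixpath import basename

# Probe directory name as described in the post: YYMMDDHHMMSS plus 'a' or 'p'.
STAMP = re.compile(r"\d{12}[ap]")

def is_probe_dirname(name):
    """True if name is a valid 12-hour timestamp such as 010320101054p."""
    if not STAMP.fullmatch(name):
        return False
    yy, mo, dd, hh, mi, ss = (int(name[i:i + 2]) for i in range(0, 12, 2))
    try:
        datetime(2000 + yy, mo, dd)  # rejects impossible calendar dates
    except ValueError:
        return False
    return 1 <= hh <= 12 and mi < 60 and ss < 60

def deny_list(log_lines, min_hits=1):
    """Return sorted 'DENY <client>' lines for anonymous probe-style MKDs."""
    hits = Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # skip lines that do not fit the assumed layout
        _date, _time, client, user, command, arg = fields
        if user.lower() not in ("anonymous", "ftp") or command.upper() != "MKD":
            continue
        if is_probe_dirname(basename(arg.rstrip("/"))):
            hits[client] += 1
    return [f"DENY {c}" for c, n in sorted(hits.items()) if n >= min_hits]

# Constructed sample log (assumed layout: date time client user command argument).
SAMPLE_LOG = """\
2001-03-20 22:10:54 scanner.example.net anonymous MKD /010320101054p
2001-03-20 22:10:55 scanner.example.net anonymous MKD /pub/010320101055p
2001-03-20 22:10:56 scanner.example.net anonymous MKD /incoming/010320101056p/
2001-03-20 22:30:02 192.0.2.17 anonymous MKD /incoming/drivers
2001-03-20 22:41:10 192.0.2.44 alice MKD /home/alice/010320104110p
2001-03-20 23:05:31 198.51.100.9 ftp MKD /pub/019940110531p
2001-03-21 01:02:03 198.51.100.23 anonymous MKD /incoming/010321010203a
""".splitlines()

if __name__ == "__main__":
    print("\n".join(deny_list(SAMPLE_LOG)))
```

Raising min_hits to 2 keeps only clients that tried the stamp in more than one place, which reduces the chance of blocking a legitimate uploader who happens to use a timestamp as a directory name.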