Security Incidents mailing list archives

Re: 'FrogEater'


From: "Greg Owen" <gowen () swynwyr com>
Date: Wed, 16 May 2001 20:28:33 -0400

At the moment I'm responsible for an ftp site which allows anonymous write
access to a directory to allow development partners to upload files.  They
have also been hit with warez activity similar to FrogEater, with 1K and
1MB test files being uploaded, followed by various directories (.tmp,
tagged, 010305102214p etc.) being created and warez uploaded.  I wonder
whether there is any way (perhaps using network/host ids signatures) to
detect this sort of activity and block the intruding warez d00d, or at
least alert a sysadmin?

    I was running a similar site; it allowed anon upload but not download.
I had lots of warez activity, the tools creating directories, and the
occasional d00d uploading before he realized he couldn't download again.  I
finally configured my FTP daemon to log all commands and ran 'tail -f log |
program' where program looked for suspicious commands ('STOR 1mb', 'PASS
l33ch', etc. etc.)  When it got a match it dropped the offender into
ipchains.  The amount of time I spent cleaning up after them dropped
dramatically.

    Unfortunately, I don't know of any FTP daemons that will do this on
their own.  It would be a nice way to shut out the automated tools.

--
        gowen -- Greg Owen -- gowen () swynwyr com
        79A7 4063 96B6 9974 86CA  3BEF 521C 860F 5A93 D66D
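The 'tail -f log | program' detector described in the reply, as an added example (not Greg's own program and not any FTP daemon's feature). The log line shape, the client IPs and the ipchains invocation are assumptions; the patterns come from the commands and directory names named in the thread.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Patterns modelled on the thread: 'STOR 1mb', 'PASS l33ch', and the
# directory names from the quoted question (.tmp, tagged, 010305102214p).
SUSPICIOUS = [
    re.compile(r"\bSTOR\b.*\b1mb\b", re.I),
    re.compile(r"\bPASS\b.*l33ch", re.I),
    re.compile(r"\bMKD\b.*(?:\.tmp|tagged)", re.I),
    re.compile(r"\bMKD\b.*\b\d{12}[a-z]\b", re.I),  # timestamp-style dir names
]

# Assumed (constructed) command-log line shape: "<timestamp> <client-ip> <COMMAND> [args]".
LINE_RE = re.compile(r"^\S+\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<cmd>.+)$")

def is_suspicious(cmdline: str) -> bool:
    """True if the FTP command line matches any known warez-tool pattern."""
    return any(p.search(cmdline) for p in SUSPICIOUS)

def find_offenders(lines: Iterable[str], threshold: int = 2) -> Dict[str, List[str]]:
    """Map client IP -> matching command lines, for IPs with >= threshold hits.
    The threshold keeps a single odd-looking command from blocking a partner."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in lines:  # in production this would be the tailed daemon log
        m = LINE_RE.match(line.strip())
        if m and is_suspicious(m["cmd"]):
            hits[m["ip"]].append(m["cmd"])
    return {ip: cmds for ip, cmds in hits.items() if len(cmds) >= threshold}

def block_commands(offenders: Iterable[str], chain: str = "input") -> List[str]:
    """Emit (not execute) ipchains DENY rules, the firewall the reply names; assumed syntax."""
    return [f"ipchains -A {chain} -s {ip} -j DENY" for ip in sorted(offenders)]

# Constructed sample log: one warez tool session, one legitimate partner upload,
# and a lone directory creation that stays below the threshold.
SAMPLE_LOG = [
    "2001-05-16T20:01:02 10.0.0.5 USER anonymous",
    "2001-05-16T20:01:03 10.0.0.5 PASS l33ch@",
    "2001-05-16T20:01:09 10.0.0.5 STOR 1mb",
    "2001-05-16T20:01:15 10.0.0.5 MKD .tmp",
    "2001-05-16T20:02:00 192.168.1.20 USER anonymous",
    "2001-05-16T20:02:01 192.168.1.20 PASS partner@example.com",
    "2001-05-16T20:02:30 192.168.1.20 STOR build-2001-05-16.tar.gz",
    "2001-05-16T20:03:12 172.16.0.9 MKD 010305102214p",
]

if __name__ == "__main__":
    for rule in block_commands(find_offenders(SAMPLE_LOG)):
        print(rule)
```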

