Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re[2]: Identify Method

From: Joris De Donder <joris () security-downloads com>
Date: Wed, 30 May 2001 18:19:33 +0200
Wednesday, May 30, 2001, 2:18:03 PM, you wrote:
IJ> I found the same attempt was made on some of our systems. I first noticed a
IJ> scan
IJ> in our firewall logs last Tuesday or Wednesday (5/22-5/23). After ftp
IJ> service was detected, a login attempt was made by anonymous with password
IJ> guest () here com. We have no need for anonymous login and our servers are
IJ> patched up to the latest security patch, so I didn't worry, just made note.
IJ> I just assumed it was someone looking for anonymous ftp servers. However,
IJ> given your information below, I beginning to suspect that it may be
IJ> something more malicious. Perhaps it is just a program looking for anonymous
IJ> ftp, but why try and created an *.asp file? Anyone else have some input?

They are looking for anonymous ftp servers they can use to store their
warez. Basically they just scan a range with a tool like 'grimsping'
(http://grimsping.cjb.net), upload a 1kb or 1Mb file to check the
speed on your server and use 'space.asp' to see how much free space is
left.


sincerely
Joris De Donder

http://www.Security-Downloads.Com
Previous By Date Next
Previous By Thread Next

Current thread: