Security Incidents mailing list archives

RE: Identify Method


From: "John Spinks" <jspinks () waitrose com>
Date: Thu, 31 May 2001 07:08:47 +0100


I have also suffered the same problem when an FTP server located in
an isolated IP block, with no DNS entries for any of the addresses,
was discovered. Father Christmas visited me one Sunday evening and
left me with several gigabytes of MP3 files (very poor taste in music
I must add). It took him 14 hours to upload the files, and me only 5
minutes to delete and secure. Since that day, I receive polls from
addresses trying to write to my server every 15 minutes. None of them
gets very far.

John
Former music supplier to the masses.


-----Original Message-----
From: Jeff Peterson [mailto:Jpeterson () btiis net]
Sent: 30 May 2001 16:46
To: 'Ingersoll, Jared'; 'CL: Nelson, Jeff';
'FOCUS-MS () SECURITYFOCUS COM'
Cc: incidents () securityfocus com
Subject: RE: Identify Method


Jeff has been tagged for the warez scene.  I had this happen to my FTP
server.  I finally had to make the whole site read-only.  I had the very
same passwords used, along with others, such as "uberdeleter".  Your
address will appear on a site known to the warez people as SWAA.  A brief
description of available files may be included in the posting.  In the
near future people in the warez know will start using your site for
storage; they may download files, or just start randomly deleting files.

You should tighten security very much, and very soon.

Jeff Peterson,
Former warez victim.

P.S.  Is it wrong to slip a trojan into the stuff they download, and
hit them back?  :)

-----Original Message-----
From: Ingersoll, Jared [mailto:JIngersoll () cswv com]
Sent: Wednesday, May 30, 2001 5:18 AM
To: 'CL: Nelson, Jeff'; 'FOCUS-MS () SECURITYFOCUS COM'
Cc: incidents () securityfocus com
Subject: RE: Identify Method


Jeff,

I found the same attempt was made on some of our systems. I first
noticed a scan in our firewall logs last Tuesday or Wednesday
(5/22-5/23). After ftp service was detected, a login attempt was made by
anonymous with password guest () here com. We have no need for anonymous
login and our servers are patched up to the latest security patch, so I
didn't worry, just made note. I just assumed it was someone looking for
anonymous ftp servers. However, given your information below, I am
beginning to suspect that it may be something more malicious. Perhaps it
is just a program looking for anonymous ftp, but why try and create an
*.asp file? Anyone else have some input?

Jared
-----Original Message-----
From: CL: Nelson, Jeff [mailto:JNelson () cmccontrols com]
Sent: Tuesday, May 29, 2001 10:28 AM
To: 'FOCUS-MS () SECURITYFOCUS COM'
Subject: Identify Method


Good day,

Time to admit complete ignorance here. Some person created several
directories in _vti_pvt. I've tried to replicate what I have in my
IIS logs to no avail. Here is what I see:

USER    anonymous       331
PASS    anonymous () on the net 230
MKD     /_vti_pvt/+.+tagged+4+SWAA      257
QUIT    -       257

Then another 14 minutes later:

USER anonymous 331
PASS guest () here com 230
created /1kbtest.ptf 250
DELE /1kbtest 250
created /space.asp 226
DELE /space.asp 250

First, what is going on? How were they able to do this? When I try I
get an error stating path cannot be found.

Second, (and I think I've asked this before) is there a resource that
goes in-depth to what is taking place? Most of the material I have is
for Unix systems, not IIS.

Regards,

Jeff

Jeffrey L. Nelson
Network Manager; Cleveland Motion Controls
jnelson () cmccontrols com; 216-642-5147
----
"The musical notes are only five in number but their melodies are so
numerous that one cannot visualize them all."   -- Sun Tzu


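A detection check for the pattern in Jeff's IIS FTP log, added here as an example and not code from any poster in the thread: it groups log lines of the three-column shape quoted above (command, argument, reply code) into sessions, and alerts when an anonymous login completes a write (MKD, upload recorded as "created", DELE, and so on), escalating when the path carries the "tagged"/SWAA marker. The sample log is constructed, the reply-code threshold and marker list are assumptions, and a session with a refused login and a failed MKD is included to show it does not alert.

```python
import re

# Write-class FTP commands; "created" is how the IIS FTP log records a completed upload.
WRITE_COMMANDS = {"MKD", "RMD", "STOR", "APPE", "DELE", "RNFR", "RNTO", "created"}
# Path fragments the thread associates with warez "tagging" of a writable server.
TAG_MARKERS = ("tagged", "SWAA", "_vti_pvt")
# command, argument, 3-digit reply code, matching the log excerpt quoted above.
LINE_RE = re.compile(r"^(\S+)\s+(.*?)\s+(\d{3})$")

def parse_sessions(lines):
    """Group log lines into sessions (one per USER command) and keep successful writes."""
    sessions, current = [], None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines
        cmd, arg, status = m.group(1), m.group(2), int(m.group(3))
        if cmd == "USER":
            current = {"user": arg.lower(), "writes": [], "tags": []}
            sessions.append(current)
        elif current and cmd in WRITE_COMMANDS and 200 <= status < 300:
            current["writes"].append(cmd)  # only 2xx replies count as real writes
            if any(marker in arg for marker in TAG_MARKERS):
                current["tags"].append(arg)
    return sessions

def anonymous_write_alerts(lines):
    """Return (severity, user, commands, tagged paths) for anonymous sessions that wrote."""
    alerts = []
    for s in parse_sessions(lines):
        if s["user"] in ("anonymous", "ftp") and s["writes"]:
            severity = "tagged" if s["tags"] else "anonymous-write"
            alerts.append((severity, s["user"], s["writes"], s["tags"]))
    return alerts

# Constructed sample shaped like the thread's excerpt; the third session is a refused
# login followed by a refused MKD and must not produce an alert.
SAMPLE_LOG = """USER anonymous 331
PASS anonymous@example.invalid 230
MKD /_vti_pvt/+.+tagged+4+SWAA 257
QUIT - 257
USER anonymous 331
PASS guest@example.invalid 230
created /1kbtest.ptf 250
DELE /1kbtest 250
created /space.asp 226
DELE /space.asp 250
USER anonymous 331
PASS probe@example.invalid 530
MKD /test 550""".splitlines()
```

Running `anonymous_write_alerts(SAMPLE_LOG)` yields two alerts, the first "tagged" for the _vti_pvt directory and the second "anonymous-write" for the upload/delete probe; the read-only fix Jeff Peterson describes would turn those 2xx replies into 5xx and silence both.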

