Security Incidents mailing list archives

RE: 'FrogEater'


From: "Richard Bartlett" <richard () hackerimmunity com>
Date: Wed, 16 May 2001 16:20:45 +0100

At the moment I'm responsible for an ftp site which allows anonymous write
access to a directory to allow development partners to upload files.  They
have also been hit with warez activity similar to FrogEater, with 1K and
1MB test files being uploaded, followed by various directories (.tmp,
tagged, 010305102214p etc.) being created and warez uploaded.  I wonder
whether there is any way (perhaps using network/host ids signatures) to
detect this sort of activity and block the intruding warez d00d, or at least
alert a sysadmin?

Any ideas?

Richard Bartlett
Hacker Immunity Ltd

(I'm currently working on setting up permissions so the uploadable
directories are execute only; i.e. you can't see it in dir/ls, but you can
cd to it, and the dir names will be suitably obscure to prevent them being
guessed).

-----Original Message-----
From: James W. Abendschan [mailto:jwa () jammed com]
Sent: 12 May 2001 02:58
To: incidents () securityfocus com
Subject: Re: 'FrogEater'


On Tue, 24 Apr 2001, James W. Abendschan wrote:
> This is not a security incident as much as it's fingerprints of warez
> d00d activity, but I was curious if anyone else has seen this tool.

[ .. ]

Well, while the general consensus was that this was not a tool,
I'm still not convinced it wasn't something like Grim's Ping.
( http://grimsping.cjb.net/ )

Chris G. pointed me to a warez d00d discussion site where someone going
by the handle of FrogEater hangs out:

  http://www.netknowledgebase.com/forum/bb_profile.php?mode=view&user=61

Someone else suggested using a FTP search engine instead of google
to hunt for these things (doh!).  While 'FrogEater' didn't show up,
the '1MB.TEST' file did:

  http://www.ftpfind.com/search.php?query=1MB.TEST&method=iss&limdom=&limpath=&sort=date&ppage=500&x=23&y=4

.. the earliest seems to be 12 April 2000, but who knows how complete
ftpfind.com is :-)

warez.. sigh..

James
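
One way to approach the log-based detection asked about above, as an added example that is not part of the original thread. It assumes the FTP server writes wu-ftpd-style xferlog lines; the sample log, the host names and the two patterns (generalised from the file and directory names quoted in the thread) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in wu-ftpd xferlog format (the log format is an assumption).
SAMPLE_XFERLOG = """\
Thu May 10 02:14:01 2001 1 host-a.example.net 1024 /incoming/1KB.TEST b _ i a mozilla@ ftp 0 * c
Thu May 10 02:14:07 2001 3 host-a.example.net 1048576 /incoming/1MB.TEST b _ i a mozilla@ ftp 0 * c
Thu May 10 02:20:44 2001 610 host-a.example.net 15000000 /incoming/.tmp/tagged/010305102214p/disk1.rar b _ i a mozilla@ ftp 0 * c
Thu May 10 09:02:13 2001 12 partner.example.org 482133 /incoming/build-0510.tar.gz b _ i a dev@partner.example.org ftp 0 * c
Thu May 10 09:30:00 2001 2 host-b.example.com 20480 /pub/README b _ o a guest@ ftp 0 * c
"""

# Patterns generalised from the names quoted in the thread (assumptions).
PROBE_RE = re.compile(r"^1(KB?|MB?)[._-]?TEST", re.I)   # 1K / 1MB test files
DIR_RE = re.compile(r"^(\.tmp|tagged|\d{12}p)$", re.I)  # .tmp, tagged, 010305102214p

def parse(line):
    """Return (host, path, direction, access_mode), or None if malformed."""
    f = line.split()
    if len(f) < 18:  # 5 date fields + 3 + filename + 9 trailing fields
        return None
    # The filename sits between the fixed leading and trailing fields.
    return f[6], " ".join(f[8:-9]), f[-7], f[-6]

def find_suspects(log_text):
    """Group anonymous uploads per host into probe files and tagged-dir uploads."""
    hits = defaultdict(lambda: {"probes": [], "tagged": []})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        host, path, direction, access = rec
        if direction != "i" or access != "a":  # incoming, anonymous only
            continue
        *dirs, name = path.strip("/").split("/")
        if PROBE_RE.match(name):
            hits[host]["probes"].append(path)
        # xferlog records transfers, not MKD, so directories show up via upload paths.
        if any(DIR_RE.match(d) for d in dirs):
            hits[host]["tagged"].append(path)
    return dict(hits)

def alerts(log_text):
    """'high' when a host both probed and uploaded into a tagged directory."""
    return {h: "high" if v["probes"] and v["tagged"] else "low"
            for h, v in find_suspects(log_text).items()}

if __name__ == "__main__":
    for host, level in alerts(SAMPLE_XFERLOG).items():
        print(level, host)
```

The per-host result can feed a mail alert or a deny rule for the offending address.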

