Security Incidents mailing list archives
RE: ano () ano com ftpd dip.t-dialin.net
From: "Rick Darsey" <rdarsey () aims1 com>
Date: Thu, 7 Nov 2002 07:50:19 -0600
Although I have not seen this particular item, I have blocked any access from dip-t-dial.net to any of my servers. Over the last 2 years, I have seen repeated attempts to log into my ftp servers using various exploits, and attempts to gain access to these servers via telnet. I have notified the admins at "dipsters" several times, with no success. It would seem that there are a number of hackers/crackers that work from dip-t, or spoof the IP block, and the admins do not seem to think it is necessary to do anything about it.

Another one is wanadoo.fr; I have seen the same pattern of attempts from them as well.

Rick

-----Original Message-----
From: Owen McCusker [mailto:mccusker () sonalysts com]
Sent: Wednesday, November 06, 2002 3:50 PM
To: incidents () securityfocus com
Subject: ano () ano com ftpd dip.t-dialin.net

I have seen some interesting access on a few anonymous ftp server logs. The following sequence occurs:

1) The user logs on anonymously with the username ano () ano com.
2) user transfers a repeating binary file XXX.XXX where the X is a digit (e.g. 471.995) the file has a repeating pattern to it.
   the file size is: 104154 (bytes)
   file name was: 471.995 (maybe a sequencing number for reassembly...)
   contents look like: (via text editor)
   .3;ØÎg3pBØÇ=´g?Ãä?[o¼gÃò?«gÝÃA?[\ÃO?[Ã;g34?[Ãdr3.............
   (maybe encrypted text?)
3) The user accesses the file later on.

The users are from dip.t-dial.net, the user RIPE the description includes: Deutsche Telekom AG, Internet Service Provider, CeBIT 99

I am not sure what these users are doing. Maybe they are trying to set up some way to perform "store and forward" services via anonymous FTP. Maybe this is somehow related to the same scheme devised using iroffer (aka DCC bot).

Has anyone else seen this type of activity from dip.t-dialin.net, or dipsters for short ;-)?

Owen

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
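One way to search FTP transfer logs for the sequence described in the quoted message (anonymous login as ano@ano.com, upload of an NNN.NNN file, later retrieval), given as an added example that is not part of either message. It assumes the server writes wu-ftpd style xferlog lines, which the post does not state; the address is the de-obfuscated form of the archive's "ano () ano com", and the sample lines and host names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in wu-ftpd xferlog layout (an assumption; the post does not
# name the daemon). Hosts are placeholders, not values from the thread.
SAMPLE_XFERLOG = """\
Wed Nov  6 14:02:11 2002 9 host-a.example 104154 /incoming/471.995 b _ i a ano@ano.com ftp 0 * c
Wed Nov  6 14:05:40 2002 2 host-b.example 20480 /pub/README b _ o a user@site.example ftp 0 * c
Wed Nov  6 19:44:03 2002 8 host-c.example 104154 /incoming/471.995 b _ o a ano@ano.com ftp 0 * c
Thu Nov  7 08:10:27 2002 7 host-d.example 104154 /incoming/472.001 b _ i a ano@ano.com ftp 0 * c
"""

NUMERIC_NAME = re.compile(r"^\d{3}\.\d{3}$")  # file names such as 471.995


def parse_xferlog(text):
    """Yield one dict per well-formed xferlog line, skipping anything else."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18 or not f[7].isdigit():
            continue
        # A file name may contain spaces, so index fixed fields from both ends.
        yield {"time": " ".join(f[0:5]), "host": f[6], "size": int(f[7]),
               "path": " ".join(f[8:-9]), "direction": f[-7],
               "access": f[-6], "ident": f[-5]}


def find_drop_files(text, ident="ano@ano.com"):
    """Map path -> uploads/downloads for NNN.NNN files that an anonymous user
    giving `ident` uploaded and that an anonymous user fetched afterwards."""
    seen = defaultdict(lambda: {"uploads": [], "downloads": []})
    for r in parse_xferlog(text):  # xferlog is written in time order
        name = r["path"].rsplit("/", 1)[-1]
        if r["access"] != "a" or not NUMERIC_NAME.match(name):
            continue
        event = (r["time"], r["host"], r["size"])
        if r["direction"] == "i" and r["ident"] == ident:
            seen[r["path"]]["uploads"].append(event)
        elif r["direction"] == "o" and seen[r["path"]]["uploads"]:
            seen[r["path"]]["downloads"].append(event)
    return {p: v for p, v in seen.items() if v["downloads"]}


if __name__ == "__main__":
    for path, hits in find_drop_files(SAMPLE_XFERLOG).items():
        print(path, hits)
```

Files that were uploaded but not yet fetched (472.001 in the sample) are left out of the result; dropping the final filter lists them as well.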