Security Incidents mailing list archives
Re: Attempted FTP intrusion
From: Tillmann Werner <tillmann.werner () gmx de>
Date: Wed, 31 Jan 2007 23:09:16 +0100
David,
Although none of the login attempts succeeded, on some machines it also attempted to remove a directory named "sarcaxxo". This links it to incidents reported by other sites as far back as the beginning of November 2006. Nobody yet seems to know what's behind this.
Looks pretty much like the "inode ftp scanner" (attached). As you can see, it tries to delete the mentioned directory after a failed login attempt. However, the code is really lame - this is how you should not do it.

Regards,
Tillmann
Attachment:
ftp_scanner.c
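
An added illustration, not part of the original post or its attachment: a log check for the pattern described in the thread, a remove-directory request for "sarcaxxo" from a session that has not logged in. The log format, sample lines and function name are constructed assumptions; adapt the parser to your FTP daemon's real log format.

```python
import re
from collections import defaultdict

INDICATOR = "sarcaxxo"  # directory name reported in the thread

# Constructed log format (an assumption, not a real daemon's format):
#   <time> <client-ip> <session-id> <FTP command> <argument> <reply code>
LINE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Za-z]+) (.*) (\d{3})$")

# Constructed sample data; addresses are from documentation ranges.
SAMPLE_LOG = """\
22:01:07 192.0.2.10 s1 USER admin 331
22:01:07 192.0.2.10 s1 PASS **** 530
22:01:08 192.0.2.10 s1 RMD sarcaxxo 530
22:03:11 198.51.100.7 s2 USER alice 331
22:03:12 198.51.100.7 s2 PASS **** 230
22:03:15 198.51.100.7 s2 RMD old_reports 250
22:05:40 192.0.2.10 s3 USER root 331
22:05:40 192.0.2.10 s3 PASS **** 530
22:05:41 192.0.2.10 s3 QUIT - 221
this line is malformed and is skipped
"""

def find_scanner_sessions(log_text, indicator=INDICATOR):
    """Return {session_id: client_ip} for sessions that asked to remove
    the indicator directory before any successful login."""
    sessions = defaultdict(lambda: {"ip": None, "authed": False, "hit": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not fit the constructed format
        _time, ip, sid, cmd, arg, reply = m.groups()
        s = sessions[sid]
        s["ip"] = ip
        cmd = cmd.upper()
        if cmd in ("USER", "PASS") and reply == "230":
            s["authed"] = True  # 230 = user logged in
        # RMD (RFC 959) and XRMD (RFC 775) are the remove-directory commands
        if cmd in ("RMD", "XRMD") and not s["authed"]:
            # compare the last path component, case-insensitively
            name = arg.rstrip("/").rsplit("/", 1)[-1].lower()
            if name == indicator:
                s["hit"] = True
    return {sid: s["ip"] for sid, s in sessions.items() if s["hit"]}

if __name__ == "__main__":
    for sid, ip in find_scanner_sessions(SAMPLE_LOG).items():
        print(f"session {sid} from {ip}: unauthenticated RMD of {INDICATOR!r}")
```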