Snort mailing list archives

RE: Anomalous packet logged by Snort

From: Safka <safka () triad rr com>
Date: 07 Apr 2002 20:44:11 -0400

The sting Dgpuser () home com is a signature of the Grim's Ping public ftp
scanning tool. This tool prepends the string "gpuser" with a random
upper case letter. It then checks for the existence of directories and
which of those might allow writing as shown by the attempt to MKD in the
log provided. The tool is configurable and also acts as a port and proxy
scanner. http://grimsping.cjb.net/

Here's a tcpshow dump of the packet:

Packet 110
TIME:   06:35:00.865192
  IP:   62.254.50.140 -> xxx.xxx.xxx.xxx hlen=20 TOS=10 dgramlen=159

id=0000

        MF/DF=0/0 frag=0 TTL=240 proto=TCP cksum=0000
 TCP:   port 2929 -> 21 seq=2905996287 ack=1728071789
        hlen=20 (data=119) UAPRSF=011000 wnd=5840 cksum=0000 urg=0
DATA:   QUIT.
        xxx-xxxxxxPASS Dgpuser () home com.
        CWD /pub/.
        MKD 020407143116p.
        CWD /public/.
        CWD /pub/incoming/.
        CWD /incoming/.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Anomalous packet logged by Snort Bill McCarty (Apr 07)
- Re: Anomalous packet logged by Snort Chris Green (Apr 08)
- Re: Anomalous packet logged by Snort Dan Hawrylkiw (Apr 14)
  - Re: Anomalous packet logged by Snort Bill McCarty (Apr 07)
    - Re: Anomalous packet logged by Snort Chris Green (Apr 08)
- <Possible follow-ups>
- RE: Anomalous packet logged by Snort Hawrylkiw, Dan G (Apr 08)
  - Re: Anomalous packet logged by Snort Chris Green (Apr 08)
- RE: Anomalous packet logged by Snort Safka (Apr 14)