Snort mailing list archives
RE: Anomalous packet logged by Snort
From: Safka <safka () triad rr com>
Date: 07 Apr 2002 20:44:11 -0400
The string Dgpuser () home com is a signature of the Grim's Ping public ftp scanning tool. This tool prepends the string "gpuser" with a random upper case letter. It then checks for the existence of directories and which of those might allow writing as shown by the attempt to MKD in the log provided. The tool is configurable and also acts as a port and proxy scanner. http://grimsping.cjb.net/
Here's a tcpshow dump of the packet:

Packet 110
TIME: 06:35:00.865192
IP: 62.254.50.140 -> xxx.xxx.xxx.xxx hlen=20 TOS=10 dgramlen=159 id=0000
    MF/DF=0/0 frag=0 TTL=240 proto=TCP cksum=0000
TCP: port 2929 -> 21 seq=2905996287 ack=1728071789
    hlen=20 (data=119) UAPRSF=011000 wnd=5840 cksum=0000 urg=0
DATA: QUIT.
      xxx-xxxxxxPASS Dgpuser () home com.
      CWD /pub/.
      MKD 020407143116p.
      CWD /public/.
      CWD /pub/incoming/.
      CWD /incoming/.
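The check described in the message above, as an added detection example that is not part of the original post or of Snort: it splits an FTP control-channel payload into commands and flags the "random upper-case letter + gpuser" password together with the CWD/MKD probing. The function names, verdict labels and sample payloads are constructed for illustration, and the wire form `Dgpuser@home.com` is an assumption, since the archive obfuscates the address it displays.

```python
import re

# Password form described in the post: one random upper-case letter + "gpuser".
# Assumption: on the wire the address reads "Dgpuser@home.com"; the archive
# obfuscates "@" and "." in what it displays. The tool is configurable, so
# only the local part is matched, not the domain.
GP_PASS = re.compile(r"^[A-Z]gpuser@", re.ASCII)
WRITE_VERBS = {"MKD", "XMKD", "STOR", "STOU", "APPE"}


def parse_commands(payload: bytes):
    """Split an FTP control-channel payload into (VERB, argument) pairs."""
    cmds = []
    for raw in payload.split(b"\n"):
        line = raw.strip().decode("latin-1")
        if not line:
            continue
        verb, _, arg = line.partition(" ")
        cmds.append((verb.upper(), arg.strip()))
    return cmds


def classify(payload: bytes):
    """Return the scanner indicators found in one payload, plus a verdict."""
    cmds = parse_commands(payload)
    passwords = [a for v, a in cmds if v == "PASS"]
    result = {
        "gp_password": next((p for p in passwords if GP_PASS.match(p)), None),
        "dirs_probed": [a for v, a in cmds if v == "CWD"],
        "write_attempts": [(v, a) for v, a in cmds if v in WRITE_VERBS],
        "pipelined": len(cmds) > 1,  # several commands in a single segment
    }
    if result["gp_password"]:
        result["verdict"] = "grims-ping-signature"
    elif result["write_attempts"] and len(result["dirs_probed"]) >= 2:
        result["verdict"] = "generic-write-probe"  # same behaviour, other password
    else:
        result["verdict"] = "none"
    return result


# Constructed sample modelled on the packet in the post (not a real capture).
SCAN = (b"PASS Dgpuser@home.com\r\nCWD /pub/\r\nMKD 020407143116p\r\n"
        b"CWD /public/\r\nCWD /pub/incoming/\r\nCWD /incoming/\r\n")
# Constructed benign fragment for comparison.
BENIGN = b"PASS guest@example.org\r\nCWD /pub/\r\n"

if __name__ == "__main__":
    for name, data in (("scan", SCAN), ("benign", BENIGN)):
        print(name, classify(data))
```

The second verdict covers a scanner whose password has been reconfigured, where the directory walk plus a write attempt is the only remaining indicator.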