Snort mailing list archives

Re: Anomalous packet logged by Snort

From: Dan Hawrylkiw <idontcheckthisaccount () panira net>
Date: Sun, 07 Apr 2002 12:16:39 -0700


The packets were logged correctly. This is the signature of Grim's Ping, a scanning tool that looks for FTP servers with directories that anonymous users can write to (in other words, new warez sites). The tool logs in as anonymous and authenticates with Xgpuser () home com (where X is any uppercase letter). It tries to find and write to commonly used FTP directories and reports successes to the attacker.

The author claims its purpose is for "spreading wealth":
___
>>This program was released in hopes that the general public would get hooked on scanning public sites and would help "spread the wealth."
___

The tool's homepage is http://grimsping.cjb.net/

/Dan Hawrylkiw
CISSP, GCIA, RHCE
Phoenix Area Network Intrusion Research Alliance
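An added example, not from either poster: a small Python check that recognises the Grim's Ping command sequence Dan describes in a captured FTP control-channel payload (the PASS Xgpuser@home.com login with X any uppercase letter, followed by CWD/MKD attempts against common directories). The sample payload is constructed from the tcpshow dump quoted below; restoring the archive's " () " to "@" and reading the MKD name as a timestamp are assumptions, not facts stated in the thread.

```python
import re

# Grim's Ping logs in as anonymous with a password of the form Xgpuser@home.com,
# X being any uppercase letter (Dan's description above).
GRIMS_PING_PASS = re.compile(r"^PASS\s+[A-Z]gpuser@home\.com$")
# Directories the tool tried in the dump quoted below.
PROBED_DIRS = {"/pub/", "/public/", "/pub/incoming/", "/incoming/"}

def split_ftp_commands(payload: bytes) -> list:
    """Split a raw FTP control-channel payload into command lines (CRLF or LF)."""
    text = payload.decode("ascii", errors="replace")
    return [line.strip() for line in re.split(r"\r?\n", text) if line.strip()]

def classify_ftp_payload(payload: bytes) -> dict:
    """Return the Grim's Ping indicators found in one FTP command payload."""
    result = {"grims_ping_pass": False, "leading_junk": None,
              "mkd_name": None, "probed_dirs": []}
    for cmd in split_ftp_commands(payload):
        # The PASS line in the dump is preceded by junk (the obfuscated host name);
        # find the verb anywhere in the line and keep the junk for the analyst.
        m = re.search(r"PASS\s+\S+", cmd)
        if m:
            if m.start() > 0:
                result["leading_junk"] = cmd[:m.start()]
            if GRIMS_PING_PASS.match(m.group(0)):
                result["grims_ping_pass"] = True
        elif cmd.startswith("MKD "):
            name = cmd[4:]
            # The dump's MKD argument is 12 digits plus a letter; treating it as a
            # YYMMDDhhmmss stamp is an assumption, not something the thread states.
            if re.fullmatch(r"\d{12}[a-z]?", name):
                result["mkd_name"] = name
        elif cmd.startswith("CWD ") and cmd[4:] in PROBED_DIRS:
            result["probed_dirs"].append(cmd[4:])
    # Flag only when the password pattern and at least one directory probe co-occur.
    result["match"] = result["grims_ping_pass"] and bool(result["probed_dirs"])
    return result

# Constructed sample: the payload from the tcpshow dump below, with '.' line ends
# restored to CRLF and the archive's " () " restored to "@" (an assumption).
SAMPLE_PAYLOAD = (
    b"QUIT\r\n"
    b"xxx-xxxxxxPASS Dgpuser@home.com\r\n"
    b"CWD /pub/\r\n"
    b"MKD 020407143116p\r\n"
    b"CWD /public/\r\n"
    b"CWD /pub/incoming/\r\n"
    b"CWD /incoming/\r\n"
)
```

Running classify_ftp_payload(SAMPLE_PAYLOAD) reports match True and returns the obfuscated host string in leading_junk, which is the part of the packet the original poster was concerned about.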

_____________________________________________________________
Bill McCarty wrote:

Today, I noticed an FTP attack among my Snort alerts. I see such attacks every day or two and follow them up diligently. The only hosts on my network that run FTP are honeypots, so such attacks are never false positives. When I investigated, I found one rather odd packet.

Here's a tcpshow dump of the packet:

Packet 110
TIME:   06:35:00.865192
IP: 62.254.50.140 -> xxx.xxx.xxx.xxx hlen=20 TOS=10 dgramlen=159 id=0000
        MF/DF=0/0 frag=0 TTL=240 proto=TCP cksum=0000
 TCP:   port 2929 -> 21 seq=2905996287 ack=1728071789
        hlen=20 (data=119) UAPRSF=011000 wnd=5840 cksum=0000 urg=0
DATA:   QUIT.
        xxx-xxxxxxPASS Dgpuser () home com.
        CWD /pub/.
        MKD 020407143116p.
        CWD /public/.
        CWD /pub/incoming/.
        CWD /incoming/.


The packet has several unusual features. Prominent among them is the presence of the string xxx-xxxxxx, which I've obfuscated. The actual value of the string is the name of a sensitive host within my internal network. Since no externally visible DNS server knows the name of this host, the presence of this string concerns me.

But, I begin to suspect that the packet has not been correctly logged. For one thing, as I recall, the QUIT command should mark the end of an FTP session. And, I don't recall that the syntax of the FTP PASS command allows a host name in front of the PASS keyword. Also, I notice that the packet ID and checksum are both 0.

Q: Has anyone experienced badly logged packets? Or, is it more likely that the packet was correctly logged, despite possible evidence to the contrary?

Thanks!

---------------------------------------------------
Bill McCarty

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
