RE: [fw-wiz] [OT?] Anybody Recognize These Uploads?

From: Bill Royds (broyds@rogers.com)
Date: 12/24/02


From: "Bill Royds" <broyds@rogers.com>
To: <firewall-wizards@honor.icsalabs.com>
Date: Tue Dec 24 16:25:18 2002

Warez people are generating them to test for availability of open FTP sites. They randomly generate a file of a standard size, then test whether they can retrieve it so that they know the site can be used as a repository for stolen software.
Your site is letting them create it, even though you don't let them retrieve it. Since these are automated scans, you will be getting these regularly.
  It is much better to force every user who wants to send data to have use a standard account and password rather than an anonymous account. You can make the account and password publicly known (still restricting read after write) and you will then prevent the automated searches from finding your site.

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com]On Behalf Of Jim
Seymour
Sent: Tue December 24 2002 09:06
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] [OT?] Anybody Recognize These Uploads?

Hi All,

Maybe kind of off-topic, maybe not.

My FTP server at home allows sand-boxed FTP uploads [1]. Occasionally
I see things in there with all-numeric filenames. They seem to be some
kind of unidentified [2] data. They're all the same size. Here's
what's there currently:

$ ls -l [0-9]*
-rw-rw-r-- 1 ftp ftp 104154 Dec 20 18:21 389.204
-rw-rw-r-- 1 ftp ftp 104154 Dec 21 09:27 449.833
-rw-rw-r-- 1 ftp ftp 104154 Dec 24 08:15 57.605
-rw-rw-r-- 1 ftp ftp 104154 Nov 29 13:30 689.279
-rw-rw-r-- 1 ftp ftp 104154 Dec 23 12:31 881.787

With one exception, these all came from dip.t-dialin.net space. The
other came from gte.net space. All users anon logged in as
"ano@ano.com."

I long ago disallowed FTP access by wanadoo.fr users due to wide-spread
FTP abuse from that space and poor abuse handling by wanadoo.fr. I'm
wondering if this isn't the same kind of thing?

[1] FTP "incoming" directory is write-only. Users can't even get a
    directory listing and file over-writes are prohibited.
[2] Unidentified by "file mumble"

Thanks,
Jim

-- 
Jim Seymour                  | PGP Public Key available at:
jseymour@LinxNet.com         | http://www.uk.pgp.net/pgpnet/pks-commands.html
http://jimsun.LinxNet.com    |
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards