RE: [fw-wiz] [OT?] Anybody Recognize These Uploads?

From: Bill Royds (
Date: 12/24/02

From: "Bill Royds" <>
To: <>
Date: Tue Dec 24 16:25:18 2002

Warez people are generating them to test for availability of open FTP sites. They randomly generate a file of a standard size, then test whether they can retrieve it so that they know the site can be used as a repository for stolen software.
Your site is letting them create it, even though you don't let them retrieve it. Since these are automated scans, you will be getting these regularly.
  It is much better to force every user who wants to send data to have use a standard account and password rather than an anonymous account. You can make the account and password publicly known (still restricting read after write) and you will then prevent the automated searches from finding your site.

-----Original Message-----
[]On Behalf Of Jim
Sent: Tue December 24 2002 09:06
Subject: [fw-wiz] [OT?] Anybody Recognize These Uploads?

Hi All,

Maybe kind of off-topic, maybe not.

My FTP server at home allows sand-boxed FTP uploads [1]. Occasionally
I see things in there with all-numeric filenames. They seem to be some
kind of unidentified [2] data. They're all the same size. Here's
what's there currently:

$ ls -l [0-9]*
-rw-rw-r-- 1 ftp ftp 104154 Dec 20 18:21 389.204
-rw-rw-r-- 1 ftp ftp 104154 Dec 21 09:27 449.833
-rw-rw-r-- 1 ftp ftp 104154 Dec 24 08:15 57.605
-rw-rw-r-- 1 ftp ftp 104154 Nov 29 13:30 689.279
-rw-rw-r-- 1 ftp ftp 104154 Dec 23 12:31 881.787

With one exception, these all came from space. The
other came from space. All users anon logged in as

I long ago disallowed FTP access by users due to wide-spread
FTP abuse from that space and poor abuse handling by I'm
wondering if this isn't the same kind of thing?

[1] FTP "incoming" directory is write-only. Users can't even get a
    directory listing and file over-writes are prohibited.
[2] Unidentified by "file mumble"


Jim Seymour                  | PGP Public Key available at:         |    |
firewall-wizards mailing list

Relevant Pages

  • Re: Unable to abort a FTP command?
    ... I write the following script to retrieve a part of a large file ... def login: ... print 'ftp handle closed' ... elif not chunk: ...
  • FTP with Java
    ... However I had problems knowing which place to put my class or jar file ... - I can't retrieve anything else than a SAVF. ... The object of this class is to start a connection to a FTP ... we provide the delete boolean (6th argument - true if not ...
  • Re: retrieve files from VxWorks
    ... I need to login using ftp to the target to ... retrieve one file. ... I added the int myAuthenticateCallback (Ipftps_session * session, ...
  • Java compilation
    ... In order to execute my class, ... The object of this class is to start a connection to a FTP ... go to the specified directory and retrieve the ... we provide the delete boolean (6th argument - true if not ...
  • Re: Using a Callback Function - ftplib
    ... attempting to connect to an FTP server, retrieve a list of files, and ... The result is even captured in an array. ... have no idea what the difference between a LIST and NLST is within ... FTP. ...