Re: [Full-Disclosure] ftp worm ?

From: Robert Perriero (perrieror1_at_mail.montclair.edu)
Date: 01/15/04

    To: Mike Tancsa <mike@sentex.net>
    Date: Thu, 15 Jan 2004 12:18:38 -0500
    
    

    I would be willing to bet that this is a modified "pub scanner". Similar
    to the apache exploit posted, it appears as if it attempts to connect to
    machines using known user accounts and passwords. It probably isn't a
    worm, but rather someone behind a keyboard attempting to find a place to
    store warez.
    -Bob

    Mike Tancsa wrote:

    >
    > I have been noticing a flood of ftp attempts to various servers on our
    > network recently. It's typically from some dialup / dynamic IP and it
    > tries to ftp in to one of my machines as fast as it can with as many
    > connections as possible using a fixed range of usernames
    >
    > e.g. in a 2hr period,
    >
    > grep "FTP LOGIN FAILED" /var/log/authentic | awk '{print $11}' | sort | uniq -c | sort -nr
    > 293 manager
    > 290 public
    > 289 private
    > 286 default
    > 262 security
    > 237 1234qwer
    > 218 123qwe
    > 214 user
    > 213 super
    > 209 123456
    > 197 000000
    > 192 Internet
    > 156 abcd
    > 143 abc123
    > 115 abc
    > 106 1234567
    > 104 123abc
    > 102 88888888
    > 95 password
    > 93 asdfgh
    > 88 computer
    > 84 5201314
    > 83 00000000
    > 79 !@#$%^&*()
    > 77 654321
    > 76 888888
    > 73 123asd
    > 71 11111
    > 71 !@#$%^&*
    > 68 passwd
    > 64 !@#$%^&*(
    > 61 111111
    > 58 asdf
    > 57 sql
    > 57 database
    > 51 111
    > 49 !@#$%
    > 45 pass
    > 45 !@#$
    > 43 54321
    > 42 server
    > 42 !@#$%^
    > 35 sybase
    > 34 oracle
    > 34 12345678
    > 34 1
    > 31 secret
    > 27 test
    > 27 11111111
    > 18 admin
    > 15 anyone
    > 10 !@#$%^&
    >
    >
    > This looks a lot like http://www.f-secure.com/v-descs/muma.shtml but I
    > have not been able to find a description/variant that uses ftp. Is
    > this a new version of muma? Or just some worm / virus that uses the
    > same list of users.
    > --------------------------------------------------------------------
    > Mike Tancsa, tel +1 519 651 3400
    > Sentex Communications, mike@sentex.net
    > Providing Internet since 1994 www.sentex.net
    > Cambridge, Ontario Canada www.sentex.net/mike
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
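The grep/awk/sort/uniq pipeline quoted above only counts usernames; it cannot tell a guessing run through a fixed username list apart from one legitimate user mistyping a password a few times. The following script is an added example, not code from either poster: it parses constructed syslog lines in the assumed BSD-style "FTP LOGIN FAILED FROM <host>, <user>" shape (in which the username is the 11th whitespace-separated field, matching the `awk '{print $11}'` in the post), reproduces the username tally, and then flags sources that cycle through several distinct usernames within a short window. The sample IPs, hostnames, timestamps and thresholds are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Format is an assumption modelled on a BSD ftpd
# syslog notice; the addresses and times are made up for the example.
SAMPLE_LOG = """\
Jan 15 10:00:01 gw ftpd[1201]: FTP LOGIN FAILED FROM 192.0.2.77, manager
Jan 15 10:00:01 gw ftpd[1202]: FTP LOGIN FAILED FROM 192.0.2.77, public
Jan 15 10:00:02 gw ftpd[1203]: FTP LOGIN FAILED FROM 192.0.2.77, private
Jan 15 10:00:02 gw ftpd[1204]: FTP LOGIN FAILED FROM 192.0.2.77, default
Jan 15 10:00:03 gw ftpd[1205]: FTP LOGIN FAILED FROM 192.0.2.77, manager
Jan 15 10:00:03 gw ftpd[1206]: FTP LOGIN FAILED FROM 192.0.2.77, security
Jan 15 10:05:40 gw ftpd[1250]: FTP LOGIN FAILED FROM 198.51.100.9, alice
Jan 15 10:05:52 gw ftpd[1251]: FTP LOGIN FAILED FROM 198.51.100.9, alice
Jan 15 10:06:10 gw ftpd[1252]: FTP LOGIN FROM 198.51.100.9 as alice
Jan 15 11:30:00 gw ftpd[1300]: FTP LOGIN FAILED FROM 192.0.2.77, oracle
"""

# Only failed-login notices match; successful logins and other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ ftpd\[\d+\]: "
    r"FTP LOGIN FAILED FROM (?P<src>[^,]+), (?P<user>\S+)$"
)


def parse_failures(text, year=2004):
    """Return a list of (timestamp, source, username) for each failed login.

    Syslog lines carry no year, so one is supplied by the caller."""
    failures = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["src"], m["user"]))
    return failures


def top_usernames(failures, n=5):
    """The same view the grep | awk | sort | uniq -c | sort -nr pipeline gives:
    usernames ordered by number of failed attempts."""
    return Counter(user for _, _, user in failures).most_common(n)


def flag_sources(failures, window=timedelta(minutes=10), min_attempts=5, min_users=3):
    """Flag sources with >= min_attempts failures spread over >= min_users
    distinct usernames inside any `window`-long span.

    A single account failing repeatedly never trips this (one username);
    a run through a fixed username list does. Thresholds are illustrative."""
    by_src = defaultdict(list)
    for ts, src, user in failures:
        by_src[src].append((ts, user))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        # Slide a window starting at each event; stop at the first hit.
        for i, (start, _) in enumerate(events):
            in_window = [u for t, u in events[i:] if t - start <= window]
            distinct = len(set(in_window))
            if len(in_window) >= min_attempts and distinct >= min_users:
                flagged[src] = (len(in_window), distinct)
                break
    return flagged


if __name__ == "__main__":
    f = parse_failures(SAMPLE_LOG)
    for count, user in ((c, u) for u, c in top_usernames(f)):
        print(f"{count:>4} {user}")
    for src, (attempts, users) in flag_sources(f).items():
        print(f"{src}: {attempts} failures across {users} usernames in window")
```

On the constructed sample the username tally alone looks unremarkable (every name but `manager` appears once), while the per-source view singles out `192.0.2.77`, which tried five different usernames within a few seconds, and leaves `198.51.100.9` alone because its two failures were for the same account and were followed by a successful login. Feeding real `/var/log/auth*` output into `parse_failures` is a matter of matching `LINE_RE` to the ftpd's actual message format.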

