Re: FTP scans from wanadoo.fr
From: dr john halewood (john@frumious.unidec.co.uk)
Date: 12/18/01
From: dr john halewood <john@frumious.unidec.co.uk>
To: <aaron@aaronwolfe.com>, <incidents@securityfocus.com>
Date: Tue, 18 Dec 2001 10:49:51 +0000
There's a distinct pattern to these scans from wanadoo. Looking through some
logs (I allow anonymous login but with read-only access on one box), I've
noticed the following:
the anonymous login password: frequently [A-Z]gpuser@home.com
an attempt to cd to some directories: /ftproot, /wwwroot, /_vti_bin,
/_vti_cnf, /cgi-bin, amongst others: the pattern varies, but all requests
take place within a second, so it's definitely scripted. This is followed by
an attempt to create a number of directories with a name such as
011203022432p, where the first 6 digits are YYMMDD.
Anyone recognise the tool?
Cheers
john
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
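
A sketch of how the three indicators described in the message (the anonymous password pattern, the burst of directory changes within a second, and the date-prefixed directory creation) could be matched in FTP command logs. This is an added example, not part of the original post; the log layout, function names, thresholds and the directory-name regex are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample; the "date time src_ip COMMAND argument" layout is an assumption.
SAMPLE_LOG = """\
2001-12-03 02:24:31 192.0.2.10 USER anonymous
2001-12-03 02:24:31 192.0.2.10 PASS Xgpuser@home.com
2001-12-03 02:24:32 192.0.2.10 CWD /ftproot
2001-12-03 02:24:32 192.0.2.10 CWD /wwwroot
2001-12-03 02:24:32 192.0.2.10 CWD /_vti_bin
2001-12-03 02:24:32 192.0.2.10 MKD 011203022432p
2001-12-03 09:17:11 198.51.100.7 CWD /cgi-bin
"""

PASS_RE = re.compile(r"^[A-Z]gpuser@home\.com$")       # password pattern from the post
PROBE_DIRS = {"/ftproot", "/wwwroot", "/_vti_bin", "/_vti_cnf", "/cgi-bin"}
MKD_RE = re.compile(r"^(\d\d)(\d\d)(\d\d)\d*[a-z]?$")  # assumed shape, from one example

def dated_dirname(name):
    """True if the last path component starts with six digits forming a valid YYMMDD."""
    m = MKD_RE.match(name.rstrip("/").rsplit("/", 1)[-1])
    if not m:
        return False
    yy, mm, dd = map(int, m.groups())
    try:
        return bool(datetime(2000 + yy, mm, dd))  # assumes a 20xx year
    except ValueError:
        return False

def find_scanners(log_text, min_probes=3, window=timedelta(seconds=1)):
    """Map source IP -> indicators seen; min_probes CWDs inside window count as a burst."""
    hits, probes = defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5:
            continue  # skip lines that do not fit the assumed layout
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        ip, cmd, arg = parts[2], parts[3].upper(), parts[4].strip()
        if cmd == "PASS" and PASS_RE.match(arg):
            hits[ip].add("password")
        elif cmd == "MKD" and dated_dirname(arg):
            hits[ip].add("dated-mkdir")
        elif cmd == "CWD" and arg.rstrip("/") in PROBE_DIRS:
            probes[ip].append(ts)
    for ip, times in probes.items():
        times.sort()
        if any(b - a <= window for a, b in zip(times, times[min_probes - 1:])):
            hits[ip].add("burst-cwd")
    return {ip: sorted(tags) for ip, tags in hits.items()}
```

Calling `find_scanners(SAMPLE_LOG)` reports all three indicators for the first constructed address and nothing for the second, whose single `/cgi-bin` request does not amount to a burst.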