RE: FTP scans from wanadoo.fr

From: Barber, Chris (cbarber@criticalIP.com)
Date: 12/18/01


From: "Barber, Chris" <cbarber@criticalIP.com>
To: incidents@securityfocus.com
Date: Tue, 18 Dec 2001 13:24:52 -0500

I have just looked at the few samples that have appeared here but it also
looks as if the last 6 digits (excluding the "p") may also be a time HHMMSS
and the "p" might indicate PM.

Chris.

-----Original Message-----
From: dr john halewood [mailto:john@frumious.unidec.co.uk]
Sent: Tuesday, December 18, 2001 5:50 AM
To: aaron@aaronwolfe.com; incidents@securityfocus.com
Subject: Re: FTP scans from wanadoo.fr

There's a distinct pattern to these scans from wanadoo. Looking through some
logs (I allow anonymous login but with read-only access on one box), I've
noticed the following:
the anonymous login password: frequently [A-Z]gpuser@home.com
an attempt to cd to some directories: /ftproot, /wwwroot, /_vti_bin,
/_vti_cnf, /cgi-bin, amongst others: the pattern varies, but all requests
take place within a second, so it's definitely scripted. This is followed by
an attempt to create a number of directories with a name such as
011203022432p, where the first 6 digits are YYMMDD.

Anyone recognise the tool?

Cheers
john

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
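
The indicators described in this thread can be checked against FTP logs. The Python below is an added example, not part of the original messages; the log layout, the three-probe threshold and the function names are assumptions. The directory-name decode follows the YYMMDD and HHMMSS readings proposed above, which the thread does not confirm.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log; the "<ISO time> <session> <command> <argument>"
# layout is an assumption, not the format of any particular FTP server.
SAMPLE_LOG = """\
2001-12-03T14:24:31 s1 PASS Xgpuser@home.com
2001-12-03T14:24:31 s1 CWD /ftproot
2001-12-03T14:24:31 s1 CWD /_vti_bin
2001-12-03T14:24:32 s1 CWD /cgi-bin
2001-12-03T14:24:32 s1 MKD 011203022432p
2001-12-03T15:02:10 s2 PASS alice@example.org
2001-12-03T15:02:25 s2 CWD /pub
2001-12-03T15:03:40 s2 MKD 011340022432p
"""

PASSWORD_RE = re.compile(r"^[A-Z]gpuser@home\.com$")   # password pattern from the thread
DIRNAME_RE = re.compile(r"^(\d{12})p$")                # 12 digits plus trailing "p"
PROBED_DIRS = {"/ftproot", "/wwwroot", "/_vti_bin", "/_vti_cnf", "/cgi-bin"}

def decode_dirname(name):
    """Read the 12 digits as YYMMDDHHMMSS; None if the name does not fit."""
    m = DIRNAME_RE.match(name)
    try:
        return datetime.strptime(m.group(1), "%y%m%d%H%M%S") if m else None
    except ValueError:          # 12 digits that are not a valid date/time
        return None

def score_sessions(log_text):
    """Map each session id to the set of thread indicators it shows."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        p = line.split(None, 3)
        if len(p) == 4:
            sessions[p[1]].append((datetime.fromisoformat(p[0]), p[2].upper(), p[3]))
    report = {}
    for sid, events in sessions.items():
        hits = set()
        if any(c == "PASS" and PASSWORD_RE.match(a) for _, c, a in events):
            hits.add("password")
        # Assumed threshold: three or more probed directories within one second.
        probes = [t for t, c, a in events if c == "CWD" and a in PROBED_DIRS]
        if len(probes) >= 3 and (max(probes) - min(probes)).total_seconds() <= 1:
            hits.add("cwd_burst")
        if any(c == "MKD" and decode_dirname(a.rsplit("/", 1)[-1]) for _, c, a in events):
            hits.add("timestamp_mkd")
        report[sid] = hits
    return report
```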



