Re: FTP scans from wanadoo.fr - More info
From: Replugge [Rod] (replugge@alcoholico.org)
Date: 12/18/01
From: "Replugge [Rod]" <replugge@alcoholico.org>
To: incidents@securityfocus.com
Date: 18 Dec 2001 19:58:28 +0100
UFFF .. it seems like these people are looking for IIS vulnerabilities all
over the internet.. this looks like some mass defacement tools. I
remember a group called poizonb0x used some of those. At least now we
know what they were looking for...
I found some interesting stuff looking around.
"USER ftp" 331 -
"PASS mozilla@" 230 -
"SITE EXEC %020d|%.f%.f|" 500 -
Q: Have there been discovered any vulnerabilities affecting Microsoft's
FTP Services? (If not we probably got a new one).
That looks like some FTP vulnerability on IIS ... I downloaded some
statistics made by other users:
Top 5:
1: t-dialin.net (302 attempts, 30 hosts)
2: unresolved (280 attempts)
3: wanadoo.fr (40 attempts, from 10 hosts)
4: aol.com (30 attempts, from 3 hosts)
5: telia.com (20 attempts from 1 host)
I believe this could be a mass defacement tool or perhaps we could be
talking about a worm that infects IIS boxes (I don't think so)... lots
of people have been getting these scans since the beginning of
October.
On Tue, 2001-12-18 at 11:49, dr john halewood wrote:
> There's a distinct pattern to these scans from wanadoo. Looking through some
> logs (I allow anonymous login but with read-only access on one box). I've
> noticed the following:
> the anonymous login password: frequently [A-Z]gpuser@home.com
> an attempt to cd to some directories: /ftproot, /wwwroot, /_vti_bin,
> /_vti_cnf, /cgi-bin, amongst others: the pattern varies, but all requests
> take place within a second, so it's definitely scripted. This is followed by
> an attempt to create a number of directories with a name such as
> 011203022432p, where the first 6 digits are YYMMDD.
>
> Anyone recognise the tool?
>
> Cheers
> john
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
---- /* Rodrigo Gutierrez <rodrigo@trustix.com> Trustix AS - http://www.trustix.com */
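
The indicators reported in this message and in the quoted post (the `[A-Z]gpuser@home.com` anonymous password, same-second `cd` probes, dated directory names, and the `SITE EXEC` format string) can be checked against FTP logs as below. This is an added example, not part of the original thread; the log layout, function names, indicator labels and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed layout (constructed): <epoch-seconds> <client-ip> "<FTP command>" <reply-code>
LINE = re.compile(r'^(\d+) (\S+) "(\w+) ?(.*)" (\d{3})$')
PROBED_DIRS = {"/ftproot", "/wwwroot", "/_vti_bin", "/_vti_cnf", "/cgi-bin"}
SCAN_PASS = re.compile(r"^[A-Z]gpuser@home\.com$")
TAG_DIR = re.compile(r"^(\d{2})(\d{2})(\d{2})\d{6}[a-z]$")  # e.g. 011203022432p

def is_dated_tag(name):
    """True if the last path component is a tag whose first 6 digits are a valid YYMMDD."""
    m = TAG_DIR.match(name.rstrip("/").rsplit("/", 1)[-1])
    if not m:
        return False
    yy, mm, dd = map(int, m.groups())
    try:  # assumption: two-digit years are 20xx
        return bool(datetime(2000 + yy, mm, dd))
    except ValueError:
        return False

def flag_clients(lines):
    """Return {client_ip: sorted indicator names} for clients matching the pattern."""
    hits, cwd_seen = defaultdict(set), defaultdict(set)  # cwd_seen: (ip, second) -> dirs
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed layout
        ts, ip, cmd, arg = m.group(1), m.group(2), m.group(3).upper(), m.group(4)
        if cmd == "PASS" and SCAN_PASS.match(arg):
            hits[ip].add("scan-password")
        elif cmd == "SITE" and arg.upper().startswith("EXEC") and "%" in arg:
            hits[ip].add("site-exec-format-string")
        elif cmd == "MKD" and is_dated_tag(arg):
            hits[ip].add("dated-mkdir")
        elif cmd == "CWD" and arg.rstrip("/").lower() in PROBED_DIRS:
            cwd_seen[ip, ts].add(arg.rstrip("/").lower())
            if len(cwd_seen[ip, ts]) >= 3:  # several probes within the same second
                hits[ip].add("scripted-cwd-burst")
    return {ip: sorted(found) for ip, found in hits.items()}

SAMPLE = [  # constructed log lines; addresses are documentation ranges
    '1008672000 192.0.2.10 "PASS Kgpuser@home.com" 230',
    '1008672001 192.0.2.10 "CWD /ftproot" 550',
    '1008672001 192.0.2.10 "CWD /_vti_bin" 550',
    '1008672001 192.0.2.10 "CWD /cgi-bin" 550',
    '1008672002 192.0.2.10 "MKD 011203022432p" 550',
    '1008672101 198.51.100.7 "SITE EXEC %020d|%.f%.f|" 500',
]
```
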