Re: FTP scans from wanadoo.fr - More info

From: Pieter-Bas IJdens (pbijdens@emea.mi4.org.uk)
Date: 12/19/01


From: "Pieter-Bas IJdens" <pbijdens@emea.mi4.org.uk>
To: <incidents@securityfocus.com>
Date: Wed, 19 Dec 2001 12:15:59 +0100


> "USER ftp" 331 -
> "PASS mozilla@" 230 -
> "SITE EXEC %020d|%.f%.f|" 500 -
>
> Q: Have any vulnerabilities been discovered affecting Microsoft's
> FTP Services? (If not, we probably got a new one.)
>
> That looks like some FTP vulnerability on IIS ... I downloaded some
> statistics made by other users:
>
> Top 5:
> 1: t-dialin.net (302 attempts, 30 hosts)
<<SNAP>>
>
> I believe this could be a mass defacement tool or perhaps we could be
> talking about a worm that infects IIS boxes (I don't think so)... lots
> of people have been getting these scans since the beginning of
> October.

Yes. I remember posting these log entries and the top 5 to the dshield.org
mailing list on October 19th. Since then a lot has changed. A new version of
Grim's Ping has become available, and I also recently saw the exact same
patterns of these Grim's Ping scans in my logs, but simultaneously from 10
different IPs (spoofed?).

The mass defacement tool or worm you are talking about AFAIK does not exist.
These scans are performed by people looking for weakly configured FTP
servers they can put their warez on. They don't particularly care about the
present content of the site and are careful not to disturb it because they
don't want to attract attention. They prefer FTP servers on Microsoft
systems because they tend to be badly configured and it's easy to hide their
stuff on them (http://www.xs4all.nl/~liew/startdivx/endofdeleters.txt). From
the FTP command logs I notice that usually all that is done is log in.
Other commands are rarely attempted, so I assume they just log the system
type and possible public access.

See http://pieter-bas.ijdens.com/logs/ftpconnects.txt for a full listing of
scanning IPs since the beginning of September, and
http://pieter-bas.ijdens.com/logs/ftp_full.txt.gz if you are interested in
seeing what commands these people try on the scanned sites.

New stats (last ones were Oct 19 2001): t-dialin.net at 687 attempts,
wanadoo.fr at 164 attempts.

  Pieter-Bas

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
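Added example, not part of the original post or of the thread: a small Python script that applies the scan pattern described above (anonymous USER/PASS followed by the "SITE EXEC %020d|%.f%.f|" probe, and nothing else) to constructed FTP command-log lines, then aggregates the probing hosts per domain in the shape of the quoted Top 5 list. Assumptions of mine: the quoted ("command" status -) part of each line follows the post, but the leading timestamp and client address are an assumed layout; the address-to-hostname table is made up to stand in for reverse DNS so the example runs offline; and the domain grouping takes the last two DNS labels, which fits t-dialin.net and wanadoo.fr but not suffixes like co.uk.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of an FTP command log. The quoted command and reply code
# mirror the log lines in the post; the timestamp and client address columns
# are an assumed layout, and the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2001-12-19 12:01:03 192.0.2.10 "USER ftp" 331 -
2001-12-19 12:01:03 192.0.2.10 "PASS mozilla@" 230 -
2001-12-19 12:01:04 192.0.2.10 "SITE EXEC %020d|%.f%.f|" 500 -
2001-12-19 12:05:40 198.51.100.7 "USER anonymous" 331 -
2001-12-19 12:05:40 198.51.100.7 "PASS guest@" 230 -
2001-12-19 12:05:41 198.51.100.7 "SITE EXEC %020d|%.f%.f|" 500 -
2001-12-19 12:30:11 203.0.113.5 "USER ftp" 331 -
2001-12-19 12:30:12 203.0.113.5 "PASS mozilla@" 230 -
2001-12-19 12:30:15 203.0.113.5 "PWD" 257 -
2001-12-19 12:30:20 203.0.113.5 "QUIT" 221 -
2001-12-19 12:44:00 192.0.2.11 "USER ftp" 331 -
2001-12-19 12:44:00 192.0.2.11 "PASS mozilla@" 530 -
2001-12-19 12:44:01 192.0.2.11 "SITE EXEC %020d|%.f%.f|" 530 -
2001-12-19 13:10:02 192.0.2.10 "USER ftp" 331 -
2001-12-19 13:10:02 192.0.2.10 "PASS mozilla@" 230 -
2001-12-19 13:10:03 192.0.2.10 "SITE EXEC %020d|%.f%.f|" 500 -
"""

# Constructed address-to-hostname table standing in for reverse DNS, so the
# example runs offline. These are not real resolutions.
HOSTNAMES = {
    "192.0.2.10": "pD9E1.dip.t-dialin.net",
    "192.0.2.11": "pD9E2.dip.t-dialin.net",
    "198.51.100.7": "ANantes-101-1-1-7.abo.wanadoo.fr",
    "203.0.113.5": "host5.example.org",
}

LINE_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) "(?P<command>[^"]*)" (?P<status>\d{3})'
)
ANON_USERS = {"ftp", "anonymous"}


def parse_line(line):
    """Split one log line into client, FTP verb, argument and 3-digit reply code."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    verb, _, arg = m.group("command").partition(" ")
    return {"client": m.group("client"), "verb": verb.upper(),
            "arg": arg, "status": int(m.group("status"))}


def summarize_clients(log_text):
    """Per-client view: did an anonymous login succeed (230 after an anonymous
    USER), how many SITE EXEC probes were sent, how many other commands were
    issued. The scanners described in the post log in anonymously, send the
    probe and do nothing else, so other_cmds stays at 0 for them."""
    clients = defaultdict(lambda: {"anon_login_ok": False,
                                   "site_exec_probes": 0, "other_cmds": 0})
    pending_anon = set()  # clients whose most recent USER was an anonymous account
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, verb, arg, status = rec["client"], rec["verb"], rec["arg"], rec["status"]
        c = clients[ip]
        if verb == "USER":
            (pending_anon.add if arg.lower() in ANON_USERS else pending_anon.discard)(ip)
        elif verb == "PASS":
            if ip in pending_anon and status == 230:
                c["anon_login_ok"] = True
        elif verb == "SITE" and arg.upper().startswith("EXEC"):
            c["site_exec_probes"] += 1
        elif verb != "QUIT":
            c["other_cmds"] += 1
    return dict(clients)


def probing_clients(summary):
    """Addresses that sent at least one SITE EXEC probe, whether or not the
    anonymous login succeeded (the scanner reads the 500/530 reply either way)."""
    return sorted(ip for ip, s in summary.items() if s["site_exec_probes"] > 0)


def domain_of(hostname):
    """Last two DNS labels (t-dialin.net, wanadoo.fr). Assumed heuristic; a
    public-suffix list would be needed for names under co.uk and the like."""
    return ".".join(hostname.rstrip(".").split(".")[-2:])


def top_domains(summary, hostnames, n=5):
    """(domain, probe attempts, distinct hosts), most attempts first, in the
    shape of the Top 5 list quoted in the post. Unresolved IPs group by IP."""
    attempts, hosts = Counter(), defaultdict(set)
    for ip in probing_clients(summary):
        name = hostnames.get(ip)
        dom = domain_of(name) if name else ip
        attempts[dom] += summary[ip]["site_exec_probes"]
        hosts[dom].add(ip)
    ranked = sorted(attempts, key=lambda d: (-attempts[d], d))
    return [(d, attempts[d], len(hosts[d])) for d in ranked[:n]]


if __name__ == "__main__":
    summary = summarize_clients(SAMPLE_LOG)
    for ip in probing_clients(summary):
        print(ip, summary[ip])
    for rank, (dom, att, nh) in enumerate(top_domains(summary, HOSTNAMES), 1):
        print(f"{rank}: {dom} ({att} attempts, {nh} hosts)")
```

The host that logs in anonymously and then issues PWD is deliberately left out of the probing list: a successful anonymous login by itself is not the scan signature, the SITE EXEC probe is. Conversely the host whose PASS was refused with 530 is still counted, since the probe was sent regardless.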


