RE: Trojan of somesort - Update

From: James C Slora Jr (Jim.Slora_at_phra.com)
Date: 05/28/04

  • Next message: Paul Schmehl: "Re: Trojan of somesort - Update"
    To: <incidents@securityfocus.com>
    Date: Thu, 27 May 2004 18:15:26 -0400
    Harlan Carvey wrote Thursday, May 27, 2004 15:27

    > While it's true that the "tagged" FTP sites were filled w/
    > warez, my own investigations into these events showed quite
    > clearly that not a single site was "hacked".

    Thanks for mentioning this.

    Just to be clear, Bob the Builder's box was hacked, not just tagged. But
    BtB's name suggests he is more than qualified to repair or rebuild it - YES
    HE CAN! :).

    > Rather, the
    > automated script would look for FTP sites that allowed an
    > anonymous user to write to the drive (check was done using
    > "mkdir" command). As the script was automated, it simply
    > rm'd the directory it created (if successful) and recorded
    > the IP address for later use.

    Yup. Any Internet-exposed FTP server that allows anonymous reading and
    writing in the same directory will eventually get tagged and start
    getting warez libraries. That doesn't mean that it is hacked, though.

    Tagging means marking, and does not imply any hack necessarily occurred.
    Tagging scripts and tools like Grim's Ping normally just look for anonymous
    FTP servers and try to create tag directories or files. Tag directories
    often try to be harder to delete so they will still be there later and will
    protect the files under them, or the tag directories might just be logged
    and deleted as Harlan mentioned. Tag files are usually labeled with the size
    and tag, and are used for speed tests.

    The "tags" themselves don't hurt anything - they are just a marker unique to
    the crew that found the open server.

    So a tagged server won't necessarily show any trojans or odd open ports,
    because often the server is the victim of warez abuse but not hacking.

    Search for GPUSER (string contained in the default "anonymous" password in
    Grim's Ping) in a few months of any anonymous FTP server log and there
    should be several attempts to "tag" by creating dirs. Any other mkdir
    entries might also show tagging attempts.

    The taggers often will create a directory that is deeply nested and that has
    characters in it to prevent many methods of deleting or even seeing them
    from Windows. These are just file naming tricks that may make the server
    appear hacked when it isn't. RMDIR /S on the top-level 8.3 name at the
    command line normally takes care of them without even a reboot. Then
    rearchitect anonymous login to eliminate the ability to both read and write
    files in any given directory, and you may be finished.
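One way to run the log search described above (GPUSER-style anonymous passwords, MKD attempts, and the mkdir-then-rmdir probe pattern) over FTP logs, as an added example that is not part of the original message. It assumes a simplified, constructed line layout of `date time client-ip command argument status`, not any real server's log format, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed simplified layout:
#   date time client-ip command argument status
SAMPLE_LOG = """\
2004-05-27 18:01:02 198.51.100.7 USER anonymous 331
2004-05-27 18:01:02 198.51.100.7 PASS GPUSER@host.com 230
2004-05-27 18:01:03 198.51.100.7 MKD 040527181503p 257
2004-05-27 18:01:03 198.51.100.7 RMD 040527181503p 250
2004-05-27 18:05:10 203.0.113.9 USER anonymous 331
2004-05-27 18:05:10 203.0.113.9 PASS mozilla@example.com 230
2004-05-27 18:05:11 203.0.113.9 RETR readme.txt 226
2004-05-27 18:09:44 192.0.2.33 USER anonymous 331
2004-05-27 18:09:44 192.0.2.33 PASS guest@ 230
2004-05-27 18:09:45 192.0.2.33 MKD incoming/tagged_by_crew 257
2004-05-27 18:09:46 192.0.2.33 STOR incoming/tagged_by_crew/1MB_test.bin 226
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S*) (\d{3})$")


def parse(log):
    """Yield one record per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"ts": m.group(1), "ip": m.group(2), "cmd": m.group(3),
                   "arg": m.group(4), "status": int(m.group(5))}


def find_tagging(log):
    """Return {client-ip: [(finding, timestamp, argument), ...]}.

    Flags: a PASS argument containing GPUSER (Grim's Ping default anonymous
    password, case-insensitive), every MKD attempt (257 = directory created,
    RFC 959), and an RMD of a directory the same client just created, which
    is the automated write-check-then-clean-up probe described in the thread.
    """
    findings = defaultdict(list)
    created = defaultdict(set)  # per-client set of directories it created
    for rec in parse(log):
        ip, cmd, arg = rec["ip"], rec["cmd"], rec["arg"]
        if cmd == "PASS" and "GPUSER" in arg.upper():
            findings[ip].append(("grims_ping_password", rec["ts"], arg))
        elif cmd == "MKD":
            ok = rec["status"] == 257
            findings[ip].append(("mkdir_created" if ok else "mkdir_refused", rec["ts"], arg))
            if ok:
                created[ip].add(arg)
        elif cmd == "RMD" and arg in created[ip]:
            findings[ip].append(("mkdir_rmdir_probe", rec["ts"], arg))
    return dict(findings)
```

Clients that only log in anonymously and download (203.0.113.9 above) produce no findings; the write-check probe and the tag directory do.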