Security Basics mailing list archives

RE: Anyone know what scanner this is?


From: "Ian Lyte" <ilyte () alias666 freeserve co uk>
Date: Mon, 16 Dec 2002 17:11:51 -0000

Pez,

        Googling reveals http://eyeonsecurity.org/papers/pubscanning.pdf and says
it's Grim's Ping (with default PASS changed (usually guest () here com)).

        Hope that helps.

Ian




-----Original Message-----
From: Pez Mohr [mailto:boredMDer74 () msn com]
Sent: 15 December 2002 22:53
To: Security Basics
Subject: Anyone know what scanner this is?


A while ago I decided to set up an anonymous account on my FTP server with
full access (read, write, create, delete, and the same access for
subdirectories) on the dir C:\Trap to see what kind of traffic I'd get.
Nothing much has happened for the past few months, until today, when I found
some uploads and downloads under the user 'anonymous'. The logs follow, and
with the timestamps, they appear to be undeniably produced by some sort of
scanner. The files that were deleted went into my 'recycle bin', and I
deleted them by accident, thinking they were files I put in there myself.

(001378) 12/15/2002 12:53:26 AM - General (146.115.114.133) > disconnected.
(00:01:15)

(001379) 12/15/2002 1:13:47 AM - (not logged in) (217.226.72.253) >
connected to ip : 192.168.1.2

(001379) 12/15/2002 1:13:47 AM - (not logged in) (217.226.72.253) > sending
welcome message.

(001379) 12/15/2002 1:13:47 AM - (not logged in) (217.226.72.253) > 220 All
connection attempts logged/reported. Anyone attempting to log in will be
reported to their ISP. Access illegal unless prior permission recieved from
owner of FTP server.

(001379) 12/15/2002 1:13:48 AM - (not logged in) (217.226.72.253) > USER
anonymous

(001379) 12/15/2002 1:13:48 AM - (not logged in) (217.226.72.253) > 331
Password required for anonymous.

(001379) 12/15/2002 1:13:48 AM - (not logged in) (217.226.72.253) > PASS
Xgpuser () home com

(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > logged in.

(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > 230 User
anonymous logged in.

(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > CWD /

(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > asked to
change directory : 'C:\Trap\ -> C:\Trap\' --> Access allowed.

(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > 250 CWD
command successful. "/" is current directory.

(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > DELE
/1mbtest.ptf

(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > 550
'/1mbtest.ptf': no such file or directory.

(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > TYPE I

(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > 200 Type set
to I.

(001379) 12/15/2002 1:13:49 AM - anonymous (217.226.72.253) > PORT
217,226,72,253,8,241

(001379) 12/15/2002 1:13:49 AM - anonymous (217.226.72.253) > 200 Port
command successful.

(001379) 12/15/2002 1:13:49 AM - anonymous (217.226.72.253) > STOR
/1mbtest.ptf

(001379) 12/15/2002 1:13:49 AM - anonymous (217.226.72.253) > asked to
upload '\1mbtest.ptf' in 'C:\Trap\' --> Access allowed.

(001379) 12/15/2002 1:13:49 AM - anonymous (217.226.72.253) > 150 Opening
data connection for 1mbtest.ptf.

(001379) 12/15/2002 1:13:49 AM - anonymous (217.226.72.253) > started
uploading '\1mbtest.ptf' in 'C:\Trap\'.

(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > 226 File
received ok.

(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > finished
uploading '\1mbtest.ptf' in 'C:\Trap\' - (00:01:03 - 1024.002 KB - 16.254
KBytes/s).

(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > PORT
217,226,72,253,8,242

(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > 200 Port
command successful.

(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > TYPE I

(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > 200 Type set
to I.

(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > RETR
/1mbtest.ptf

(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > asked to
download 'C:\Trap\1mbtest.ptf' --> Access allowed.

(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > 150 Opening
data connection for 1mbtest.ptf (1048578 bytes).

(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > started
downloading 'C:\Trap\1mbtest.ptf'.

(001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > finished
downloading 'C:\Trap\1mbtest.ptf' - (00:01:10 - 1024.002 KB - 14.629
KBytes/s)

(001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > 226 Transfer
ok

(001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > TYPE A

(001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > 200 Type set
to A.

(001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > PORT
217,226,72,253,8,244

(001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > 200 Port
command successful.

(001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > LIST -la

(001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > 150 Opening
data connection for directory list.

(001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > 226 Transfer
ok

(001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > DELE
/1mbtest.ptf

(001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > asked to
delete 'C:\Trap\1mbtest.ptf' --> Access allowed.

(001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > 250 File/Dir
'/1mbtest.ptf' deleted.

(001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > TYPE A

(001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > 200 Type set
to A.

(001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > PORT
217,226,72,253,8,245

(001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > 200 Port
command successful.

(001379) 12/15/2002 1:16:04 AM - anonymous (217.226.72.253) > STOR
/space.asp

(001379) 12/15/2002 1:16:04 AM - anonymous (217.226.72.253) > asked to
upload '\space.asp' in 'C:\Trap\' --> Access allowed.

(001379) 12/15/2002 1:16:04 AM - anonymous (217.226.72.253) > 150 Opening
data connection for space.asp.

(001379) 12/15/2002 1:16:04 AM - anonymous (217.226.72.253) > started
uploading '\space.asp' in 'C:\Trap\'.

(001379) 12/15/2002 1:16:04 AM - anonymous (217.226.72.253) > 226 File
received ok.

(001379) 12/15/2002 1:16:04 AM - anonymous (217.226.72.253) > finished
uploading '\space.asp' in 'C:\Trap\' - (00:00:01 - 2.586 KB - 2.586
KBytes/s).

(001379) 12/15/2002 1:16:14 AM - anonymous (217.226.72.253) > DELE
/space.asp

(001379) 12/15/2002 1:16:14 AM - anonymous (217.226.72.253) > asked to
delete 'C:\Trap\space.asp' --> Access allowed.

(001379) 12/15/2002 1:16:15 AM - anonymous (217.226.72.253) > 250 File/Dir
'/space.asp' deleted.

(001379) 12/15/2002 1:16:15 AM - anonymous (217.226.72.253) > disconnected.
(00:02:27)

Pez Mohr
boredMDer74 () msn com
Aspiring BOFH
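
The session in the log above uploads a test file, reads it back and deletes it again. As an added example (not part of the original posts), this Python code flags that upload-then-delete pattern per session in a log of this kind. The line layout is assumed from the quoted log with its wrapped lines rejoined, and session 001380 is constructed.

```python
import re

# Line layout assumed from the log in the post, with wrapped lines rejoined:
#   (session) date time AM/PM - user (client ip) > text
LINE = re.compile(r"^\((\d+)\) \S+ \S+ [AP]M - .+? \((\d+(?:\.\d+){3})\) > (.*)$")
CMD = re.compile(r"^(USER|PASS|STOR|RETR|DELE) (.+)$")

def find_write_probes(lines):
    """Flag sessions that upload a file and then delete that same file."""
    sessions = {}
    for line in lines:
        m = LINE.match(line.strip())
        c = CMD.match(m.group(3)) if m else None
        if not c:
            continue  # server replies and status text are ignored
        sid, ip = m.group(1), m.group(2)
        verb, arg = c.groups()
        s = sessions.setdefault(sid, {"ip": ip, "user": None, "password": None,
                                      "stored": [], "read_back": [], "probes": []})
        if verb == "USER":
            s["user"] = arg
        elif verb == "PASS":
            s["password"] = arg
        elif verb == "STOR":
            s["stored"].append(arg)
        elif verb == "RETR" and arg in s["stored"]:
            s["read_back"].append(arg)
        elif verb == "DELE" and arg in s["stored"]:
            s["probes"].append(arg)  # a DELE before any STOR does not count
    return {sid: s for sid, s in sessions.items() if s["probes"]}

# Sample input: client commands from the post's session 001379, unwrapped, plus a
# constructed session 001380 (documentation address) that uploads without deleting.
SAMPLE = [
    "(001379) 12/15/2002 1:13:48 AM - (not logged in) (217.226.72.253) > USER anonymous",
    "(001379) 12/15/2002 1:13:48 AM - (not logged in) (217.226.72.253) > PASS Xgpuser () home com",
    "(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > DELE /1mbtest.ptf",
    "(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > 550 '/1mbtest.ptf': no such file or directory.",
    "(001379) 12/15/2002 1:13:49 AM - anonymous (217.226.72.253) > STOR /1mbtest.ptf",
    "(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > RETR /1mbtest.ptf",
    "(001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > DELE /1mbtest.ptf",
    "(001379) 12/15/2002 1:16:04 AM - anonymous (217.226.72.253) > STOR /space.asp",
    "(001379) 12/15/2002 1:16:14 AM - anonymous (217.226.72.253) > DELE /space.asp",
    "(001380) 12/15/2002 2:05:10 AM - anonymous (192.0.2.10) > STOR /report.txt",
]

if __name__ == "__main__":
    print(find_write_probes(SAMPLE))
```

The PASS value recorded per session can then be compared against the default passwords listed in the paper Ian links.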




