Security Basics mailing list archives
Re: Anyone know what scanner this is?
From: Steve Cooper <tycho () nuclear-monkeys co uk>
Date: 16 Dec 2002 19:44:29 +0000
That's someone scanning for pubs, public FTP servers to host warez on. I think there's a program called Grim's Ping that does this automatically.

Note the file "1mbtest.ptf": this is a 1MB test file to find out the upload and download speed and also to test the folder permissions. Space.asp does exactly what it sounds like: it finds the amount of free space you have to host files.

The attacker will have logged your IP and will no doubt be back to manually check your site, at which point they will start creating hidden directories, for example:

/<space>/.Warez<space>/com1/Doom3/

Putting the space in helps hide it from casual browsing, and Windows does not let you enter directories like com1, com2, and such, while the . (period) is a hidden file in *nix systems.

Check out the following link for some good background info:
http://eyeonsecurity.org/papers/pubscanning.pdf

Hope this helps

Steve

On Sun, 2002-12-15 at 22:52, Pez Mohr wrote:
A while ago I decided to set up an anonymous account on my FTP server with full access (read, write, create, delete, and the same access for subdirectories) on the dir C:\Trap to see what kind of traffic I'd get. Nothing much has happened for the past few months, until today, I found some uploads and downloads under the user 'anonymous'. The logs are following, and with the timestamps, they appear to be undeniably produced by some sort of scanner. The files that were deleted went into my 'recycle bin', and I deleted them by accident, thinking they were files I put in there myself.

(001378) 12/15/2002 12:53:26 AM - General (146.115.114.133) > disconnected. (00:01:15)
(001379) 12/15/2002 1:13:47 AM - (not logged in) (217.226.72.253) > connected to ip : 192.168.1.2
(001379) 12/15/2002 1:13:47 AM - (not logged in) (217.226.72.253) > sending welcome message.
(001379) 12/15/2002 1:13:47 AM - (not logged in) (217.226.72.253) > 220 All connection attempts logged/reported. Anyone attempting to log in will be reported to their ISP. Access illegal unless prior permission recieved from owner of FTP server.
(001379) 12/15/2002 1:13:48 AM - (not logged in) (217.226.72.253) > USER anonymous
(001379) 12/15/2002 1:13:48 AM - (not logged in) (217.226.72.253) > 331 Password required for anonymous.
(001379) 12/15/2002 1:13:48 AM - (not logged in) (217.226.72.253) > PASS Xgpuser () home com
(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > logged in.
(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > 230 User anonymous logged in.
(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > CWD /
(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > asked to change directory : 'C:\Trap\ -> C:\Trap\' --> Access allowed.
(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > 250 CWD command successful. "/" is current directory.
(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > DELE /1mbtest.ptf
(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > 550 '/1mbtest.ptf': no such file or directory.
(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > TYPE I
(001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > 200 Type set to I.
(001379) 12/15/2002 1:13:49 AM - anonymous (217.226.72.253) > PORT 217,226,72,253,8,241
(001379) 12/15/2002 1:13:49 AM - anonymous (217.226.72.253) > 200 Port command successful.
(001379) 12/15/2002 1:13:49 AM - anonymous (217.226.72.253) > STOR /1mbtest.ptf
(001379) 12/15/2002 1:13:49 AM - anonymous (217.226.72.253) > asked to upload '\1mbtest.ptf' in 'C:\Trap\' --> Access allowed.
(001379) 12/15/2002 1:13:49 AM - anonymous (217.226.72.253) > 150 Opening data connection for 1mbtest.ptf.
(001379) 12/15/2002 1:13:49 AM - anonymous (217.226.72.253) > started uploading '\1mbtest.ptf' in 'C:\Trap\'.
(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > 226 File received ok.
(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > finished uploading '\1mbtest.ptf' in 'C:\Trap\' - (00:01:03 - 1024.002 KB - 16.254 KBytes/s).
(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > PORT 217,226,72,253,8,242
(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > 200 Port command successful.
(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > TYPE I
(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > 200 Type set to I.
(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > RETR /1mbtest.ptf
(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > asked to download 'C:\Trap\1mbtest.ptf' --> Access allowed.
(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > 150 Opening data connection for 1mbtest.ptf (1048578 bytes).
(001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > started downloading 'C:\Trap\1mbtest.ptf'.
(001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > finished downloading 'C:\Trap\1mbtest.ptf' - (00:01:10 - 1024.002 KB - 14.629 KBytes/s)
(001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > 226 Transfer ok
(001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > TYPE A
(001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > 200 Type set to A.
(001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > PORT 217,226,72,253,8,244
(001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > 200 Port command successful.
(001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > LIST -la
(001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > 150 Opening data connection for directory list.
(001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > 226 Transfer ok
(001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > DELE /1mbtest.ptf
(001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > asked to delete 'C:\Trap\1mbtest.ptf' --> Access allowed.
(001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > 250 File/Dir '/1mbtest.ptf' deleted.
(001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > TYPE A
(001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > 200 Type set to A.
(001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > PORT 217,226,72,253,8,245
(001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > 200 Port command successful.
(001379) 12/15/2002 1:16:04 AM - anonymous (217.226.72.253) > STOR /space.asp
(001379) 12/15/2002 1:16:04 AM - anonymous (217.226.72.253) > asked to upload '\space.asp' in 'C:\Trap\' --> Access allowed.
(001379) 12/15/2002 1:16:04 AM - anonymous (217.226.72.253) > 150 Opening data connection for space.asp.
(001379) 12/15/2002 1:16:04 AM - anonymous (217.226.72.253) > started uploading '\space.asp' in 'C:\Trap\'.
(001379) 12/15/2002 1:16:04 AM - anonymous (217.226.72.253) > 226 File received ok.
(001379) 12/15/2002 1:16:04 AM - anonymous (217.226.72.253) > finished uploading '\space.asp' in 'C:\Trap\' - (00:00:01 - 2.586 KB - 2.586 KBytes/s).
(001379) 12/15/2002 1:16:14 AM - anonymous (217.226.72.253) > DELE /space.asp
(001379) 12/15/2002 1:16:14 AM - anonymous (217.226.72.253) > asked to delete 'C:\Trap\space.asp' --> Access allowed.
(001379) 12/15/2002 1:16:15 AM - anonymous (217.226.72.253) > 250 File/Dir '/space.asp' deleted.
(001379) 12/15/2002 1:16:15 AM - anonymous (217.226.72.253) > disconnected. (00:02:27)

Pez Mohr
boredMDer74 () msn com
Aspiring BOFH
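
Added example, not part of either post: a small log check for the pattern discussed in this thread, where an anonymous session writes a file and removes it again in the same session, with or without downloading it in between. It assumes the log line layout shown in the quoted message; the function name `find_probes` and the sample lines (documentation addresses) are constructed for illustration.

```python
import re
from collections import defaultdict

# One log entry: "(session) date time AM/PM - user (ip) > message"
LINE = re.compile(
    r"^\((\d+)\) \S+ \S+ [AP]M - (.+?) \((\d{1,3}(?:\.\d{1,3}){3})\) > (.*)$")
# Client commands that touch a file; server replies and status text are ignored.
CMD = re.compile(r"^(STOR|RETR|DELE) (\S.*)$")

def find_probes(lines):
    """Return [(session, ip, path, kind)] for files that an anonymous login
    uploaded and then deleted again within one session. Counts commands as
    issued; it does not check the server's reply codes."""
    seen = defaultdict(list)  # (session, ip, path) -> verbs in log order
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(2) != "anonymous":
            continue
        session, _user, ip, msg = m.groups()
        c = CMD.match(msg)
        if c:
            seen[(session, ip, c.group(2))].append(c.group(1))
    findings = []
    for (session, ip, path), verbs in seen.items():
        if "STOR" not in verbs:
            continue
        after = verbs[verbs.index("STOR"):]  # ignore a DELE sent before the upload
        if "DELE" not in after:
            continue  # file was left in place: not the probe pattern
        fetched = "RETR" in after[:after.index("DELE")]
        findings.append((session, ip, path,
                         "speed-test" if fetched else "write-delete"))
    return findings

# Constructed sample lines in the same layout as the log above.
SAMPLE = r"""
(000042) 01/05/2003 2:10:01 AM - (not logged in) (203.0.113.7) > USER anonymous
(000042) 01/05/2003 2:10:02 AM - anonymous (203.0.113.7) > DELE /1mbtest.ptf
(000042) 01/05/2003 2:10:02 AM - anonymous (203.0.113.7) > 550 '/1mbtest.ptf': no such file or directory.
(000042) 01/05/2003 2:10:03 AM - anonymous (203.0.113.7) > STOR /1mbtest.ptf
(000042) 01/05/2003 2:11:05 AM - anonymous (203.0.113.7) > RETR /1mbtest.ptf
(000042) 01/05/2003 2:12:10 AM - anonymous (203.0.113.7) > DELE /1mbtest.ptf
(000042) 01/05/2003 2:12:11 AM - anonymous (203.0.113.7) > STOR /space.asp
(000042) 01/05/2003 2:12:20 AM - anonymous (203.0.113.7) > DELE /space.asp
(000043) 01/05/2003 3:00:00 AM - anonymous (198.51.100.9) > STOR /report.txt
""".strip().splitlines()

if __name__ == "__main__":
    for finding in find_probes(SAMPLE):
        print(finding)
```
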