Re: Anyone know what scanner this is?

[Steve Cooper <tycho () nuclear-monkeys co uk>]

Thats someone scanning for pubs, public ftp servers to host warez on, I
think there's a program called Grims Ping that does this automaticly.
Note the file "1mbtest.ptf" this is a 1MB test file to find out the
upload and download speed and also to test the folder permissions.
Space.asp does exactly what it sounds like, it finds the amount of free
space you have to host files.

The attacker will have logged your IP and will no doubt be back to
manually check your site, at which point they will start creating hidden
directories for example: 
/<space>/.Warez<space>/com1/Doom3/
Putting the space in helps hide it from casual browsing and windows does
not let you enter directories like com1, com2, and such while the .
(period) is a hidden file in *nix systems.

Check out the following link for some good background info:
http://eyeonsecurity.org/papers/pubscanning.pdf

Hope this helps
Steve

On Sun, 2002-12-15 at 22:52, Pez Mohr wrote:
>  A while ago I decided to set up an anonymous account on my FTP server with
> full access (read, write, create, delete, and the same access for
> subdirectories) on the dir C:\Trap to see what kind of traffic I'd get.
> Nothing much has happened for the past few months, until today, I found some
> uploads and downloads under the user 'anonymous'. The logs are following,
> and with the timestamps, they
> appear to be undeniably priduced by some sort of scanner. The files that
> were deleted went into my 'recycle bin', and I deleted them by accident,
> thinking they were files I put in there myself.
>
> (001378) 12/15/2002 12:53:26 AM - General (146.115.114.133) > disconnected.
> (00:01:15)
>
> (001379) 12/15/2002 1:13:47 AM - (not logged in) (217.226.72.253) >
> connected to ip : 192.168.1.2
>
> (001379) 12/15/2002 1:13:47 AM - (not logged in) (217.226.72.253) > sending
> welcome message.
>
> (001379) 12/15/2002 1:13:47 AM - (not logged in) (217.226.72.253) > 220 All
> connection attempts logged/reported. Anyone attempting to log in will be
> reported to their ISP. Access illegal unless prior permission recieved from
> owner of FTP server.
>
> (001379) 12/15/2002 1:13:48 AM - (not logged in) (217.226.72.253) > USER
> anonymous
>
> (001379) 12/15/2002 1:13:48 AM - (not logged in) (217.226.72.253) > 331
> Password required for anonymous.
>
> (001379) 12/15/2002 1:13:48 AM - (not logged in) (217.226.72.253) > PASS
> Xgpuser () home com
>
> (001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > logged in.
>
> (001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > 230 User
> anonymous logged in.
>
> (001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > CWD /
>
> (001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > asked to
> change directory : 'C:\Trap\ -> C:\Trap\' --> Access allowed.
>
> (001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > 250 CWD
> command successful. "/" is current directory.
>
> (001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > DELE
> /1mbtest.ptf
>
> (001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > 550
> '/1mbtest.ptf': no such file or directory.
>
> (001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > TYPE I
>
> (001379) 12/15/2002 1:13:48 AM - anonymous (217.226.72.253) > 200 Type set
> to I.
>
> (001379) 12/15/2002 1:13:49 AM - anonymous (217.226.72.253) > PORT
> 217,226,72,253,8,241
>
> (001379) 12/15/2002 1:13:49 AM - anonymous (217.226.72.253) > 200 Port
> command successful.
>
> (001379) 12/15/2002 1:13:49 AM - anonymous (217.226.72.253) > STOR
> /1mbtest.ptf
>
> (001379) 12/15/2002 1:13:49 AM - anonymous (217.226.72.253) > asked to
> upload '\1mbtest.ptf' in 'C:\Trap\' --> Access allowed.
>
> (001379) 12/15/2002 1:13:49 AM - anonymous (217.226.72.253) > 150 Opening
> data connection for 1mbtest.ptf.
>
> (001379) 12/15/2002 1:13:49 AM - anonymous (217.226.72.253) > started
> uploading '\1mbtest.ptf' in 'C:\Trap\'.
>
> (001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > 226 File
> received ok.
>
> (001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > finished
> uploading '\1mbtest.ptf' in 'C:\Trap\' - (00:01:03 - 1024.002 KB - 16.254
> KBytes/s).
>
> (001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > PORT
> 217,226,72,253,8,242
>
> (001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > 200 Port
> command successful.
>
> (001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > TYPE I
>
> (001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > 200 Type set
> to I.
>
> (001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > RETR
> /1mbtest.ptf
>
> (001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > asked to
> download 'C:\Trap\1mbtest.ptf' --> Access allowed.
>
> (001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > 150 Opening
> data connection for 1mbtest.ptf (1048578 bytes).
>
> (001379) 12/15/2002 1:14:52 AM - anonymous (217.226.72.253) > started
> downloading 'C:\Trap\1mbtest.ptf'.
>
> (001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > finished
> downloading 'C:\Trap\1mbtest.ptf' - (00:01:10 - 1024.002 KB - 14.629
> KBytes/s)
>
> (001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > 226 Transfer
> ok
>
> (001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > TYPE A
>
> (001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > 200 Type set
> to A.
>
> (001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > PORT
> 217,226,72,253,8,244
>
> (001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > 200 Port
> command successful.
>
> (001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > LIST -la
>
> (001379) 12/15/2002 1:16:02 AM - anonymous (217.226.72.253) > 150 Opening
> data connection for directory list.
>
> (001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > 226 Transfer
> ok
>
> (001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > DELE
> /1mbtest.ptf
>
> (001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > asked to
> delete 'C:\Trap\1mbtest.ptf' --> Access allowed.
>
> (001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > 250 File/Dir
> '/1mbtest.ptf' deleted.
>
> (001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > TYPE A
>
> (001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > 200 Type set
> to A.
>
> (001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > PORT
> 217,226,72,253,8,245
>
> (001379) 12/15/2002 1:16:03 AM - anonymous (217.226.72.253) > 200 Port
> command successful.
>
> (001379) 12/15/2002 1:16:04 AM - anonymous (217.226.72.253) > STOR
> /space.asp
>
> (001379) 12/15/2002 1:16:04 AM - anonymous (217.226.72.253) > asked to
> upload '\space.asp' in 'C:\Trap\' --> Access allowed.
>
> (001379) 12/15/2002 1:16:04 AM - anonymous (217.226.72.253) > 150 Opening
> data connection for space.asp.
>
> (001379) 12/15/2002 1:16:04 AM - anonymous (217.226.72.253) > started
> uploading '\space.asp' in 'C:\Trap\'.
>
> (001379) 12/15/2002 1:16:04 AM - anonymous (217.226.72.253) > 226 File
> received ok.
>
> (001379) 12/15/2002 1:16:04 AM - anonymous (217.226.72.253) > finished
> uploading '\space.asp' in 'C:\Trap\' - (00:00:01 - 2.586 KB - 2.586
> KBytes/s).
>
> (001379) 12/15/2002 1:16:14 AM - anonymous (217.226.72.253) > DELE
> /space.asp
>
> (001379) 12/15/2002 1:16:14 AM - anonymous (217.226.72.253) > asked to
> delete 'C:\Trap\space.asp' --> Access allowed.
>
> (001379) 12/15/2002 1:16:15 AM - anonymous (217.226.72.253) > 250 File/Dir
> '/space.asp' deleted.
>
> (001379) 12/15/2002 1:16:15 AM - anonymous (217.226.72.253) > disconnected.
> (00:02:27)
>
> Pez Mohr
> boredMDer74 () msn com
> Aspiring BOFH