Security Incidents mailing list archives
Re: What's the tool?
From: gattaca () HUSHMAIL COM
Date: Tue, 20 Mar 2001 17:36:26 -0600
Just today I encountered this very incident. Mine originated from a university in Georgia however. Sorry I can't be of more help. Any insight would be appreciated.

gattaca

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On Behalf Of Sean Brown
Sent: Tuesday, March 20, 2001 10:32 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: What's the tool?

Greetings,

I've been seeing a number of, apparently, automated scans for FTP. When an FTP site is found, the tool logs on anonymously and attempts to create a directory in a couple of different places. If unsuccessful, it logs off. The directory it tries to create is named for the date/time of the probe, i.e. 010320101054p for March 20, 2001, 10:10:54pm. Below are some log excerpts showing the probe. All it appears to be doing is looking for upload capabilities on anonymous FTP sites (future warez locations?). The source locations for the probes hitting me have been France and Germany. IP header signatures indicate that the tool may be Windows based. Does anyone know what this tool is?

Log Entries:
============
Mar 20 04:37:49 62.226.81.91:3174 -> x.y.z.195:21 SYN ******S*
Mar 20 04:37:49 62.226.81.91:3179 -> x.y.z.200:21 SYN ******S*
<--snip-->

Snort IDS excerpt:
[**] FTP SYN probe [**]
03/20-04:37:46.411833 0:60:1D:20:F7:5F -> 0:50:4:B0:A:74 type:0x800 len:0x42
62.226.81.91:3174 -> x.y.z.195:21 TCP TTL:115 TOS:0x0 ID:580 IpLen:20 DgmLen:52 DF
******S* Seq: 0xD3755505 Ack: 0x0 Win: 0xFF3C TcpLen: 32
TCP Options (6) => MSS: 536 NOP WS: 2 NOP NOP SackOK

[**] FTP SYN probe [**]
03/20-04:37:46.664004 0:60:1D:20:F7:5F -> 0:50:4:B0:A:74 type:0x800 len:0x42
62.226.81.91:3179 -> x.y.z.200:21 TCP TTL:115 TOS:0x0 ID:591 IpLen:20 DgmLen:52 DF
******S* Seq: 0xD37ABB42 Ack: 0x0 Win: 0xFF3C TcpLen: 32
TCP Options (6) => MSS: 536 NOP WS: 2 NOP NOP SackOK

Activity log excerpt:
Mar 20 04:37:53 <my_site> ftpd[12992]: ANONYMOUS FTP LOGIN FROM p3EE2515B.dip.t-dialin.net [62.226.81.91], guest () here com
Mar 20 04:37:55 <my_site> ftpd[12992]: anonymous(guest () here com) of p3EE2515B.dip.t-dialin.net [62.226.81.91] tried to create directory /home/ftp/pub/010320101054p
Mar 20 04:37:56 <my_site> ftpd[12992]: anonymous(guest () here com) of p3EE2515B.dip.t-dialin.net [62.226.81.91] tried to create directory /home/ftp/010320101055p
Mar 20 04:37:57 <my_site> ftpd[12992]: FTP session closed

Thanks,
Sean
--
~~~~~~~~~~~~~~~
Sean R. Brown - srbrown () appgeo com
System Administrator
Applied Geographics, Inc.
Boston, MA

Free, encrypted, secure Web-based email at www.hushmail.com
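The probe Sean describes has a distinctive shape in the ftpd log: an anonymous login, one or two directory-creation attempts whose names are a YYMMDDHHMMSS stamp followed by "a" or "p", then an immediate disconnect. The script below is an added example written for this archive page, not code from either poster. It assumes a wu-ftpd-style log format matching the excerpt quoted above, and it builds its own sample lines (constructed, with the archive's munged addresses restored to ordinary e-mail addresses, plus one benign anonymous session that should not be flagged). It also decodes the directory name back into the probing host's local time; the two-digit year is assumed to be 20xx and the trailing letter is assumed to mark a 12-hour clock, both of which are inferred from the example in the post.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the ftpd excerpt in the post. The second
# session is a benign anonymous upload attempt and must not be flagged.
SAMPLE_LOG = """\
Mar 20 04:37:53 myhost ftpd[12992]: ANONYMOUS FTP LOGIN FROM p3EE2515B.dip.t-dialin.net [62.226.81.91], guest@here.com
Mar 20 04:37:55 myhost ftpd[12992]: anonymous(guest@here.com) of p3EE2515B.dip.t-dialin.net [62.226.81.91] tried to create directory /home/ftp/pub/010320101054p
Mar 20 04:37:56 myhost ftpd[12992]: anonymous(guest@here.com) of p3EE2515B.dip.t-dialin.net [62.226.81.91] tried to create directory /home/ftp/010320101055p
Mar 20 04:37:57 myhost ftpd[12992]: FTP session closed
Mar 20 09:12:01 myhost ftpd[13004]: ANONYMOUS FTP LOGIN FROM mirror.example.net [192.0.2.10], ftp@example.net
Mar 20 09:12:09 myhost ftpd[13004]: anonymous(ftp@example.net) of mirror.example.net [192.0.2.10] tried to create directory /home/ftp/incoming/uploads
Mar 20 09:12:30 myhost ftpd[13004]: FTP session closed
"""

# Assumed log grammar (wu-ftpd style, as in the quoted excerpt).
LOGIN_RE = re.compile(r"ftpd\[(?P<pid>\d+)\]: ANONYMOUS FTP LOGIN FROM (?P<host>\S+) \[(?P<ip>[^\]]+)\]")
MKD_RE = re.compile(r"ftpd\[(?P<pid>\d+)\]: anonymous\(.*?\) of \S+ \[(?P<ip>[^\]]+)\] tried to create directory (?P<path>\S+)")
CLOSE_RE = re.compile(r"ftpd\[(?P<pid>\d+)\]: FTP session closed")

# YYMMDDHHMMSS plus a/p, e.g. 010320101054p -> 2001-03-20 22:10:54 (per the post).
STAMP_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})([ap])$")


def decode_stamp(name):
    """Decode a probe-style directory name into a datetime, or None if it is not one.

    Assumptions: two-digit year means 20xx; the trailing letter is a 12-hour
    am/pm marker with 12 meaning noon (p) or midnight (a)."""
    m = STAMP_RE.match(name)
    if not m:
        return None
    yy, mo, dd, hh, mi, ss = (int(x) for x in m.groups()[:6])
    if m.group(7) == "p" and hh != 12:
        hh += 12
    elif m.group(7) == "a" and hh == 12:
        hh = 0
    try:
        return datetime(2000 + yy, mo, dd, hh, mi, ss)
    except ValueError:  # digits in the right shape but not a valid date/time
        return None


def find_probe_sessions(log_text):
    """Return one record per anonymous session whose directory-creation attempts
    all used timestamp-style names, correlating lines by the ftpd child pid."""
    sessions = {}
    findings = []

    def finalize(pid):
        s = sessions.pop(pid, None)
        if not s or not s["attempts"]:
            return
        stamps = [decode_stamp(p.rsplit("/", 1)[-1]) for p in s["attempts"]]
        if all(stamps):  # every attempted name decodes as a probe stamp
            s["stamps"] = stamps
            findings.append(s)

    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            finalize(m["pid"])  # a reused pid means the earlier session ended unlogged
            sessions[m["pid"]] = {"pid": m["pid"], "host": m["host"], "ip": m["ip"], "attempts": []}
            continue
        m = MKD_RE.search(line)
        if m and m["pid"] in sessions:
            sessions[m["pid"]]["attempts"].append(m["path"])
            continue
        m = CLOSE_RE.search(line)
        if m:
            finalize(m["pid"])
    for pid in list(sessions):  # sessions still open at end of log
        finalize(pid)
    return findings


if __name__ == "__main__":
    for hit in find_probe_sessions(SAMPLE_LOG):
        print(f"probe from {hit['ip']} ({hit['host']}), pid {hit['pid']}:")
        for path, stamp in zip(hit["attempts"], hit["stamps"]):
            print(f"  MKD {path}  (remote clock: {stamp:%Y-%m-%d %H:%M:%S})")
```

The decoded remote clock is the useful by-product: comparing it with the local log timestamp (22:10 remote against 04:37 local in the quoted excerpt) gives a rough time-zone offset for the probing host, which is one more data point alongside the TTL and window-size hints Sean mentions.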
Current thread:
- What's the tool? Sean Brown (Mar 20)
- Re: What's the tool? Krister (Mar 20)
- Re: What's the tool? H C (Mar 20)
- <Possible follow-ups>
- Re: What's the tool? gattaca (Mar 21)
- Re: What's the tool? Greg Owen (Mar 21)