Security Incidents mailing list archives

Re: What's the tool?


From: gattaca () HUSHMAIL COM
Date: Tue, 20 Mar 2001 17:36:26 -0600

Just today I encountered this very incident. Mine originated from a university
in Georgia however. Sorry I can't be of more help. Any insight would be
appreciated.

gattaca

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Sean Brown
Sent: Tuesday, March 20, 2001 10:32 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: What's the tool?


Greetings,
I've been seeing a number of, apparently, automated scans for FTP.  When
an FTP site is found, the tool logs on anonymously and attempts to
create a directory in a couple of different places.  If unsuccessful, it
logs off.   The directory it tries to create is named for the date/time
of the probe, i.e. 010320101054p for March 20, 2001, 10:10:54pm.  Below
are some log excerpts showing the probe.  All it appears to be doing is
looking for upload capabilities on anonymous FTP sites (future warez
locations?).  The source locations for the probes hitting me have been
France and Germany.  IP header signatures indicate that the tool may be
Windows based.

Does anyone know what this tool is?

Log Entries:
============
Mar 20 04:37:49 62.226.81.91:3174 -> x.y.z.195:21 SYN ******S*
Mar 20 04:37:49 62.226.81.91:3179 -> x.y.z.200:21 SYN ******S*
<--snip-->

Snort IDS excerpt:
[**] FTP SYN probe [**]
03/20-04:37:46.411833 0:60:1D:20:F7:5F -> 0:50:4:B0:A:74 type:0x800
len:0x42
62.226.81.91:3174 -> x.y.z.195:21 TCP TTL:115 TOS:0x0 ID:580
IpLen:20 DgmLen:52 DF
******S* Seq: 0xD3755505  Ack: 0x0  Win: 0xFF3C  TcpLen: 32
TCP Options (6) => MSS: 536 NOP WS: 2 NOP NOP SackOK

[**] FTP SYN probe [**]
03/20-04:37:46.664004 0:60:1D:20:F7:5F -> 0:50:4:B0:A:74 type:0x800
len:0x42
62.226.81.91:3179 -> x.y.z.200:21 TCP TTL:115 TOS:0x0 ID:591
IpLen:20 DgmLen:52 DF
******S* Seq: 0xD37ABB42  Ack: 0x0  Win: 0xFF3C  TcpLen: 32
TCP Options (6) => MSS: 536 NOP WS: 2 NOP NOP SackOK

Activity log excerpt:
Mar 20 04:37:53 <my_site> ftpd[12992]: ANONYMOUS FTP LOGIN FROM
p3EE2515B.dip.t-dialin.net [62.226.81.91], guest () here com
Mar 20 04:37:55 <my_site> ftpd[12992]: anonymous(guest () here com) of
p3EE2515B.dip.t-dialin.net [62.226.81.91] tried to create directory
/home/ftp/pub/010320101054p
Mar 20 04:37:56 <my_site> ftpd[12992]: anonymous(guest () here com) of
p3EE2515B.dip.t-dialin.net [62.226.81.91] tried to create directory
/home/ftp/010320101055p
Mar 20 04:37:57 <my_site> ftpd[12992]: FTP session closed

Thanks,
Sean
--
~~~~~~~~~~~~~~~
Sean R. Brown - srbrown () appgeo com
System Administrator   Applied Geographics, Inc.   Boston, MA


Free, encrypted, secure Web-based email at www.hushmail.com
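Sean's ftpd excerpt above is enough to build a small detector for this probe pattern. The script below is an added example, not code from either poster: it correlates ftpd syslog lines by PID, reports any anonymous session that attempted to create a directory, and decodes the YYMMDDHHMMSS plus a/p directory name (010320101054p = 20 Mar 2001, 10:10:54 pm, as Sean explains) into the timestamp it encodes. The function names (detect_mkdir_probes, is_timestamp_dirname, decode_probe_stamp) are my own. The sample log is constructed from the excerpt: <my_site> is written as ftphost, the archive's obfuscated "guest () here com" as guest@here.com, and a benign control session from 192.0.2.10 that only logs in is added. Reading the two-digit year as 20YY and the treatment of 12am/12pm are assumptions, since the post only shows a 10pm example.

```python
import re
from datetime import datetime
from os.path import basename

# Constructed sample lines modelled on the ftpd excerpt in the post. The first
# four reproduce the probe; the 192.0.2.10 session is a constructed benign
# control that logs in anonymously and leaves without trying anything.
SAMPLE_LOG = """\
Mar 20 04:37:53 ftphost ftpd[12992]: ANONYMOUS FTP LOGIN FROM p3EE2515B.dip.t-dialin.net [62.226.81.91], guest@here.com
Mar 20 04:37:55 ftphost ftpd[12992]: anonymous(guest@here.com) of p3EE2515B.dip.t-dialin.net [62.226.81.91] tried to create directory /home/ftp/pub/010320101054p
Mar 20 04:37:56 ftphost ftpd[12992]: anonymous(guest@here.com) of p3EE2515B.dip.t-dialin.net [62.226.81.91] tried to create directory /home/ftp/010320101055p
Mar 20 04:37:57 ftphost ftpd[12992]: FTP session closed
Mar 20 05:12:01 ftphost ftpd[13010]: ANONYMOUS FTP LOGIN FROM mirror.example.net [192.0.2.10], mozilla@
Mar 20 05:12:09 ftphost ftpd[13010]: FTP session closed
"""

# Line shapes taken from the excerpt; the PID in ftpd[NNN] ties a session's lines together.
LOGIN_RE = re.compile(r"ftpd\[(?P<pid>\d+)\]: ANONYMOUS FTP LOGIN FROM (?P<host>\S+) \[(?P<ip>[\d.]+)\]")
MKDIR_RE = re.compile(r"ftpd\[(?P<pid>\d+)\]: anonymous\(.*?\) of \S+ \[(?P<ip>[\d.]+)\] tried to create directory (?P<path>\S+)")
CLOSE_RE = re.compile(r"ftpd\[(?P<pid>\d+)\]: FTP session closed")

# The probe names its directory YYMMDDHHMMSS followed by a/p for the half of the
# day, e.g. 010320101054p = 20 Mar 2001, 10:10:54 pm.
STAMP_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})([ap])$")


def is_timestamp_dirname(name):
    """True if a directory name has the probe's date/time shape."""
    return STAMP_RE.match(name) is not None


def decode_probe_stamp(name):
    """Return the datetime a probe directory name encodes, or None.

    Assumptions: the two-digit year means 20YY and a/p is a 12-hour marker
    (12am -> 00, 12pm -> 12). The stamp comes from the scanner's own clock,
    so it need not agree with the server's syslog time (04:37 vs 10:10 pm above).
    """
    m = STAMP_RE.match(name)
    if not m:
        return None
    yy, mo, dd, hh, mi, ss, half = m.groups()
    hour = int(hh) % 12 + (12 if half == "p" else 0)
    try:
        return datetime(2000 + int(yy), int(mo), int(dd), hour, int(mi), int(ss))
    except ValueError:  # right shape but impossible date, e.g. month 13
        return None


def detect_mkdir_probes(log_text):
    """Correlate ftpd lines by PID; report anonymous sessions that tried a mkdir.

    Each finding records the source, every attempted path, and whether any
    name carried the probe's timestamp shape.
    """
    open_sessions = {}
    findings = []

    def close(pid):
        sess = open_sessions.pop(pid, None)
        if sess and sess["attempts"]:
            sess["timestamp_named"] = any(is_timestamp_dirname(basename(p)) for p in sess["attempts"])
            findings.append(sess)

    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            close(m["pid"])  # PIDs are reused; finalize any stale record first
            open_sessions[m["pid"]] = {"pid": m["pid"], "host": m["host"], "ip": m["ip"], "attempts": []}
            continue
        m = MKDIR_RE.search(line)
        if m:  # a mkdir without a seen login (log rotation) still gets a record
            sess = open_sessions.setdefault(m["pid"], {"pid": m["pid"], "host": "?", "ip": m["ip"], "attempts": []})
            sess["attempts"].append(m["path"])
            continue
        m = CLOSE_RE.search(line)
        if m:
            close(m["pid"])

    for pid in list(open_sessions):  # sessions still open at end of log
        close(pid)
    return findings


if __name__ == "__main__":
    for f in detect_mkdir_probes(SAMPLE_LOG):
        stamps = [decode_probe_stamp(basename(p)) for p in f["attempts"]]
        print(f"{f['ip']} ({f['host']}) pid {f['pid']}: {len(f['attempts'])} mkdir attempt(s), "
              f"timestamp-named={f['timestamp_named']}, stamps={stamps}")
```

Feed detect_mkdir_probes the text of your ftpd log: on a site that does not allow anonymous uploads, any anonymous mkdir attempt is worth a look, and a timestamp-shaped name is the signature Sean describes. Since the probe is testing exactly whether anonymous users can create directories, the "tried to create directory" lines are also a handy confirmation that the ftpd configuration is denying it.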
