[Dshield] Top 10 honoree with a fondness for FTP (warez anyone?)

Ken McKinlay ken.mckinlay at dy4.com
Fri Oct 19 20:34:33 GMT 2001


The tool used appears to be Grim's Ping (http://grimsping.cjb.net/). I just
tested out v1.7.3 and it has that user signature. Also, it may attempt to
create files with the name format of yymmddHHMMSS[a|p]. This is basically
the time of the host performing the scan.

In previous versions, this tool used anonymous/guest at here.com but I think
too many FTP administrators clued in and explicitly blocked that pairing. So
now the program uses the @home.com domain since who would block a major ISP
like @Home?

Ken McKinlay, GCIA
Network Security
Dy 4 Systems
613-599-9199 x506 
ken.mckinlay at dy4.com



> -----Original Message-----
> From: drs. P.B. IJdens [mailto:p.b.ijdens at nospam.mi4.org.uk]
> Sent: Friday, October 19, 2001 12:00
> To: dshield at dshield.org
> Subject: Re: [Dshield] Top 10 honoree with a fondness for FTP (warez
> anyone?)
> 
> 
> "Tom Laermans" wrote:
> > T-Dialin users come in regularly too, but not as much as that Wanadoo
> > user(s)...
> 
> Different here. We run a block of 10 ftp servers, and automatically filter
> out suspicious connects.
> 
> What I noticed is that t-online.de is by far our most frequent 'visitor'...
> I attached a small html document with recent suspicious activity.
> 
> Top 5:
>   1: t-dialin.net          (302 attempts, 30 hosts)
>   2: unresolved            (280 attempts)
>   3: wanadoo.fr            (40 attempts, from 10 hosts)
>   4: aol.com               (30 attempts, from 3 hosts)
>   5: telia.com             (20 attempts from 1 host)
> 
> Mostly these people try to login as anonymous at microsoft.com,
> anonymous at home.com, [Q-Z]gpuser at home.com, etc. Usually the creativity
> of these scanning programs goes as far as logging in, noticing a stable
> version of the server and logging out. Some try more (like the regexp stuff).
> 
> I am considering dropping the server ID at connect just to see what the hell
> people are thinking of when they check us out :)
> 
> If anyone knows what the [Q-Z]gpuser at home.com thing is about (by far the
> most popular) let me know.
> 
> Below is a random log entry (found on all ten servers)
> 217.8.145.170 [217.8.145.170] UNKNOWN nobody
>     [15/Oct/2001:14:59:27 +0200] "USER ftp" 331 -
>     [15/Oct/2001:14:59:27 +0200] "PASS mozilla@" 230 -
>     [15/Oct/2001:14:59:28 +0200] "SITE EXEC %020d|%.f%.f|" 500 -
> 
> 
> 
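Added example, not part of this thread and not code from Grim's Ping or from any
of the posters: a small Python scanner that applies the indicators named above to
FTP transfer-log lines in the same layout as the entry quoted by P.B. IJdens (one
session line, then indented "command" status lines). The sample log below is
constructed; the first session copies the quoted entry, the other two use
documentation addresses (192.0.2.x) and were invented to exercise each rule. The
12-digit-plus-a/p filename rule follows Ken's description of the tool's write
test; the "SITE EXEC" rule is a generic check for printf-style specifiers, not a
signature for any particular server.

```python
import re
from collections import defaultdict

# Constructed sample log. Session 1 is the entry quoted in the thread; sessions 2
# and 3 are invented (documentation IPs) to trigger / not trigger the rules.
SAMPLE_LOG = """\
217.8.145.170 [217.8.145.170] UNKNOWN nobody
    [15/Oct/2001:14:59:27 +0200] "USER ftp" 331 -
    [15/Oct/2001:14:59:27 +0200] "PASS mozilla@" 230 -
    [15/Oct/2001:14:59:28 +0200] "SITE EXEC %020d|%.f%.f|" 500 -
192.0.2.10 [192.0.2.10] UNKNOWN nobody
    [19/Oct/2001:20:31:02 +0200] "USER anonymous" 331 -
    [19/Oct/2001:20:31:02 +0200] "PASS Xgpuser@home.com" 230 -
    [19/Oct/2001:20:31:03 +0200] "CWD /incoming" 250 -
    [19/Oct/2001:20:31:04 +0200] "STOR 011019083104p" 226 -
192.0.2.11 [192.0.2.11] UNKNOWN nobody
    [19/Oct/2001:20:40:00 +0200] "USER anonymous" 331 -
    [19/Oct/2001:20:40:00 +0200] "PASS someone@example.net" 230 -
    [19/Oct/2001:20:40:01 +0200] "RETR README" 226 -
"""

# Session header: "<host> [<ip>] ..." at column 0; command lines are indented.
SESSION_RE = re.compile(r'^(\S+) \[')
CMD_RE = re.compile(r'^\s+\[[^\]]+\] "(\S+)(?: ([^"]*))?" (\d{3})')

# Indicators taken from the thread: the [Q-Z]gpuser@home.com password, the
# @home.com / @here.com domains the tool has used, and the yymmddHHMMSS[a|p]
# file the tool writes to test for a writable directory (assumed to arrive via
# STOR or MKD). FMT_RE is a generic printf-specifier check for SITE EXEC.
GPUSER_RE = re.compile(r'^[q-z]gpuser@home\.com$', re.I)
SCANNER_DOMAIN_RE = re.compile(r'@(home|here)\.com$', re.I)
PROBE_NAME_RE = re.compile(r'^\d{12}[ap]$', re.I)
FMT_RE = re.compile(r'%[-+ 0#]*\d*(?:\.\d+)?[diouxXeEfgGcspn]')

ANON_USERS = {'anonymous', 'ftp'}


def classify(cmd, arg, user):
    """Return a tag for one command line, or None if nothing matched."""
    if cmd == 'PASS' and user in ANON_USERS:
        if GPUSER_RE.match(arg):
            return 'gpuser_signature'
        if SCANNER_DOMAIN_RE.search(arg):
            return 'scanner_domain'
    elif cmd in ('STOR', 'MKD') and PROBE_NAME_RE.match(arg):
        return 'timestamp_write_test'
    elif cmd == 'SITE' and arg.upper().startswith('EXEC') and FMT_RE.search(arg):
        return 'format_string_probe'
    return None


def scan(log_text):
    """Map each session host to the ordered, de-duplicated tags it triggered."""
    hits = defaultdict(list)
    host, user = None, None
    for line in log_text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            host, user = m.group(1), None   # new session, forget previous USER
            continue
        m = CMD_RE.match(line)
        if not m or host is None:
            continue
        cmd, arg = m.group(1).upper(), m.group(2) or ''
        if cmd == 'USER':
            user = arg.lower()               # remembered so PASS rules can key on it
        tag = classify(cmd, arg, user)
        if tag and tag not in hits[host]:
            hits[host].append(tag)
    return dict(hits)


if __name__ == '__main__':
    for h, tags in scan(SAMPLE_LOG).items():
        print(h, ', '.join(tags))
```

The two behavioural rules (the timestamp-named upload and the specifier-laden SITE
EXEC) survive the credential change Ken describes, whereas a rule keyed only on
guest@here.com stopped firing as soon as the tool moved to @home.com; treat the
domain rule as a hint, since that domain also belonged to a large ISP.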