[NTLUG:Discuss] FTP Server Activity...
JR Newsletters
jrnewsletters at jcrcomputing.com
Thu Jul 25 19:47:10 CDT 2002
FYI,
I found out what this activity is. It is generated from a program
called Grim's Ping. The homepage is:
http://grimsping.cjb.net/
I am downloading the 'tutorial' so I can see what this tool does, and
what is the best defense for it.
From the Website:
*Requirements*
one of the following:
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
*Features*
* Scan specified ports, using a proxy if you wish
* Ping 24.4.4.x IP range
* Host lookup
* Perform "Pub Find" on an infinite number of IP ranges
* Log wingate engines found, in addition to FTPs
* Wingate usage to protect privacy
* Built in FTP client
* Log or print scan results
* Check write and delete permissions
* Check OS type and FXP/Resume capabilities
* Record speed
* Modify queue to reflect your scanning processes
* Import queue lists from other popular scanning utilities
* Autosave queue
* Many configurable options
It is a Visual Basic tool.
They claim it is supposed to be a security tool, but it appears to me
that it is being used for some other dubious things.
I know, probably old news to a lot of you already.
----------------------------------
JR Newsletters wrote:
> Hi,
>
> I'm just wondering if any of you running FTP sites are seeing the type
> of activity that is shown in my FTP logs (paranoid.log from ProFTPD):
>
> lns08a-7-201.w.club-internet.fr UNKNOWN nobody [22/Jul/2002:06:01:47 -0500] "USER anonymous" 331 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "PASS Ngpuser@home.com" 230 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "CWD /pub/" 250 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "MKD 020722115855p" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "CWD /public/incoming/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /incoming/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /pub/incoming/" 250 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "MKD 020722115856p" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /upload/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:52 -0500] "CWD /in/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:52 -0500] "CWD /" 250 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:52 -0500] "MKD 020722115857p" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:52 -0500] "CWD /_vti_pvt/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /_vti_txt/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /_vti_log/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /wwwroot/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /anonymous/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /public/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:54 -0500] "CWD /outgoing/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:54 -0500] "CWD /temp/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:54 -0500] "CWD /tmp/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:54 -0500] "CWD /anonymous/_vti_pvt/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:55 -0500] "CWD /anonymous/incoming/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:55 -0500] "CWD /mailroot/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:55 -0500] "CWD /ftproot/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:55 -0500] "CWD /anonymous/pub/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:56 -0500] "CWD /_vti_cnf/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:56 -0500] "CWD /images/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:56 -0500] "CWD /_private/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:56 -0500] "CWD /cgi-bin/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:57 -0500] "CWD /cgibin/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:57 -0500] "CWD /usr/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:57 -0500] "CWD /usr/incoming/" 550 -
> lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:57 -0500] "CWD /home/" 550 -
>
> So far I've been seeing this activity from verizon.net, and also from
> some French, Belgian, and German ISP accounts. The interesting thing
> is the anonymous password is always Xgpuser@home.com where the X
> changes to different letters from different accounts. So far, I've
> sent abuse reports to these ISPs whose accounts have been used, but I
> think it is a losing battle. Thank goodness I'm running ProFTPD and
> it has been forbidding these accounts from logging in anonymously when
> added to my deny list, and it has done a very good job keeping users
> in only those directories set up for anonymous users, as well as
> preventing them from creating any new directories on the hard disk.
> I've also occasionally been fielding bounce attacks, which ProFTPD has also
> been preventing (bounce attacks are people trying to download files
> from other FTP sites via my ftp site).
>
> So, has anybody else seen this type of activity (This sure looks like
> a cracker running a universal script to allocate a hidden warez site)?
> Any other suggestions as to what else I can do to prevent this (other
> than putting these sites in my deny list and contacting the ISPs)?
>
> Thanks.
>
> PS: Yes, I am deliberately running an Anonymous FTP site.
>
> _______________________________________________
> http://www.ntlug.org/mailman/listinfo/discuss
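The protections the poster credits ProFTPD with (anonymous users kept inside their own tree, directory creation refused, bounce attacks blocked) correspond to standard ProFTPD directives. The fragment below is an added illustration, not the poster's configuration or anything from the Grim's Ping site; the ~ftp home directory, the upload-only "incoming" drop box, the client limit and the log path are assumptions.

```apache
# Anonymous area: read-only everywhere, upload-only in "incoming" (assumed layout)
<Anonymous ~ftp>
  User              ftp
  Group             ftp
  UserAlias         anonymous ftp
  RequireValidShell off
  MaxClients        10

  # Deny every write-class command (STOR, MKD, DELE, RNTO, ...) to anonymous users.
  # A scanner's "MKD 020722115855p" then gets the 550 seen in the post's log.
  <Limit WRITE>
    DenyAll
  </Limit>

  # Drop box: uploads allowed, but nothing can be read back or created as a
  # directory, so the box cannot be turned into a browsable warez tree.
  <Directory incoming>
    <Limit READ WRITE>
      DenyAll
    </Limit>
    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
</Anonymous>

# A PORT command must name the connecting client's own address; with this off
# (the default) the server refuses to open data connections to third parties,
# which is what stops FTP bounce / FXP relaying through this host.
AllowForeignAddress off

# Record every command in the format the post's paranoid.log uses
LogFormat   default "%h %l %u %t \"%r\" %s %b"
ExtendedLog /var/log/proftpd/paranoid.log ALL default
```

The `<Limit WRITE>` block is the control that matters against this scanner: Grim's Ping is only interested in hosts where MKD succeeds, and a site that answers 550 to every write is logged by the tool but not used. Keep `AllowForeignAddress` at its default; turning it on to accommodate an FXP-using user re-enables exactly the bounce traffic the poster is seeing.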
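The session in the post is regular enough to detect mechanically: an anonymous login whose password is one letter followed by gpuser@home.com (the list archive renders the @ as " at "), a walk through a fixed list of directory names, and an MKD with a YYMMDDHHMMSS-plus-"p" name in every directory that exists. The detector below is an added example, not code from the post, from ProFTPD or from Grim's Ping. It parses ProFTPD's "default" ExtendedLog format (%h %l %u %t "%r" %s %b), which is what the quoted lines are in. The sample log is constructed: the first session copies records from the post, while the other two (a normal mirror fetch from "mirror.example.net" and a scan from "203.0.113.7" that reaches a directory where MKD returns 257) are made up to show the benign and the worst case. The 60-second window and the min_dirs threshold are assumptions to tune against your own traffic.

```python
import posixpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One ProFTPD ExtendedLog record in the "default" LogFormat: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<cmd>[A-Za-z]+)(?: (?P<arg>[^"]*))?" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
GPUSER_RE = re.compile(r"^[A-Za-z]gpuser@home\.com$")  # anonymous PASS value seen in the post
PROBE_MKD_RE = re.compile(r"^\d{12}p$")                # YYMMDDHHMMSS + "p": the MKD probe names
# Directories the scanner walked in the post's log (trailing slash stripped)
PUB_SCAN_DIRS = {
    "/pub", "/public/incoming", "/incoming", "/pub/incoming", "/upload", "/in",
    "/_vti_pvt", "/_vti_txt", "/_vti_log", "/wwwroot", "/anonymous", "/public",
    "/outgoing", "/temp", "/tmp", "/anonymous/_vti_pvt", "/anonymous/incoming",
    "/mailroot", "/ftproot", "/anonymous/pub", "/_vti_cnf", "/images",
    "/_private", "/cgi-bin", "/cgibin", "/usr", "/usr/incoming", "/home",
}

# Constructed sample: first session copied from the post, the other two are made up
# (mirror.example.net is a normal client; 203.0.113.7 is a scan that finds a writable dir).
SAMPLE_LOG = """\
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "PASS Ngpuser@home.com" 230 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "CWD /pub/" 250 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "MKD 020722115855p" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:50 -0500] "CWD /public/incoming/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /incoming/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /pub/incoming/" 250 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "MKD 020722115856p" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:51 -0500] "CWD /upload/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:52 -0500] "CWD /in/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:52 -0500] "CWD /_vti_pvt/" 550 -
lns08a-7-201.w.club-internet.fr UNKNOWN ftp [22/Jul/2002:06:01:53 -0500] "CWD /wwwroot/" 550 -
mirror.example.net UNKNOWN ftp [22/Jul/2002:07:10:02 -0500] "PASS mirror@example.net" 230 -
mirror.example.net UNKNOWN ftp [22/Jul/2002:07:10:03 -0500] "CWD /pub/" 250 -
mirror.example.net UNKNOWN ftp [22/Jul/2002:07:10:05 -0500] "RETR README" 226 4096
203.0.113.7 UNKNOWN ftp [23/Jul/2002:01:15:01 -0500] "PASS Qgpuser@home.com" 230 -
203.0.113.7 UNKNOWN ftp [23/Jul/2002:01:15:02 -0500] "CWD /pub/incoming/" 250 -
203.0.113.7 UNKNOWN ftp [23/Jul/2002:01:15:02 -0500] "MKD 020723011502p" 257 -
"""


def parse_line(line):
    """Return one record as a dict, or None if the line is not in the default format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["cmd"] = rec["cmd"].upper()
    rec["arg"] = rec["arg"] or ""
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(lines, window=timedelta(seconds=60), min_dirs=6):
    """Per-host verdict: gpuser password, timestamp-named MKD probes, bursts of CWDs into
    the scanner's wordlist, and the directories where an MKD actually succeeded (257)."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_host[rec["host"]].append(rec)
    report = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["time"])
        gpuser, probes, writable, cwd, hits = False, 0, [], "/", []
        for r in recs:
            if r["cmd"] == "PASS" and GPUSER_RE.match(r["arg"]):
                gpuser = True
            elif r["cmd"] == "CWD":
                target = posixpath.normpath(posixpath.join(cwd, r["arg"] or "."))
                if target in PUB_SCAN_DIRS:
                    hits.append((r["time"], target))
                if r["status"] == "250":       # only a successful CWD moves the cwd
                    cwd = target
            elif r["cmd"] == "MKD":
                if PROBE_MKD_RE.match(r["arg"]):
                    probes += 1
                if r["status"] == "257":       # directory created: anonymous can write here
                    writable.append(cwd)
        # Largest number of distinct wordlist directories tried inside one window
        burst = max((len({d for t, d in hits[i:] if t - t0 <= window})
                     for i, (t0, _) in enumerate(hits)), default=0)
        report[host] = {
            "gpuser_password": gpuser,
            "probe_mkd": probes,
            "writable_dirs": writable,
            "dir_burst": burst,
            "pub_scan": gpuser or probes > 0 or burst >= min_dirs,
        }
    return report


def pub_scan_hosts(lines):
    """Hosts worth adding to the deny list or reporting to their ISP."""
    return sorted(h for h, v in analyse(lines).items() if v["pub_scan"])
```

To run it over a real file, call `analyse(open("paranoid.log").read().splitlines())`. The field to act on first is `writable_dirs`: a 257 means the scanner's MKD worked and that directory is now a candidate drop site, so list it for probe-named subdirectories before doing anything else. The password match on its own is weak evidence, since the string is chosen by the client and trivially changed; the CWD burst and the MKD naming pattern survive a password change and are the signals to keep.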