Security Incidents: Re: [incident] IIS defacement through FTP, possible DoS

From: Michael Katz <mike_at_procinct.com>
Date: Wed, 05 Jun 2002 11:56:58 -0700

At 6/5/2002 01:40 AM, Iain Craig wrote:
>Was wondering if anyone is aware of an IIS FTP server exploit that allows
>an attacker the read/write access of a single given legitimate user's
>folders and also zeroes the log file?

<snip>

>There was a LOT of those, all very fast like a DoS attempt. Other
>usernames I was seeing in a similar DoS fashion from the same time and IP
>were Ogpuser_at_home.com, Kgpuser_at_home.com, and Lgpuser_at_home.com
>
>Anyone know of a kiddie tool that uses these names?

According to this message
(http://archives.neohapsis.com/archives/snort/2002-04/0447.html):

"This is the signature of Grim's Ping- a scanning tool that looks for FTP
servers with directories that anonymous users can write to (In other words-
new warez sites). The tool logs in as anonymous and authenticates with
Xgpuser_at_home.com (where X is any uppercase letter). It tries to find and
write to commonly used FTP directories and reports successes to the attacker."

The tool can be downloaded from http://grimsping.cjb.net/.

Michael Katz
mike_at_procinct.com
Procinct Security

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Received on Jun 05 2002
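
A log check for the signature described in the message above, as an added example that is not part of the original post or thread. It assumes an FTP log in the IIS W3C style (`time c-ip cs-method cs-uri-stem sc-status`), treats `_at_` as the archive's obfuscation of `@`, and uses constructed sample lines; `find_scanner_hits` is a hypothetical name.

```python
import re

# Constructed sample log lines (documentation IP ranges), not taken from the incident.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
01:40:11 192.0.2.10 [1]USER anonymous 331
01:40:11 192.0.2.10 [1]PASS Ogpuser@home.com 230
01:40:11 192.0.2.10 [1]MKD /incoming/test 550
01:40:12 192.0.2.10 [2]USER anonymous 331
01:40:12 192.0.2.10 [2]PASS Kgpuser@home.com 230
01:40:12 192.0.2.10 [3]USER anonymous 331
01:40:12 192.0.2.10 [3]PASS Lgpuser@home.com 230
01:40:13 192.0.2.10 [3]MKD /pub/test 257
02:15:40 198.51.100.7 [4]USER anonymous 331
02:15:41 198.51.100.7 [4]PASS mozilla@example.com 230
02:15:42 198.51.100.7 [4]RETR /pub/readme.txt 226
"""

# Anonymous "password" of the form Xgpuser@home.com, X = any uppercase letter.
PASS_RE = re.compile(r"^[A-Z]gpuser(?:@|_at_)home\.com$")
# time, client IP, [session id]command, argument, three-digit reply code
LINE_RE = re.compile(r"^(\S+) (\S+) \[(\d+)\](\S+) (\S+) (\d{3})$")
WRITE_CMDS = {"MKD", "STOR"}


def find_scanner_hits(log_text):
    """Return {ip: {"logins": n, "writes": [paths]}} for sources matching the signature.

    "writes" lists paths where a write command succeeded (2xx reply) in a
    session that logged in with the signature password, i.e. directories
    that anonymous users can write to and that need their ACLs fixed.
    """
    flagged_sessions = set()
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skips the #Fields header and malformed lines
        _time, ip, session, method, arg, status = m.groups()
        key = (ip, session)
        if method == "PASS" and PASS_RE.match(arg):
            flagged_sessions.add(key)
            hits.setdefault(ip, {"logins": 0, "writes": []})["logins"] += 1
        elif key in flagged_sessions and method in WRITE_CMDS and status.startswith("2"):
            hits[ip]["writes"].append(arg)
    return hits
```

Any path returned under `writes` is a directory the anonymous account could write to at the time of the scan.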
