SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-02-01

New FTP Brute Force? - German publisher DOSed

Published: 2005-02-01
Last Updated: 2005-02-01 16:40:59 UTC
by Chris Carboni (Version: 1)
0 comment(s)
New FTP Brute Force?


One of our readers (thanks Dan!) told us about some unusual traffic to his FTP server.


I've received some strange traffic on my FTP server in the last few days, or at least this is the first time I've noticed this traffic.



I'm running [OS DELETED], last patched within the week, and I've got my directories locked for outside writing. Evidently some program is attempting to connect to the server and create a directory. I say it's a program because it's polling for a particular set of directories including /wwwroot/ and /wwwhtml/ by using the 'CWD' command. If it receives a response of 'command successful', it then tries to create a directory using the 'MKD' command.



The last series looked for 38 different directories and found /pub/, /usr/, and /. In each of these, it tried to create a directory using 'MKD', but only after a reply of success to the CWD command. The exchange took less than ten seconds to complete.



The two attempts were evidently from different sources; at least they had different name resolutions.



The server had permissions locked down to prevent a successful compromise or inappropriate use by anyone using this particular malware. While I have broadband, my router is only forwarding unsolicited traffic designated for port 21 of the server address. Updated patching and port/ip router are the only protections currently employed for this server, and no filtering is being applied at the router. I am monitoring traffic using Ethereal, however.



The attack looks like this:



USER anonymous
331 Guest login ok, type your name as password.
PASS Zgpuser@home.com
230 Guest login ok, access restrictions apply.
CWD /pub/
250 CWD command successful.
MKD 050131161412p
550 050131161412p: Permission denied.
CWD /public/
550 /public/: No such file or directory.
CWD /pub/incoming/
550 /pub/incoming/: No such file or directory.
CWD /incoming/
550 /incoming/: No such file or directory.
CWD /_vti_pvt/
550 /_vti_pvt/: No such file or directory.
CWD /
250 CWD command successful.
MKD 050131161414p
550 050131161414p: Permission denied.
CWD /upload/
550 /upload/: No such file or directory.
CWD /_vti_txt/
550 /_vti_txt/: No such file or directory.
CWD /_vti_cfg/
550 /_vti_cfg/: No such file or directory.
CWD /_vti_log/
550 /_vti_log/: No such file or directory.
CWD /_vti_cnf/
550 /_vti_cnf/: No such file or directory.
CWD /_private/
550 /_private/: No such file or directory.
CWD /public/incoming/
550 /public/incoming/: No such file or directory.
CWD /public_html/
550 /public_html/: No such file or directory.
CWD /wwwroot/
550 /wwwroot/: No such file or directory.
CWD /mailroot/
550 /mailroot/: No such file or directory.
CWD /ftproot/
550 /ftproot/: No such file or directory.
CWD /home/
550 /home/: No such file or directory.
CWD /images/
550 /images/: No such file or directory.
CWD /web/
550 /web/: No such file or directory.
CWD /www/
550 /www/: No such file or directory.
CWD /html/
550 /html/: No such file or directory.
CWD /cgi-bin/
550 /cgi-bin/: No such file or directory.
CWD /usr/
250 CWD command successful.
MKD 050131161417p
550 050131161417p: Permission denied.
CWD /usr/incoming/
550 /usr/incoming/: No such file or directory.
CWD /temp/
550 /temp/: No such file or directory.
CWD /~temp/
550 ~temp: No such file or directory.
CWD /tmp/
550 /tmp/: No such file or directory.
CWD /~tmp/
550 ~tmp: No such file or directory.
CWD /outgoing/
550 /outgoing/: No such file or directory.
CWD /anonymous/
550 /anonymous/: No such file or directory.
CWD /anonymous/_vti_pvt/
550 /anonymous/_vti_pvt/: No such file or directory.
CWD /anonymous/_vti_cnf/
550 /anonymous/_vti_cnf/: No such file or directory.
CWD /anonymous/incoming/
550 /anonymous/incoming/: No such file or directory.
CWD /anonymous/pub/
550 /anonymous/pub/: No such file or directory.
CWD /anonymous/public/
550 /anonymous/public/: No such file or directory.
CWD / /
550 / /: No such file or directory.
CWD / /
550 / /: No such file or directory.
221 You could at least say goodbye.



A reader from New Zealand dropped us a note and mentioned that this is the work of a known FTP scanner, Grim's ping. Thanks for the note Simon!
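The behaviour Dan describes (walk a canned directory list with CWD, issue MKD only where CWD returned 250) is easy to pick out of a control-channel transcript. As an added example, not part of the diary and not Dan's tooling, the Python below pairs each client command with the server reply that follows it and flags a session that probes many directories, mostly hitting 550, and follows every successful CWD with an MKD. The two sample sessions are constructed: the first is an abbreviated copy of the quoted exchange, the second a normal anonymous login for comparison. The thresholds in `is_directory_probe` are assumptions to tune for your own server's traffic.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an abbreviated copy of the control-channel exchange
# quoted in the diary, with client commands and server replies one per line.
SCAN_SESSION = """\
USER anonymous
331 Guest login ok, type your name as password.
PASS Zgpuser@home.com
230 Guest login ok, access restrictions apply.
CWD /pub/
250 CWD command successful.
MKD 050131161412p
550 050131161412p: Permission denied.
CWD /public/
550 /public/: No such file or directory.
CWD /incoming/
550 /incoming/: No such file or directory.
CWD /_vti_pvt/
550 /_vti_pvt/: No such file or directory.
CWD /
250 CWD command successful.
MKD 050131161414p
550 050131161414p: Permission denied.
CWD /wwwroot/
550 /wwwroot/: No such file or directory.
CWD /usr/
250 CWD command successful.
MKD 050131161417p
550 050131161417p: Permission denied.
CWD /tmp/
550 /tmp/: No such file or directory.
221 You could at least say goodbye.
"""

# Constructed benign session for comparison: log in, one CWD, leave.
NORMAL_SESSION = """\
USER anonymous
331 Guest login ok, type your name as password.
PASS user@example.com
230 Guest login ok, access restrictions apply.
CWD /pub/
250 CWD command successful.
QUIT
221 Goodbye.
"""

# A server reply starts with a three-digit code; "-" marks a multi-line reply.
REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")


@dataclass
class SessionStats:
    cwd_attempts: int = 0
    cwd_failures: int = 0
    reachable_dirs: list = field(default_factory=list)  # CWD answered 2xx
    mkd_after_cwd_ok: int = 0   # MKD sent directly after a successful CWD
    mkd_denied: int = 0         # MKD refused by the server (5xx)


def parse_session(text: str) -> SessionStats:
    """Pair each client command with the server reply that follows it."""
    stats = SessionStats()
    pending = None        # (verb, argument) of the command awaiting a reply
    last_cwd_ok = False   # True only directly after a CWD that got a 2xx reply
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = REPLY_RE.match(line)
        if m is None:                       # client command, remember it
            verb, _, arg = line.partition(" ")
            pending = (verb.upper(), arg)
            continue
        if pending is None:                 # greeting or continuation line
            continue
        code, (verb, arg) = int(m.group(1)), pending
        if verb == "CWD":
            ok = 200 <= code < 300
            stats.cwd_attempts += 1
            stats.cwd_failures += int(not ok)
            if ok:
                stats.reachable_dirs.append(arg)
            last_cwd_ok = ok
        else:
            if verb == "MKD":
                stats.mkd_after_cwd_ok += int(last_cwd_ok)
                stats.mkd_denied += int(code >= 500)
            last_cwd_ok = False
        pending = None
    return stats


def is_directory_probe(stats: SessionStats, min_cwd: int = 8,
                       min_fail_ratio: float = 0.6) -> bool:
    """Many CWDs from a canned list, mostly 550, plus MKD after each 250."""
    if stats.cwd_attempts < min_cwd:
        return False
    fail_ratio = stats.cwd_failures / stats.cwd_attempts
    return fail_ratio >= min_fail_ratio and stats.mkd_after_cwd_ok > 0


if __name__ == "__main__":
    for name, text in (("scan", SCAN_SESSION), ("normal", NORMAL_SESSION)):
        s = parse_session(text)
        print(f"{name}: probe={is_directory_probe(s)} {s}")
```

Feed it the command and reply lines of one session, for instance from "Follow TCP Stream" on port 21 in Ethereal (now Wireshark) or from the FTP daemon's command log. The figure worth alerting on is `mkd_denied` compared with `mkd_after_cwd_ok`: in Dan's capture every MKD was refused, which is exactly what his locked-down permissions were meant to achieve; a flagged session where an MKD came back 257 means the scanner found a writable anonymous directory and that host needs attention.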






German Publisher DOSed?


Thomas writes:

I just read about a big DDoS attack in Germany. www.heise.de, one of the biggest German online publishers, has gone offline.


When we checked, the site was not responding.


isc dot chris -at- gee mail dot com