Security Incidents mailing list archives

ano () ano com ftpd dip.t-dialin.net
From: Owen McCusker <mccusker () sonalysts com>
Date: Wed, 06 Nov 2002 16:50:13 -0500

I have seen some interesting access in a few anonymous ftp servers'
logs.

The following sequence occurs:
1) The user logs on anonymously with the username ano () ano com 
2) user transfers a repeating binary file XXX.XXX where the X is a digit
(e.g. 471.995)
    the file has a repeating pattern to it.
    the file size is: 104154 (bytes)
    file name was: 471.995 (maybe a sequencing number for reassembly...)

    contents look like: (via text editor)


.3›;ØÎšŸg3pBØÇ=´g?Ãä?[o¼g‡Ãò?«šgÝÃA?[š\ÃO?[Ã;g3›4?[Ãdr3.............
    (maybe    encrypted text?)
3) The user accesses the file later on.

The users are from dip.t-dial.net, the user RIPE the description
includes:
    Deutsche Telekom AG, Internet Service Provider, CeBIT 99

I am not sure what these users are doing. Maybe they are trying
to set up some way to perform "store and forward" services
via anonymous FTP.

Maybe this is somehow related to the same scheme devised
using iroffer (aka DCC bot).

Has anyone else seen this type of activity from dip.t-dialin.net
or dipsters for short. ;-)?

Owen




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
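
Added example (not part of the original post): one way to search FTP transfer logs for the sequence described above, an anonymous upload of a file named XXX.XXX that is later retrieved. It assumes the server writes xferlog(5) format records and that the archive's "ano () ano com" stands for ano@ano.com; the sample records and host names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample records in xferlog(5) format; hosts are placeholders.
SAMPLE_XFERLOG = """\
Wed Nov  6 10:02:11 2002 14 host1.example.net 104154 /incoming/471.995 b _ i a ano@ano.com ftp 0 * c
Wed Nov  6 10:05:40 2002 2 host2.example.net 5120 /pub/README b _ o a user@example.org ftp 0 * c
Wed Nov  6 13:47:03 2002 15 host3.example.net 104154 /incoming/471.995 b _ o a ano@ano.com ftp 0 * c
Wed Nov  6 14:10:29 2002 13 host1.example.net 104154 /incoming/112.340 b _ i a ano@ano.com ftp 0 * c
"""

NAME_RE = re.compile(r"^\d{3}\.\d{3}$")  # XXX.XXX with X a digit, e.g. 471.995
ANON_ID = "ano@ano.com"  # assumed de-obfuscated form of "ano () ano com"

def parse_line(line):
    """Parse one xferlog record into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) < 18 or not parts[7].isdigit():
        return None
    tail = parts[-9:]  # nine fixed fields follow the filename
    return {
        "host": parts[6],
        "size": int(parts[7]),
        "path": " ".join(parts[8:-9]),  # filename may contain spaces
        "direction": tail[2],  # i = upload, o = download
        "access": tail[3],     # a = anonymous
        "ident": tail[4],      # ID string supplied at anonymous login
    }

def find_drops(log_text):
    """Group matching anonymous transfers by path, in log order."""
    hits = defaultdict(lambda: {"uploads": [], "downloads": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["access"] != "a":
            continue
        if rec["ident"].lower() != ANON_ID:
            continue
        if not NAME_RE.match(rec["path"].rsplit("/", 1)[-1]):
            continue
        if rec["direction"] == "i":
            hits[rec["path"]]["uploads"].append((rec["host"], rec["size"]))
        elif rec["direction"] == "o" and rec["path"] in hits:
            # count a download only if the upload was seen earlier in the log
            hits[rec["path"]]["downloads"].append((rec["host"], rec["size"]))
    return dict(hits)

def stored_and_fetched(hits):
    """Paths that were uploaded and later retrieved."""
    return sorted(p for p, h in hits.items() if h["downloads"])
```

Comparing the upload and download hosts for each returned path shows whether the file was picked up from a different address than the one that stored it.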

