Security Incidents
mailing list archives
Re: ano () ano com ftpd dip.t-dialin.net
From: Skip Carter <skip () taygeta com>
Date: Wed, 06 Nov 2002 18:19:03 -0800
I have seen some interesting access on a few anonymous ftp servers' logs.
The following sequence occurs:
1) The user logs on anonymously with the username ano () ano com
2) The user transfers a repeating binary file XXX.XXX, where the X is a digit (e.g. 471.995)
   the file has a repeating pattern to it.
   the file size is: 104154 (bytes)
   file name was: 471.995 (maybe a sequencing number for reassembly...)
I have been seeing the same thing since August.
A couple of additional interesting facts:
-- they sometimes leave 2 or 3 files with different names
-- the name format is sometimes X.XX, XX.XX, XX.XXX (and other permutations)
-- the md5sum is ALWAYS 9a5c9475663ad6dcf53f42446972a7b1
   so it's the same file with different names
   (except one time where the file size was 250000 bytes
   and the md5sum was a155cf69d10d449bc1f2933330f9c5a5).
-- there are other origins besides t-dialin.net:
cox.net
rr.com
wanadoo.fr
qdsl-home.de
ipt.aol.com
(but the user always uses ano () ano com )
Skip
--
Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc. INTERNET: skip () taygeta com
1340 Munras Ave., Suite 314 WWW: http://www.taygeta.com
Monterey, CA. 93940
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
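
One way to search xferlog-style transfer records for the pattern reported in this thread (an added example, not code from either poster). The wu-ftpd xferlog field layout, the constructed sample lines with placeholder hosts, and the reading of the archive-obfuscated "ano () ano com" as ano@ano.com are assumptions; the sizes and digests are the ones quoted in the message.

```python
import hashlib
import re

# Indicators taken from the message above.
KNOWN_MD5 = {"9a5c9475663ad6dcf53f42446972a7b1", "a155cf69d10d449bc1f2933330f9c5a5"}
KNOWN_SIZES = {104154, 250000}
NAME_RE = re.compile(r"^\d{1,3}\.\d{1,3}$")   # X.XX, XX.XXX, XXX.XXX, ...
# Assumption: the archive's obfuscated "ano () ano com" stands for this string.
ANON_PASSWORD = "ano@ano.com"

# Constructed sample lines in wu-ftpd xferlog layout (hosts are placeholders).
SAMPLE_LOG = """\
Wed Nov  6 17:58:02 2002 9 host1.example.net 104154 /incoming/471.995 b _ i a ano@ano.com ftp 0 * c
Wed Nov  6 17:59:40 2002 1 host2.example.org 20480 /pub/README b _ o a user@example.org ftp 0 * c
Wed Nov  6 18:03:11 2002 12 host3.example.com 250000 /incoming/12.34 b _ i a ano@ano.com ftp 0 * c
Wed Nov  6 18:05:27 2002 3 host4.example.net 5120 /incoming/notes 1.txt b _ i a someone@example.net ftp 0 * c
"""

def parse_xferlog(line):
    """Split one xferlog line. The filename may contain spaces, so the nine
    trailing fields (type, flag, direction, mode, user, ...) are indexed
    from the right-hand end."""
    tok = line.split()
    if len(tok) < 18:
        return None
    return {"host": tok[6], "size": int(tok[7]),
            "path": " ".join(tok[8:-9]), "direction": tok[-7],
            "mode": tok[-6], "user": tok[-5]}

def suspicious_uploads(log_text):
    """Return (host, path, reasons) for anonymous uploads matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if not rec or rec["direction"] != "i" or rec["mode"] != "a":
            continue          # only incoming transfers by anonymous users
        name = rec["path"].rsplit("/", 1)[-1]
        reasons = [r for r, ok in (("password", rec["user"] == ANON_PASSWORD),
                                   ("name", bool(NAME_RE.match(name))),
                                   ("size", rec["size"] in KNOWN_SIZES)) if ok]
        if len(reasons) >= 2:  # require two indicators to limit false positives
            hits.append((rec["host"], rec["path"], reasons))
    return hits

def md5_is_known(path):
    """Confirm a flagged file on disk against the two digests from the message."""
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest() in KNOWN_MD5
```

Calling `suspicious_uploads(SAMPLE_LOG)` flags the two uploads that match on password, name and size; `md5_is_known()` then confirms a flagged file that is still present in the upload directory.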