Wednesday, May 30, 2001, 2:18:03 PM, you wrote:
IJ> I found the same attempt was made on some of our systems. I first noticed a
IJ> scan
IJ> in our firewall logs last Tuesday or Wednesday (5/22-5/23). After ftp
IJ> service was detected, a login attempt was made by anonymous with password
IJ> guesthere.com. We have no need for anonymous login and our servers are
IJ> patched up to the latest security patch, so I didn't worry, just made note.
IJ> I just assumed it was someone looking for anonymous ftp servers. However,
IJ> given your information below, I beginning to suspect that it may be
IJ> something more malicious. Perhaps it is just a program looking for anonymous
IJ> ftp, but why try and created an *.asp file? Anyone else have some input?

They are looking for anonymous ftp servers they can use to store their
warez. Basically they just scan a range with a tool like 'grimsping'
(http://grimsping.cjb.net), upload a 1kb or 1Mb file to check the
speed on your server and use 'space.asp' to see how much free space is
left.

sincerely
Joris De Donder

http://www.Security-Downloads.Com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]