 
From: Mark Villanova (markreadylinkhealthcare.net)
Date: Mon Aug 20 2001 - 14:28:00 CDT


    Looks like pubfind. This is an automated tool for scanning for "Pubs".
    It is Windows-based and quite effective at finding sites that allow
    anonymous write access. Some versions of it will automatically create a
    hard-to-find directory for warez storage and notify the person running
    the scan.

    -----Original Message-----
    From: Emil Popov [mailto:emods.primasoft.bg]
    Sent: Monday, August 20, 2001 3:33 AM
    To: incidentssecurityfocus.com
    Subject: annoying ftp probes

    Hi,

    I have been getting some annoying connections to my ftpd like:

    Aug 20 07:58:28 ds ftpd[7527]: connection from cc821361-d.vron1.nj.home.com
    Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM cc821361-d.vron1.nj.home.com, guesthere.com
    Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
    Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
    Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM ip-90-202.evc.net, guesthere.com
    Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p

    They are coming from various ISPs at random time intervals.
    It seems that this is some scanner that searches for world-writable
    FTP sites, and since those requests have been coming from *almost*
    random hosts, I am only able to cumulatively add whole ISP domains
    to my hosts.deny. I added a response line, i.e. an instant nmap to those
    guys, and up to now my nmap resulted in scanning either the firewall of
    the ISP, or a Windows machine ( win :), they may soon get an automated
    DoS if they keep on :)) ).

    So I presume it's a win tool.

    Any idea what the tool is?
    Any idea of a better defence (not that my site is world-writable but
    anyway..)

    Thanks

    p.s. There is a very famous WarezFTP site in Bulgaria, and I see them
    getting those same (in format) directories created, so it really seems
    like a scanner that just goes around mkdir'ing.

    p.s.s Sorry for mentioning the un-masked hostnames, but I believe they
    deserve that.

    Emil Popov
    Primasoft Ltd.
    emods.primasoft.bg

    ------------------------------------------------------------------------

    ----
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
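
An added example, not part of the original thread: a log check for the pattern discussed above, an anonymous FTP login followed within seconds by a mkdir of a timestamp-style directory. The sample log and hostnames are constructed, and the 12-digits-plus-"p" directory shape is an assumption drawn from the two names in the quoted log.

```python
import re
from datetime import datetime

# Constructed sample in the syslog layout quoted in the post. Hostnames and
# passwords are placeholders; the middle session is a benign anonymous upload.
SAMPLE_LOG = """\
Aug 20 07:58:28 ds ftpd[7527]: connection from scanner1.example.net
Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM scanner1.example.net, guest@example.com
Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
Aug 20 09:14:02 ds ftpd[7600]: connection from mirror.example.org
Aug 20 09:14:03 ds ftpd[7600]: ANONYMOUS FTP LOGIN FROM mirror.example.org, user@example.org
Aug 20 09:20:41 ds ftpd[7600]: mkdir incoming-docs
Aug 20 11:02:10 ds ftpd[7711]: connection from scanner2.example.net
Aug 20 11:02:11 ds ftpd[7711]: ANONYMOUS FTP LOGIN FROM scanner2.example.net, guest@example.com
Aug 20 11:02:12 ds ftpd[7711]: mkdir 010820110100p
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ftpd\[(\d+)\]: (.*)$")
LOGIN = re.compile(r"^ANONYMOUS FTP LOGIN FROM (\S+),")
# Assumption: probe directories are 12 digits followed by "p", the shape of
# the two names in the quoted log (010820012936p, 010819061100p).
PROBE_DIR = re.compile(r"^mkdir (\d{12}p)$")


def find_probes(log_text, year=2001, max_gap=5):
    """Return (host, directory, seconds after login) for each anonymous
    session that creates a probe-style directory within max_gap seconds."""
    logins = {}  # ftpd pid -> (client host, login time)
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # syslog omits the year, so the caller supplies it
        when = datetime.strptime(f"{m.group(1)} {year}", "%b %d %H:%M:%S %Y")
        pid, msg = m.group(2), m.group(3)
        login = LOGIN.match(msg)
        probe = PROBE_DIR.match(msg)
        if login:
            logins[pid] = (login.group(1), when)
        elif probe and pid in logins:
            host, since = logins[pid]
            gap = int((when - since).total_seconds())
            if 0 <= gap <= max_gap:
                hits.append((host, probe.group(1), gap))
    return hits


if __name__ == "__main__":
    for host, directory, gap in find_probes(SAMPLE_LOG):
        print(f"{host} created {directory} {gap}s after anonymous login")
```

Keying sessions on the ftpd process ID ties each mkdir to the login that preceded it, so the check does not depend on the source hosts, which the post describes as almost random.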
    
