
 
From: Taylor, Gord (GORD.TAYLOR@royalbank.com)
Date: Thu May 31 2001 - 09:48:11 CDT


    I know FrontPage creates a "_vti_pvt" directory to store synchronization
    information, so they may also be using FP to "automate" the discovery of
    anonymous FTP sites (a simple thing to do now that FP2000 includes Visual
    Basic capabilities).

    I would also suggest ensuring that FrontPage extensions are NOT installed as
    part of the IIS configuration since these are known to have several security
    holes.

    Gord Taylor

    -----Original Message-----
    From: Rick Denn [mailto:pcpara@hotmail.com]
    Sent: Wednesday, May 30, 2001 11:55 AM
    To: Ingersoll, Jared; FOCUS-MS@SECURITYFOCUS.COM
    Subject: Re: Identify Method

    Jared,
        Looks like some warez doods tried to tag you as an ftp dump site. The
    asp and ptf files shown in Jeff's post are used by the tagging program for a
    speed test.

    You can get more info on one of the programs here http://grimsping.cjb.net/

    Rick Denn

    ----- Original Message -----
    From: "Ingersoll, Jared" <JIngersoll@cswv.com>
    To: "'CL: Nelson, Jeff'" <JNelson@cmccontrols.com>;
    <FOCUS-MS@SECURITYFOCUS.COM>
    Cc: <incidents@securityfocus.com>
    Sent: Wednesday, May 30, 2001 5:18 AM
    Subject: RE: Identify Method

    > Jeff,
    >
    > I found the same attempt was made on some of our systems. I first noticed
    > a scan in our firewall logs last Tuesday or Wednesday (5/22-5/23). After ftp
    > service was detected, a login attempt was made by anonymous with password
    > guest@here.com. We have no need for anonymous login and our servers are
    > patched up to the latest security patch, so I didn't worry, just made note.
    > I just assumed it was someone looking for anonymous ftp servers. However,
    > given your information below, I'm beginning to suspect that it may be
    > something more malicious. Perhaps it is just a program looking for anonymous
    > ftp, but why try and create an *.asp file? Anyone else have some input?
    >
    > Jared
    > -----Original Message-----
    > From: CL: Nelson, Jeff [mailto:JNelson@cmccontrols.com]
    > Sent: Tuesday, May 29, 2001 10:28 AM
    > To: 'FOCUS-MS@SECURITYFOCUS.COM'
    > Subject: Identify Method
    >
    >
    > Good day,
    >
    > Time to admit complete ignorance here. Some person created several
    > directories in _vti_pvt. I've tried to replicate what I have in my IIS
    logs
    > to no avail. Here is what I see:
    >
    > USER anonymous 331
    > PASS anonymous@on.the.net 230
    > MKD /_vti_pvt/+.+tagged+4+SWAA 257
    > QUIT - 257
    >
    > Then another 14 minutes later:
    >
    > USER anonymous 331
    > PASS guest@here.com 230
    > created /1kbtest.ptf 250
    > DELE /1kbtest 250
    > created /space.asp 226
    > DELE /space.asp 250
    >
    > First, what is going on? How were they able to do this? When I try I get
    an
    > error stating path cannot be found.
    >
    > Second, (and I think I've asked this before) is there a resource that goes
    > in-depth to what is taking place? Most of the material I have is for Unix
    > systems, not IIS.
    >
    > Regards,
    >
    > Jeff
    >
    > Jeffrey L. Nelson
    > Network Manager; Cleveland Motion Controls
    > jnelson@cmccontrols.com; 216-642-5147
    > ----
    > "The musical notes are only five in number but their melodies, are so
    > numerous that one cannot visualize them all." -- Sun Tzu
    >

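The pattern Jeff pasted (anonymous login accepted, then a MKD under _vti_pvt with a "tagged" name, followed a few minutes later by a 1 KB upload-and-delete speed test) is easy to pick out of an IIS FTP log once the records are grouped by session. The script below is an added example written for this archive page; it is not code from anyone in the thread. It assumes the IIS 4/5 W3C extended FTP log layout (time, client IP, method with a bracketed per-session counter, path, status), and the log lines, IP addresses and the third "normal" session are constructed to mirror the posts rather than copied from any real server.

```python
"""Flag anonymous FTP 'tagging' sessions in IIS FTP logs.

Assumed field layout (IIS 4/5 W3C extended FTP log):
    time c-ip cs-method cs-uri-stem sc-status
where cs-method carries a per-session counter, e.g. "[12]MKD". IIS logs
an upload as "created" and a download as "sent", which is why those words
appear in place of STOR/RETR in the posted log.
"""
import re
from collections import defaultdict

# Constructed sample that mirrors the thread; not the original server's log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-05-29 14:02:11
#Fields: time c-ip cs-method cs-uri-stem sc-status
14:02:11 192.0.2.10 [1]USER anonymous 331
14:02:11 192.0.2.10 [1]PASS anonymous@on.the.net 230
14:02:12 192.0.2.10 [1]MKD /_vti_pvt/+.+tagged+4+SWAA 257
14:02:12 192.0.2.10 [1]QUIT - 257
14:16:40 192.0.2.10 [2]USER anonymous 331
14:16:40 192.0.2.10 [2]PASS guest@here.com 230
14:16:41 192.0.2.10 [2]created /1kbtest.ptf 250
14:16:41 192.0.2.10 [2]DELE /1kbtest 250
14:16:42 192.0.2.10 [2]created /space.asp 226
14:16:43 192.0.2.10 [2]DELE /space.asp 250
15:01:00 198.51.100.7 [3]USER jsmith 331
15:01:01 198.51.100.7 [3]PASS - 230
15:01:05 198.51.100.7 [3]sent /pub/readme.txt 226
15:01:06 198.51.100.7 [3]QUIT - 226
"""

# "[12]MKD" -> session counter 12, method MKD
METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")

# Anything that changes the server's file system. "created" is how IIS
# records an upload; the raw verbs are included in case a log has them.
WRITE_METHODS = {"MKD", "created", "STOR", "DELE", "RNTO", "RMD"}

# Path fragments typical of warez tagging tools and their speed tests.
TAG_PATTERNS = re.compile(r"(_vti_pvt|tagged|1kbtest|space\.asp)", re.I)


def parse_lines(text):
    """Yield (time, ip, session, method, path, status) per log record."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # directives and blank lines
        parts = line.split()
        if len(parts) != 5:
            continue  # not a record in the assumed layout
        time, ip, method_field, path, status = parts
        m = METHOD_RE.match(method_field)
        if not m:
            continue
        yield time, ip, m.group(1), m.group(2), path, int(status)


def find_tagging_sessions(text):
    """Return one finding per session that logged in as anonymous (PASS
    answered with 230) and then performed any write. The password the
    client sent is kept because it is a handy indicator (guest@here.com
    and anonymous@on.the.net in the thread)."""
    sessions = defaultdict(
        lambda: {"anon": False, "password": None, "writes": [], "tag_hits": 0})
    for time, ip, sess, method, path, status in parse_lines(text):
        s = sessions[(ip, sess)]
        if method == "USER" and path.lower() in ("anonymous", "ftp"):
            s["anon"] = True
        elif method == "PASS" and s["anon"] and status == 230:
            s["password"] = path
        elif method in WRITE_METHODS and s["anon"]:
            s["writes"].append((time, method, path, status))
            if TAG_PATTERNS.search(path):
                s["tag_hits"] += 1
    findings = []
    for (ip, sess), s in sessions.items():
        if s["anon"] and s["password"] is not None and s["writes"]:
            findings.append({
                "ip": ip, "session": sess, "password": s["password"],
                "writes": s["writes"], "tag_hits": s["tag_hits"],
                "verdict": "tagging" if s["tag_hits"] else "anon-write",
            })
    return findings


if __name__ == "__main__":
    for f in find_tagging_sessions(SAMPLE_LOG):
        print(f"{f['ip']} session {f['session']} [{f['verdict']}] "
              f"pass={f['password']}")
        for time, method, path, status in f["writes"]:
            print(f"    {time} {method} {path} -> {status}")
```

Run against the sample, sessions 1 and 2 are reported as "tagging" while the jsmith session is ignored because it never authenticated as anonymous. Any session that reaches "anon-write" at all is worth a look: an anonymous account that can MKD or upload is exactly what a tagging tool is probing for, regardless of the directory name it picks.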