
 
From: Dan Hawrylkiw (idontcheckthisaccount@panira.net)
Date: Sun Apr 07 2002 - 14:16:39 CDT


    The packets were logged correctly. This is the signature of Grim's
    Ping, a scanning tool that looks for FTP servers with directories that
    anonymous users can write to (in other words, new warez sites). The tool
    logs in as anonymous and authenticates with Xgpuser@home.com (where X is
    any uppercase letter). It tries to find and write to commonly used FTP
    directories and reports successes to the attacker.

    The author claims its purpose is for "spreading wealth":
    ___
    >>This program was released in hopes that the general public would get
    >>hooked on scanning public sites and would help "spread the wealth."
    ___

    The tool's homepage is http://grimsping.cjb.net/

    /Dan Hawrylkiw
    CISSP, GCIA, RHCE
    Phoenix Area Network Intrusion Research Alliance

    _____________________________________________________________
    Bill McCarty wrote:

    > Today, I noticed an FTP attack among my Snort alerts. I see such attacks
    > every day or two and follow them up diligently. The only hosts on my
    > network that run FTP are honeypots, so such attacks are never false
    > positives. When I investigated, I found one rather odd packet.
    >
    > Here's a tcpshow dump of the packet:
    >
    >> Packet 110
    >> TIME: 06:35:00.865192
    >> IP: 62.254.50.140 -> xxx.xxx.xxx.xxx hlen=20 TOS=10 dgramlen=159
    >
    > id=0000
    >
    >> MF/DF=0/0 frag=0 TTL=240 proto=TCP cksum=0000
    >> TCP: port 2929 -> 21 seq=2905996287 ack=1728071789
    >> hlen=20 (data=119) UAPRSF=011000 wnd=5840 cksum=0000 urg=0
    >> DATA: QUIT.
    >> xxx-xxxxxxPASS Dgpuser@home.com.
    >> CWD /pub/.
    >> MKD 020407143116p.
    >> CWD /public/.
    >> CWD /pub/incoming/.
    >> CWD /incoming/.
    >
    >
    > The packet has several unusual features. Prominent among them are the
    > presence of the string xxx-xxxxxx, which I've obfuscated. The actual
    > value of the string is the name of a sensitive host within my internal
    > network. Since no externally visible DNS server knows the name of this
    > host, the presence of this string concerns me.
    >
    > But, I begin to suspect that the packet has not been correctly logged.
    > For one thing, as I recall, the QUIT command should mark the end of an
    > FTP session. And, I don't recall that the syntax of the FTP PASS command
    > allows a host name in front of the PASS keyword. Also, I notice that the
    > packet ID and checksum are both 0.
    >
    > Q: Has anyone experienced badly logged packets? Or, is it more likely
    > that the packet was correctly logged, despite possible evidence to the
    > contrary?
    >
    > Thanks!
    >
    > ---------------------------------------------------
    > Bill McCarty
    >
    > _______________________________________________
    > Snort-users mailing list
    > Snort-users@lists.sourceforge.net
    > Go to this URL to change user options or unsubscribe:
    > https://lists.sourceforge.net/lists/listinfo/snort-users
    > Snort-users list archive:
    > http://www.geocrawler.com/redir-sf.php3?list=snort-users
    >
    >

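A defender-side illustration of Dan's explanation: a small classifier that parses an FTP control-channel payload like the one in Bill's tcpshow dump and reports the Grim's Ping indicators (the Xgpuser@home.com password, the walk through common writable directories, the timestamp-named MKD, and commands following a QUIT). This is an added example, not code from either poster; the sample payload is constructed from the dump, and the timestamp format of the MKD name is an assumption drawn from that single packet.

```python
import re
from typing import List, Tuple

# Constructed sample: the FTP control-channel payload from the tcpshow dump in
# the thread, with CRLF line endings restored (the archive had munged the '@').
SAMPLE_PAYLOAD = (
    "QUIT\r\n"
    "PASS Dgpuser@home.com\r\n"
    "CWD /pub/\r\n"
    "MKD 020407143116p\r\n"
    "CWD /public/\r\n"
    "CWD /pub/incoming/\r\n"
    "CWD /incoming/\r\n"
)

# Grim's Ping authenticates the anonymous login with Xgpuser@home.com, X any uppercase letter.
GRIMS_PING_PASS = re.compile(r"^[A-Z]gpuser@home\.com$")
# Directories the tool probed in the dump.
PROBED_DIRS = {"/pub/", "/public/", "/pub/incoming/", "/incoming/"}
# Assumption: the MKD name is a YYMMDDhhmmss timestamp plus one letter, as in the dump.
TIMESTAMP_MKD = re.compile(r"^\d{12}[a-z]$")


def parse_ftp_commands(payload: str) -> List[Tuple[str, str]]:
    """Split a control-channel payload into (VERB, argument) pairs, one per line."""
    commands = []
    for line in re.split(r"\r?\n", payload):
        line = line.strip()
        if not line:
            continue
        verb, _, arg = line.partition(" ")
        commands.append((verb.upper(), arg.strip()))
    return commands


def classify_payload(payload: str) -> List[str]:
    """Return the Grim's Ping indicators present in the payload, in a fixed order."""
    cmds = parse_ftp_commands(payload)
    findings = []
    if any(v == "PASS" and GRIMS_PING_PASS.match(a) for v, a in cmds):
        findings.append("grims-ping-password")
    probes = {a for v, a in cmds if v == "CWD" and a in PROBED_DIRS}
    if len(probes) >= 2:  # one CWD /pub/ alone is ordinary traffic
        findings.append("writable-dir-probe")
    if any(v == "MKD" and TIMESTAMP_MKD.match(a) for v, a in cmds):
        findings.append("timestamp-mkd")
    # Bill's observation: QUIT should end the session, yet more commands follow it.
    if len(cmds) > 1 and cmds[0][0] == "QUIT":
        findings.append("commands-after-quit")
    return findings
```

Feeding the sample payload to `classify_payload` yields all four indicators; a normal anonymous login that changes into /pub/ once yields none.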