#
# SCAN OF THE MONTH #7: 6 November
#
# Contest to see who can determine which tool
# was used and the purpose of this scan. Packet
# decodes using snort (http://www.snort.org).
#
# The packets were captured from the wild as part
# of the Honeynet Project.

QUESTION
--------

1. What can we tell about the purpose of these ftp probes?

20 ftp.example.edu FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
USER anonymous
331 Guest login ok, send your complete e-mail address as password.
PASS guest@here.com
230 Guest login ok, access restrictions apply.
CWD /pub/
250 CWD command successful.
MKD .100727114826p
550 .100727114826p: Permission denied on server. (Upload dirs)
CWD /public/
550 /public/: No such file or directory.
CWD /pub/incoming/
550 /pub/incoming/: No such file or directory.
CWD /incoming/
550 /incoming/: No such file or directory.
CWD /_vti_pvt/
550 /_vti_pvt/: No such file or directory.
CWD /
250 CWD command successful.
MKD .100727114827p
550 .100727114827p: Permission denied on server. (Upload dirs)
CWD /upload/
550 /upload/: No such file or directory.
221 You could at least say goodbye.

ANSWER
------

That is a probe for various anonymous ftp weaknesses, including Front Page.
Here's one script that shows what they would typically try to get out of it:
http://packetstorm.securify.com/UNIX/scanners/frontpage.pl
A quick search on Netscape's site shows tons of systems with these directories indexed.

From: Vitaly McLain
Subject: Scan of the month

>> 20 ftp.example.edu FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.

An obviously vulnerable WU-FTPd daemon (which I assume is a honeypot). One thing to note: the exploit relies on the ability to execute SITE EXEC, nothing else...

>> USER anonymous
>> 331 Guest login ok, send your complete e-mail address as password.
>> PASS guest@here.com
>> 230 Guest login ok, access restrictions apply.

Anonymous login... This is interesting.
I don't think it's an individual, but rather an automated tool doing the scans. I also do not think it is designed to check for vulnerable WU-FTPd's 2.6.0, because (as stated above), the attacker does not need upload permission. Why is it looking for permission to upload? Well, my guess is that it could be looking for an older hole in Wu-FTPd, one that requires the attacker to create an overly long file-name. Or it could be just looking for upload directories, because they can sometimes be an avenue of attack (i.e. the Apache.Org hack).

One thing that was weird is that it's looking for /_vti_pvt/, which is commonly associated with Windows/IIS (yeah, I know FP extensions can be used in UN*X as well).

From: Brian Reilly
Subject: Scan of the month (November)

The attacker appears to be searching for various FTP misconfigurations and holes available via anonymous FTP. The first series of MKD commands may be an attempt to create "hidden" Unix directories to store large files, copyrighted material, etc. on a remote server. Also, if the attacker is able to create directories, it may be possible to exploit an (older) wu-ftpd vulnerability to gain root access through a series of MKD and CWD commands (CVE-1999-0950); the logs show the attacker is targeting /pub, /pub/incoming, /incoming, /public, and /uploads -- all of these directories are sometimes world-writable. The attacker is also looking for the Microsoft FrontPage password file in the /vti_pvt directory. A successful attempt of this probe could also indicate that the webserver root is accessible via anonymous FTP -- which is never a good idea.

From: Mikael Olsson
Subject: Re: Scan of the month

> On Tue, 7 Nov 2000, Mikael Olsson wrote:
>
> > Google is my friend... They were using Grim's Ping,
> > with the "PubFinder" settings untouched.
>
> Do you have a link?

Sure thing, http://grimsping.cjb.net/
It even looks like a commercial site?!
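As an added illustration (not part of the original challenge text or any of the replies), a small detector for the PubFinder-style probe discussed above: it pairs each FTP client command with the next server reply and records the anonymous login, every MKD attempt with its reply code (a 257 would mean the directory was created, i.e. world-writable), the walk over well-known upload directories, and the /_vti_pvt/ lookup. The directory list and the sample session are taken from the transcript at the top of the page; the decision rule in is_upload_probe is my own assumption, not part of any tool on the page.

```python
import re
# Upload directories the captured probe walked (from the transcript above)
# and the FrontPage directory; a CWD to any of these is a probe indicator.
UPLOAD_DIRS = {"/pub/", "/public/", "/pub/incoming/", "/incoming/", "/upload/"}
FRONTPAGE_DIRS = {"/_vti_pvt/", "/vti_pvt/"}
CMD_RE = re.compile(r"^(USER|PASS|CWD|MKD)\s+(\S+)")
REPLY_RE = re.compile(r"^(\d{3})[ -]")

def analyse_session(lines):
    """Pair each client command with the next server reply and tally probe signs."""
    rep = {"anonymous_login": False, "mkd_attempts": [],
           "upload_dirs_probed": [], "frontpage_probed": False}
    cwd, pending, anon_user = "/", None, False
    for line in map(str.strip, lines):
        if m := CMD_RE.match(line):
            pending = (m.group(1), m.group(2))
            continue
        r = REPLY_RE.match(line)
        if not r or pending is None:
            continue                    # banner, unhandled command or stray reply
        code, (cmd, arg) = int(r.group(1)), pending
        pending = None
        if cmd == "USER":
            anon_user = arg.lower() in ("anonymous", "ftp")
        elif cmd == "PASS" and anon_user and code == 230:
            rep["anonymous_login"] = True
        elif cmd == "CWD":
            cwd = arg if code == 250 else cwd   # only a successful CWD moves us
            if arg in UPLOAD_DIRS:
                rep["upload_dirs_probed"].append(arg)
            rep["frontpage_probed"] |= arg in FRONTPAGE_DIRS
        elif cmd == "MKD":              # a 257 here would mean cwd is world-writable
            rep["mkd_attempts"].append((cwd, arg, code))
    return rep

def is_upload_probe(rep):
    """Assumed rule: anonymous login plus any MKD, a walk of several upload dirs, or a FrontPage lookup."""
    return rep["anonymous_login"] and bool(rep["mkd_attempts"]
        or len(rep["upload_dirs_probed"]) >= 3 or rep["frontpage_probed"])

# The page's session, trimmed to the lines the detector needs.
SESSION = """USER anonymous
331 Guest login ok, send your complete e-mail address as password.
PASS guest@here.com
230 Guest login ok, access restrictions apply.
CWD /pub/
250 CWD command successful.
MKD .100727114826p
550 .100727114826p: Permission denied on server. (Upload dirs)
CWD /_vti_pvt/
550 /_vti_pvt/: No such file or directory.""".splitlines()
```

Feeding a full snort decode of the session through analyse_session gives the same report; an ordinary anonymous download session (no MKD, one or two CWDs, no /_vti_pvt/) is reported as benign.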