lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <fc438b46be6747126f55e04e8ff8de624006f838@watchguard.com>
From: perrieror1 at mail.montclair.edu (Robert Perriero)
Subject: ftp worm ?

I would be willing to bet that this is a modified "pub scanner". Similar 
to the apache exploit posted, it appears as if it attempts to connect to 
machines using known user accounts and passwords. It probably isn't a 
worm, but rather someone behind a keyboard attempting to find a place to 
store warez.
-Bob

Mike Tancsa wrote:

>
> I have been noticing a flood of ftp attempts to various servers on our 
> network recently.  Its typically from some dialup / dynamic IP and it 
> tries to ftp in to one of my machines as fast as it can with as many 
> connections as possible using a fixed ranges of usernames
>
> e.g. in a 2hr period,
>
>  grep "FTP LOGIN FAILED" /var/log/authentic | awk '{print $11}' | sort 
> | uniq -c | sort -nr
>  293 manager
>  290 public
>  289 private
>  286 default
>  262 security
>  237 1234qwer
>  218 123qwe
>  214 user
>  213 super
>  209 123456
>  197 000000
>  192 Internet
>  156 abcd
>  143 abc123
>  115 abc
>  106 1234567
>  104 123abc
>  102 88888888
>   95 password
>   93 asdfgh
>   88 computer
>   84 5201314
>   83 00000000
>   79 !@...^&*()
>   77 654321
>   76 888888
>   73 123asd
>   71 11111
>   71 !@...^&*
>   68 passwd
>   64 !@...^&*(
>   61 111111
>   58 asdf
>   57 sql
>   57 database
>   51 111
>   49 !@#$%
>   45 pass
>   45 !@#$
>   43 54321
>   42 server
>   42 !@...^
>   35 sybase
>   34 oracle
>   34 12345678
>   34 1
>   31 secret
>   27 test
>   27 11111111
>   18 admin
>   15 anyone
>   10 !@...^&
>
>
> This looks a lot like http://www.f-secure.com/v-descs/muma.shtml but I 
> have not been able to find a description/variant that uses ftp.  Is 
> this a new version of muma ? Or just some worm / virus that uses the 
> same list of users.
> --------------------------------------------------------------------
> Mike Tancsa,                                        tel +1 519 651 3400
> Sentex Communications,                   mike@...tex.net
> Providing Internet since 1994                    www.sentex.net
> Cambridge, Ontario Canada              www.sentex.net/mike
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ