[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <fc438b46be6747126f55e04e8ff8de624006f838@watchguard.com>
From: perrieror1 at mail.montclair.edu (Robert Perriero)
Subject: ftp worm ?
I would be willing to bet that this is a modified "pub scanner". Similar
to the apache exploit posted, it appears as if it attempts to connect to
machines using known user accounts and passwords. It probably isn't a
worm, but rather someone behind a keyboard attempting to find a place to
store warez.
-Bob
Mike Tancsa wrote:
>
> I have been noticing a flood of ftp attempts to various servers on our
> network recently. Its typically from some dialup / dynamic IP and it
> tries to ftp in to one of my machines as fast as it can with as many
> connections as possible using a fixed ranges of usernames
>
> e.g. in a 2hr period,
>
> grep "FTP LOGIN FAILED" /var/log/authentic | awk '{print $11}' | sort
> | uniq -c | sort -nr
> 293 manager
> 290 public
> 289 private
> 286 default
> 262 security
> 237 1234qwer
> 218 123qwe
> 214 user
> 213 super
> 209 123456
> 197 000000
> 192 Internet
> 156 abcd
> 143 abc123
> 115 abc
> 106 1234567
> 104 123abc
> 102 88888888
> 95 password
> 93 asdfgh
> 88 computer
> 84 5201314
> 83 00000000
> 79 !@...^&*()
> 77 654321
> 76 888888
> 73 123asd
> 71 11111
> 71 !@...^&*
> 68 passwd
> 64 !@...^&*(
> 61 111111
> 58 asdf
> 57 sql
> 57 database
> 51 111
> 49 !@#$%
> 45 pass
> 45 !@#$
> 43 54321
> 42 server
> 42 !@...^
> 35 sybase
> 34 oracle
> 34 12345678
> 34 1
> 31 secret
> 27 test
> 27 11111111
> 18 admin
> 15 anyone
> 10 !@...^&
>
>
> This looks a lot like http://www.f-secure.com/v-descs/muma.shtml but I
> have not been able to find a description/variant that uses ftp. Is
> this a new version of muma ? Or just some worm / virus that uses the
> same list of users.
> --------------------------------------------------------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@...tex.net
> Providing Internet since 1994 www.sentex.net
> Cambridge, Ontario Canada www.sentex.net/mike
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists