When your server ends up a Warez site.
- Strange logs from your FTP server
- Obscure^


- Intro

About my experiments.

Last week I opened an anonymous ftp site on my home machine, expecting a few connections.
I also wanted to see what people would do if I gave them write access. Within 3-4 days of
my server being up, I got a successful connection from a remote host, which created its
own directory named "_kurdt". Later on, I got another connection from a possibly
different visitor, who created a different directory named "020612105639p". Checking
my ftp logs, I learnt that both processes seem automated: within the same second
the user logged in, created a folder and disconnected from my ftp server. The
third scan consisted of testing upload, deletion and ftp/http misconfiguration.
These attacks are described in detail in the log files section.

FXP and Pub Scanning

"FXP stands for File eXchange Protocol and it let's you copy files from one
FTP-server to another using a FXP-client. Normally you transfer files using
the FTP protocol between your machine and a FTP-server, and the maximum
transfer speed depends on the speed of your Internet connection (e.g. 56k,
cable or T1). When transferring files between two remote hosts using a FXP
client, the maximum transfer speed does not depend on your connection but
only on the connection between the two hosts, which is usually much faster
than your own connection. Because it is a direct connection you will not be
 able to see the progress or the transfer speed of the files."
(From http://www.ultimatefxp.f2s.com/tutorials/tutorial.htm)

Technically this means that the client puts host A into passive mode (PASV), takes the
IP address and port that host A answers with, and hands them to host B in a PORT command,
so the data connection is opened directly between the two servers rather than through the
client. This attack is normally described as the FTP Bounce Attack.

Pub scanning, on the other hand, is about scanning for ftp sites which
allow you to upload and download your own stuff. Scanning for such ftp
sites can be done manually, using a port scanner and then checking each
ftp site with an ftp client, or, increasingly, with software written for the
sole purpose of finding such sites. This is described further on in
the Tools of trade section. For Warez people, having such access means
that they can have large ftp sites with good bandwidth, easily accessible
for trading Warez, mp3s, VCDs and so on.

Difference between Warez “D00ds” and Hackers

To the unwary administrator, such activity will look like his ftp site
has been hit by another evil cracker (AEC) [tm]. In reality, the methods
used for pub scanning and FXP are quite similar to the patterns generated by
AEC people. However, the scope is quite different. While a cracker will
want to penetrate the system, and maybe the network, to gain access to more
machines, maybe for DDoS (quite popular nowadays) or to deface a site, the
average Warez pub-scanner will probably only want gigabytes of storage and
bandwidth. That is not to say that exceptions do not exist. Crackers have been
known to leave Warez on servers, and Warez people have also been using
"exploits" (mostly exploiting misconfiguration) to gain better access to
their target hosts. In fact, with pub-scanning becoming more sophisticated,
methods used by hackers to penetrate hosts on the 'net are increasingly
being used for Warez dissemination. Also, most Warez people will use Windows,
as opposed to a certain section of the hacker community that prefers Linux
and the *BSDs.

 

Attacking.

Tools of trade

Grim's Ping is probably one of the most used tools around. Version
1.71 boasts a good number of features:

Features
--------
*Scan specified ports, using a proxy if you wish
*Ping 24.4.4.* IP range
*Host lookup
*Perform "Pub Find" on an infinite number of IP ranges
*Log Wingate engines found, in addition to FTPs
*Wingate usage to protect privacy
*Built in FTP client
*Log or print scan results
*Check write and delete permissions
*Check OS type and FXP/Resume capabilities
*Record speed
*Modify queue to reflect your scanning processes
*Import queue lists from other popular scanning utilities
*Autosave queue
*Many configurable options

As you can see, it supports anything a pub-scanner could wish for: it
gives statistics, supports "anonymity" (as described later on) and
will efficiently do automated scanning for different FTP sites.


As an add-on, Grim has also included Ping Companion, which will upload
space.asp, an Active Server Page which displays information
about the host. It will also try to upload 1k and 1mb test files
to check whether the ftp server is really capable of hosting a Warez site.


An interesting tool in use is Omega Scanner:

Script Based Internet Scanner


"Omega Scanner is a multi-threaded script based Internet scanner.
 With the advantage of scripts, Omega Scanner can be configured
to scan for almost anything - from SMTP to FTP servers. The variety
 of scripts included with Omega Scanner shows the power of
script-based Internet scanning.

Omega Scanner supports proxy SOCKS4 and SOCKS5"

Numerous scripts are available for FTP pub and FXP scanning… making
 it another tool of choice.


Another tool worth mentioning is the FlashFXP ftp client, which
supports ftp to ftp transfer.

Features:

· Local and Site to Site file transfers.
· Fully recursive file transferring.
· Fully recursive deleting.
· FTP Proxy, Socks 4 & 5, HTTP Proxy support.
· Grouped SITE custom commands.
· Anti-idle keeps connection active.
· Caching of directory lists.
· Disconnect Dialup-Networking once transfer has completed.
· Restore broken transfers. (reconnects and restarts file transfer)
· Drag-drop from Windows Explorer.
· System tray minimize.


- Warez Trends

Tagging

Warez traders exist in groups, so that each group will have a couple
of members who actively scan for pubs. Since different warez groups
will target each ftp site, each group creates its own tag, to
claim that ftp site as its own territory.

A tag will typically look something like "-=ACF=-" or "[DVD-R]".
Grim's Ping site hosts a tag list on http://grim.virtualave.net/addtag.cgi?view .
The idea is that ethical pub-scanners respect tags and don't upload
their own files if the ftp site is already in use by another group.
Of course, non-ethical scanners exist, and they are sometimes called
deleters.


Rating Pubs

Pubs are published on Warez bulletin boards for other users to
upload to and abuse. Most lists of pubs will consist of more than
just IP addresses. Typical lists will include the uploadable
directory, delete statistics (that is, whether the uploaded files are
deletable by other users), the operating system of the ftp site,
whether the site is able to resume downloads and uploads (a handy
feature when doing huge downloads), whether it is FXPable, and the
download speed. Grim's Ping Companion's space.asp, which was
described earlier, will give scanners further information about
the target machine, including the name of logical drives, type
of drive, volume name, free and total space, file system for each
drive and the version of IIS which is running.


Hiding files

The process of uploading Warez and other goods takes time and
patience. That means that the uploader wouldn't like to have his
directory deleted after a few days (or hours) by the legitimate
administrator, opposing Warez groups or simply clueless roamers.
For this purpose, Warez d00dz have learnt various tricks to hide
their stuff.

The most commonly known method for hiding directories is to
prefix the filename with a dot (.). This will hide the file
on most Unix machines. Another effective method is to use the
tilde symbol (~). Many ftp clients will direct the user to the
user directory when he tries to access ~, therefore keeping certain
people out and letting others in. Adding spaces to the folder name and
using loads of dummy directories (a maze) are other ways the pirate
uses to hide the treasure.


Anonymity

Many pub-scanners are well aware of the risk involved; some of
them will probably have already been tipped off by some ISP or,
worse, got their account stopped because of their illegal
activity. Therefore, the use of anonymous proxies, wingates and
socks is quite popular among the community. Some will be
really paranoid and use multiple wingates to bounce their
connection, in the hope that it will take much longer to be traced back.
These techniques are better covered in my other article about anonymity
and other issues: "Browsing Websites at your own risk".




Prevention and Post Attack Analysis.

This section is aimed at anyone (mostly administrators) hosting an ftp site.


Log files

During my testing (i.e. acting as a honeypot), I configured Serv-U
to log everything to a text file for easy manual parsing. The following entries show a pub-scanner's activity:

[5] Thu 07Jun01 13:06:42 - (000004) Connected to 61.170.139.40 (Local address x.x.x.x)
[6] Thu 07Jun01 13:06:42 - (000004) 220 EOS FTP 2.1 Ready ...
[2] Thu 07Jun01 13:06:42 - (000004) user anonymous
[6] Thu 07Jun01 13:06:42 - (000004) 331 User name okay, please send complete E-mail address as password.
[2] Thu 07Jun01 13:06:43 - (000004) pass <e-mail address obscured>
[5] Thu 07Jun01 13:06:43 - (000004) ANONYMOUS logged in, password: <e-mail address obscured>
[6] Thu 07Jun01 13:06:43 - (000004) 230 User logged in, proceed.
[2] Thu 07Jun01 13:06:43 - (000004) mkd _kurdt
[6] Thu 07Jun01 13:06:43 - (000004) 257 "/_kurdt" directory created.
[5] Thu 07Jun01 13:06:44 - (000004) Closing connection for user ANONYMOUS (00:00:02 connected)


The above shows the first scan by a pub-scanner. "kurdt" seems to be the nickname (or tag) of the client. A Google search for _kurdt turned up some published warez sites, which clearly confirmed my suspicion. Apart from that, he is probably using Omega Scanner with "pub searchin' script.oss", which uses a fixed e-mail address (obscured in this copy of the page) as the password.


The second connection produces the following logs:

[5] Tue 12Jun01 10:54:40 - (000003) Connected to 213.51.52.27 (Local address x.x.x.x)
[6] Tue 12Jun01 10:54:41 - (000003) 220 EOS FTP 2.1 Ready ...
[5] Tue 12Jun01 10:54:41 - (000003) IP-Name: CP17725-A.DBSCH1.NB.NL.HOME.COM
[2] Tue 12Jun01 10:54:41 - (000003) USER anonymous
[6] Tue 12Jun01 10:54:41 - (000003) 331 User name okay, please send complete E-mail address as password.
[2] Tue 12Jun01 10:54:41 - (000003) PASS <e-mail address obscured>
[5] Tue 12Jun01 10:54:41 - (000003) ANONYMOUS logged in, password: <e-mail address obscured>
[6] Tue 12Jun01 10:54:41 - (000003) 230 User logged in, proceed.

The password seen above (obscured in this copy of the page) is the one produced by the popular pub-scanner Grim's Ping.

[2] Tue 12Jun01 10:54:41 - (000003) CWD /pub/
[6] Tue 12Jun01 10:54:41 - (000003) 550 /pub: No such file or directory.
[2] Tue 12Jun01 10:54:41 - (000003) CWD /public/
[6] Tue 12Jun01 10:54:41 - (000003) 550 /public: No such file or directory.
[2] Tue 12Jun01 10:54:41 - (000003) CWD /pub/incoming/
[6] Tue 12Jun01 10:54:41 - (000003) 550 /pub/incoming: No such file or directory.
[2] Tue 12Jun01 10:54:42 - (000003) CWD /incoming/
[6] Tue 12Jun01 10:54:42 - (000003) 550 /incoming: No such file or directory.
[2] Tue 12Jun01 10:54:42 - (000003) CWD /_vti_pvt/
[6] Tue 12Jun01 10:54:42 - (000003) 550 /_vti_pvt: No such file or directory.

It immediately tries a list of well-known directory names, looking for one it can write to.

[2] Tue 12Jun01 10:54:42 - (000003) CWD /
[6] Tue 12Jun01 10:54:42 - (000003) 250 Directory changed to /
[2] Tue 12Jun01 10:54:42 - (000003) MKD 020612105639p
[6] Tue 12Jun01 10:54:42 - (000003) 257 "/020612105639p" directory created.
[2] Tue 12Jun01 10:54:42 - (000003) RMD 020612105639p
[6] Tue 12Jun01 10:54:42 - (000003) 550 /020612105639p: Permission denied.
[2] Tue 12Jun01 10:54:42 - (000003) SYST
[6] Tue 12Jun01 10:54:42 - (000003) 215 UNIX Type: L8
[2] Tue 12Jun01 10:54:43 - (000003) REST 1

The following information about my ftp is obtained:
my ftp is writable at the root directory, directories are not deletable and
the OS is UNIX (at least, that is what the SYST reply claims; the d:\anonftp paths
further down show that Serv-U is actually running on Windows).

[6] Tue 12Jun01 10:54:43 - (000003) 350 Restarting at 1 - send STORE or RETRIEVE to initiate transfer.
[2] Tue 12Jun01 10:54:44 - (000003) PASV
[6] Tue 12Jun01 10:54:44 - (000003) 227 Entering Passive Mode (x,x,x,x,11,202)
[2] Tue 12Jun01 10:54:44 - (000003) PORT 207,46,133,140,1,21

The IP 207.46.133.140:21 is ftp.microsoft.com. By sending a PORT command that points at a third host instead of his own address, this guy is testing whether my ftp server will allow him to FXP.

[6] Tue 12Jun01 10:54:44 - (000003) 200 PORT Command successful.
[2] Tue 12Jun01 10:54:44 - (000003) CWD ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
[6] Tue 12Jun01 10:54:44 - (000003) 550 /pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp: No such file or directory.
[2] Tue 12Jun01 10:54:44 - (000003) ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
[6] Tue 12Jun01 10:54:44 - (000003) 500 'PPPPPPPPPPPPPPPPPPPPPPPPP': command not understood.
[2] Tue 12Jun01 10:54:44 - (000003) ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
[6] Tue 12Jun01 10:54:44 - (000003) 500 'PPPPPPPPPPPPPPPPPPPPPPPPP': command not understood.
[2] Tue 12Jun01 10:54:44 - (000003) ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
[6] Tue 12Jun01 10:54:44 - (000003) 500 'PPPPPPPPPPPPPPPPPPPPPPPPP': command not understood.
[2] Tue 12Jun01 10:54:44 - (000003) ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
[6] Tue 12Jun01 10:54:44 - (000003) 500 'PPPPPPPPPPPPPPPPPPPPPPPPP': command not understood.
[2] Tue 12Jun01 10:54:44 - (000003) ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
[6] Tue 12Jun01 10:54:44 - (000003) 500 'PPPPPPPPPPPPPPPPPPPPPPPPP': command not understood.
[2] Tue 12Jun01 10:54:44 - (000003) pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
[6] Tue 12Jun01 10:54:44 - (000003) 500 'PPPPPPPPPPPPPPPPPPPPPPPPP': command not understood.
[5] Tue 12Jun01 10:54:44 - (000003) Closing connection for user ANONYMOUS (00:00:04 connected)

I think this request could be an attempt to overflow the buffer, or simply testing to see
what kind of error it gets to identify the OS (and ftp server software) better. Any ideas
about this one would be most welcome.


The third entry comes from the same host, the day after:

[5] Wed 13Jun01 14:23:49 - (000019) Connected to 213.51.52.27 (Local address x.x.x.x)
[6] Wed 13Jun01 14:23:49 - (000019) 220 EOS FTP 2.1 Ready ...
[2] Wed 13Jun01 14:23:49 - (000019) USER anonymous
[6] Wed 13Jun01 14:23:49 - (000019) 331 User name okay, please send complete E-mail address as password.
[5] Wed 13Jun01 14:23:49 - (000019) IP-Name: CP17725-A.DBSCH1.NB.NL.HOME.COM
[2] Wed 13Jun01 14:23:49 - (000019) PASS <e-mail address obscured>
[5] Wed 13Jun01 14:23:49 - (000019) ANONYMOUS logged in, password: <e-mail address obscured>
[6] Wed 13Jun01 14:23:49 - (000019) 230 User logged in, proceed.

Once again this is Grim's Ping automated tool, with the Companion software, as you will see further down.

[2] Wed 13Jun01 14:23:49 - (000019) CWD /
[6] Wed 13Jun01 14:23:49 - (000019) 250 Directory changed to /
[2] Wed 13Jun01 14:23:49 - (000019) TYPE I
[6] Wed 13Jun01 14:23:49 - (000019) 200 Type set to I.
[2] Wed 13Jun01 14:23:50 - (000019) PORT 213,51,52,27,17,98
[6] Wed 13Jun01 14:23:50 - (000019) 200 PORT Command successful.
[2] Wed 13Jun01 14:23:50 - (000019) STOR /1mbtest.ptf

The scanner uploads a 1mb test file to the root directory.

[6] Wed 13Jun01 14:23:50 - (000019) 150 Opening BINARY mode data connection for 1mbtest.ptf.
[4] Wed 13Jun01 14:23:50 - (000019) Receiving file d:\anonftp\1mbtest.ptf
[4] Wed 13Jun01 14:25:16 - (000019) Received file d:\anonftp\1mbtest.ptf successfully
(11.9 Kb/sec - 1048578 bytes)
[6] Wed 13Jun01 14:25:16 - (000019) 226-Maximum disk quota limited to 300000 Kbytes
[6] Wed 13Jun01 14:25:16 - (000019) Used disk quota 1024 Kbytes, available 298975 Kbytes
[6] Wed 13Jun01 14:25:16 - (000019) 226 Transfer complete.
[2] Wed 13Jun01 14:25:17 - (000019) PORT 213,51,52,27,6,55
[6] Wed 13Jun01 14:25:17 - (000019) 200 PORT Command successful.
[2] Wed 13Jun01 14:25:17 - (000019) TYPE I
[6] Wed 13Jun01 14:25:17 - (000019) 200 Type set to I.
[2] Wed 13Jun01 14:25:17 - (000019) RETR /1mbtest.ptf

Then it downloads the file back.

[6] Wed 13Jun01 14:25:17 - (000019) 150 Opening BINARY mode data connection for 1mbtest.ptf (1048578 bytes).
[3] Wed 13Jun01 14:25:17 - (000019) Sending file d:\anonftp\1mbtest.ptf
[3] Wed 13Jun01 14:26:29 - (000019) Sent file d:\anonftp\1mbtest.ptf successfully (14.3 Kb/sec - 1048578 bytes)
[6] Wed 13Jun01 14:26:29 - (000019) 226-Maximum disk quota limited to 300000 Kbytes
[6] Wed 13Jun01 14:26:29 - (000019) Used disk quota 1024 Kbytes, available 298975 Kbytes
[6] Wed 13Jun01 14:26:29 - (000019) 226 Transfer complete.
[2] Wed 13Jun01 14:26:29 - (000019) TYPE A
[6] Wed 13Jun01 14:26:29 - (000019) 200 Type set to A.
[2] Wed 13Jun01 14:26:30 - (000019) PORT 213,51,52,27,9,50
[6] Wed 13Jun01 14:26:30 - (000019) 200 PORT Command successful.
[2] Wed 13Jun01 14:26:30 - (000019) LIST -la
[6] Wed 13Jun01 14:26:30 - (000019) 150 Opening ASCII mode data connection for /bin/ls.
[6] Wed 13Jun01 14:26:30 - (000019) 226-Maximum disk quota limited to 300000 Kbytes
[6] Wed 13Jun01 14:26:30 - (000019) Used disk quota 1024 Kbytes, available 298975 Kbytes
[6] Wed 13Jun01 14:26:30 - (000019) 226 Transfer complete.
[2] Wed 13Jun01 14:26:30 - (000019) DELE /1mbtest.ptf
[6] Wed 13Jun01 14:26:30 - (000019) 250 DELE command successful.

And finally it deletes the test file. So far the following statistics have been gathered from my site:
upload/download is enabled, my speed, and files are deletable (I had changed the configuration to
allow deletion of files by the anonymous user).

[2] Wed 13Jun01 14:26:30 - (000019) TYPE A
[6] Wed 13Jun01 14:26:30 - (000019) 200 Type set to A.
[2] Wed 13Jun01 14:26:30 - (000019) PORT 213,51,52,27,9,51
[6] Wed 13Jun01 14:26:30 - (000019) 200 PORT Command successful.
[2] Wed 13Jun01 14:26:31 - (000019) STOR /space.asp
[6] Wed 13Jun01 14:26:31 - (000019) 150 Opening ASCII mode data connection for space.asp.
[4] Wed 13Jun01 14:26:31 - (000019) Receiving file d:\anonftp\space.asp
[4] Wed 13Jun01 14:26:31 - (000019) Received file d:\anonftp\space.asp successfully (4.91 Kb/sec - 2648 bytes)
[6] Wed 13Jun01 14:26:31 - (000019) 226-Maximum disk quota limited to 300000 Kbytes
[6] Wed 13Jun01 14:26:31 - (000019) Used disk quota 2 Kbytes, available 299997 Kbytes
[6] Wed 13Jun01 14:26:31 - (000019) 226 Transfer complete.

This file is included with Grim's Ping Companion and will give out information about the
ftp server, as described in the tools section.

At the same moment the following entry is found in the log of my HTTP server (IIS/5.0):

2001-06-13 12:26:38 213.51.52.27 - x.x.x.x 80 GET /space.asp |-|0|404_Object_Not_Found 404 -

Of course, if I had used the same directory for both http and ftp, the ASP script would have
executed and given out further information about my machine to the scanner. Also note the timing:
the IIS entry is stamped 12:26:38 (IIS logs in UTC, two hours behind the local time in the Serv-U
log), and the DELE that follows is logged at 14:26:38, so the scanner fetched the page and removed
the file within the same second, while the ftp session was still open.

[2] Wed 13Jun01 14:26:38 - (000019) DELE /space.asp
[6] Wed 13Jun01 14:26:38 - (000019) 250 DELE command successful.
[5] Wed 13Jun01 14:26:38 - (000019) Closing connection for user ANONYMOUS (00:02:49 connected)


Once the ASP file is not found on the HTTP server, the scanner simply deletes the file,
leaving little or no trace of its scan, and moves on to the next target.
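The behaviour in the three logs above (anonymous login followed by an MKD within a second or two, a burst of CWDs into well-known pub directories, an MKD/RMD write probe, a PORT command aimed at a third host as in the FXP section, the 1mbtest.ptf/space.asp upload cycle, and the oversized 'ppp...' request) can be turned into a log triage script. The following is an added example written for this article; it is not the author's code and not part of Serv-U, Grim's Ping or Omega Scanner. It assumes the Serv-U text log layout shown above ("[level] Day DDMonYY HH:MM:SS - (session) text", where level 2 is a client command, 5 a session event and 6 a server reply) and runs over a constructed sample log using documentation IP addresses.

```python
"""Triage Serv-U style FTP logs for pub-scanner behaviour (added example, not Serv-U code)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log layout, taken from the entries quoted in the article.
LINE_RE = re.compile(r"^\[(\d)\] (\w{3} \d{2}\w{3}\d{2} \d{2}:\d{2}:\d{2}) - \((\d+)\) (.*)$")
CONNECT_RE = re.compile(r"^Connected to (\d+\.\d+\.\d+\.\d+)")
PORT_RE = re.compile(r"^(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")

# Directory names the second log shows being tried within one second.
PROBE_DIRS = {"/pub", "/public", "/pub/incoming", "/incoming", "/_vti_pvt"}
# File names the article ties to Grim's Ping Companion.
SCANNER_FILES = {"1mbtest.ptf", "space.asp"}
MAX_SANE_COMMAND = 512  # longer command lines deserve a look (cf. the 'ppp...' request)


def parse_line(line):
    """Split one log line into (level, timestamp, session id, text), or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    level, stamp, session, text = m.groups()
    return int(level), datetime.strptime(stamp, "%a %d%b%y %H:%M:%S"), session, text


def build_sessions(lines):
    """Group client commands and session events by Serv-U session id."""
    sessions = defaultdict(lambda: {"client": None, "connected": None, "user": None, "cmds": []})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        level, when, sid, text = parsed
        s = sessions[sid]
        if level == 5:
            m = CONNECT_RE.match(text)
            if m:
                s["client"], s["connected"] = m.group(1), when
            elif " logged in" in text:
                s["user"] = text.split(" logged in", 1)[0].strip().lower()
        elif level == 2:
            verb, _, arg = text.partition(" ")
            s["cmds"].append((when, verb.upper(), arg.strip()))
    return dict(sessions)


def indicators(s):
    """Behavioural indicators for one session; each maps to a step seen in the article's logs."""
    found = []
    cmds = s["cmds"]
    if s["user"] == "anonymous":
        found.append("anonymous-login")
    mkd_times = [t for t, v, _ in cmds if v == "MKD"]
    if mkd_times and s["connected"] and (mkd_times[0] - s["connected"]).total_seconds() <= 2:
        found.append("mkd-within-2s-of-connect")          # first log: mkd _kurdt
    if len({a.rstrip("/") for _, v, a in cmds if v == "CWD"} & PROBE_DIRS) >= 2:
        found.append("probes-known-pub-dirs")              # CWD /pub/, /incoming/, ...
    if {a for _, v, a in cmds if v == "MKD"} & {a for _, v, a in cmds if v == "RMD"}:
        found.append("mkd-rmd-write-probe")                # MKD/RMD 020612105639p
    for _, v, a in cmds:
        m = PORT_RE.match(a) if v == "PORT" else None
        if m and ".".join(m.groups()[:4]) != s["client"]:
            found.append("third-party-port")               # PORT to another host: FXP / bounce test
            break
    names = {a.rsplit("/", 1)[-1].lower() for _, v, a in cmds if v in ("STOR", "RETR", "DELE")}
    if names & SCANNER_FILES:
        found.append("scanner-test-files")                 # 1mbtest.ptf, space.asp
    if any(len(v) + len(a) > MAX_SANE_COMMAND for _, v, a in cmds):
        found.append("oversized-command")
    return found


def triage(lines, threshold=2):
    """Return {session_id: (client_ip, indicators)} for sessions with at least `threshold` hits."""
    out = {}
    for sid, s in build_sessions(lines).items():
        hits = indicators(s)
        if len(hits) >= threshold:
            out[sid] = (s["client"], hits)
    return out


# Constructed sample log modelled on the article's entries (documentation IPs, not real hosts).
SAMPLE_LOG = [
    "[5] Tue 12Jun01 10:54:40 - (000003) Connected to 192.0.2.10 (Local address 203.0.113.5)",
    "[2] Tue 12Jun01 10:54:41 - (000003) USER anonymous",
    "[5] Tue 12Jun01 10:54:41 - (000003) ANONYMOUS logged in, password: guest@example.invalid",
    "[2] Tue 12Jun01 10:54:41 - (000003) CWD /pub/",
    "[6] Tue 12Jun01 10:54:41 - (000003) 550 /pub: No such file or directory.",
    "[2] Tue 12Jun01 10:54:41 - (000003) CWD /incoming/",
    "[2] Tue 12Jun01 10:54:42 - (000003) MKD 020612105639p",
    "[2] Tue 12Jun01 10:54:42 - (000003) RMD 020612105639p",
    "[2] Tue 12Jun01 10:54:44 - (000003) PORT 198,51,100,20,0,21",  # not the client's own address
    "[2] Tue 12Jun01 10:54:44 - (000003) CWD " + "p" * 600,
    "[5] Tue 12Jun01 10:54:44 - (000003) Closing connection for user ANONYMOUS (00:00:04 connected)",
    "[5] Tue 12Jun01 11:02:00 - (000004) Connected to 192.0.2.77 (Local address 203.0.113.5)",
    "[2] Tue 12Jun01 11:02:01 - (000004) USER anonymous",
    "[5] Tue 12Jun01 11:02:01 - (000004) ANONYMOUS logged in, password: someone@example.invalid",
    "[2] Tue 12Jun01 11:02:09 - (000004) RETR readme.txt",           # an ordinary visitor
]

if __name__ == "__main__":
    for sid, (ip, hits) in triage(SAMPLE_LOG).items():
        print(f"session {sid} from {ip}: {', '.join(hits)}")
```

Run against the sample, session 000003 is reported with six indicators while the ordinary anonymous visitor in session 000004 (one indicator) stays below the threshold. The third-party PORT check is the same test a server can apply at runtime to refuse bounce attempts: a PORT address that is not the control connection's peer has no legitimate reason to exist on an anonymous site.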

Problems caused by FTP Pub scanning

This is what I have seen so far. Maybe if I waited longer I'd find myself full of Warez
and my IP address on some Warez site, IRC channel or bulletin board, with most of
my bandwidth being abused; not that nice. Apart from this, corporate sites could
be targeted by the software makers and accused of distributing illegal software
(Warez), with similar legal issues.

Besides this, there is also the obvious risk of disk space usage, which is limited.


Securing your Server

Securing a server which is vulnerable to this kind of attack is pretty much straightforward
for normal configurations. It should be clear that what pub-scanners are
exploiting is misconfiguration of ftp (and http) servers. If there is no reason to
let anonymous users upload files, just disable this functionality. If you need
certain users to upload files, you should consider creating a user and password for
this purpose and giving them write access (and preferably chroot the user).

Another configuration option would be to create a folder for anonymous connections
which allows uploads but not downloads. This will make downloaders (and probably pub-scanners)
jump to the next target and simply dismiss your ftp site.

HTTP and FTP servers should also use separate directories. Letting an anonymous ftp
user upload a CGI script into the http server's document tree means that, depending on the
configuration and web server (we're talking about misconfigured servers here ...), the user will
be able to execute possibly malicious code on the target host. This attack was
performed on Apache.org back in May 2000, and has probably been around since the use
of CGI scripts in HTTP.
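The two layout rules above (keep the ftp tree and the web tree apart; if anonymous uploads are needed at all, confine them to one directory that can be written to but not listed) can be checked mechanically. The script below is an added example written for this article, not the author's code and not tied to any ftp server product. It assumes a Unix host where the anonymous user runs as an unprivileged account, so the "other" permission bits decide what that user may do, and it audits a constructed temporary layout first in the weak form the article's honeypot had (writable root, web tree inside the ftp tree) and then in the corrected form.

```python
"""Audit an anonymous FTP layout against the article's hardening rules (added example)."""
import os
import shutil
import stat
import tempfile


def roots_overlap(ftp_root, web_root):
    """True if one tree contains the other, or both are the same directory."""
    a, b = os.path.realpath(ftp_root), os.path.realpath(web_root)
    try:
        return os.path.commonpath([a, b]) in (a, b)
    except ValueError:          # different drives (Windows): the trees cannot overlap
        return False


def is_upload_only(path):
    """Others may enter (x) and create entries (w) but not list (r) the directory."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IWOTH) and bool(mode & stat.S_IXOTH) and not (mode & stat.S_IROTH)


def audit(ftp_root, web_root, incoming):
    """Return a list of findings; an empty list means the layout follows the rules."""
    findings = []
    if roots_overlap(ftp_root, web_root):
        findings.append("ftp-and-http-share-a-tree")      # uploaded ASP/CGI would be executable
    if not is_upload_only(incoming):
        findings.append("incoming-dir-listable-or-not-writable")
    incoming_real = os.path.realpath(incoming)
    for dirpath, _, _ in os.walk(ftp_root):
        if os.path.realpath(dirpath) == incoming_real:
            continue                                      # the one place uploads belong
        if os.stat(dirpath).st_mode & stat.S_IWOTH:       # any other writable dir is a pub in waiting
            findings.append("world-writable:" + os.path.relpath(dirpath, ftp_root))
    return findings


def demo():
    """Build a constructed layout in a temp dir and audit it weak, then corrected."""
    base = tempfile.mkdtemp()
    try:
        ftp = os.path.join(base, "anonftp")
        incoming = os.path.join(ftp, "incoming")
        web_inside = os.path.join(ftp, "www")     # weak: web root lives inside the ftp tree
        web_apart = os.path.join(base, "www")     # corrected: separate trees
        for d in (ftp, incoming, web_inside, web_apart):
            os.makedirs(d)
        os.chmod(web_inside, 0o755)               # fixed mode so the result does not depend on umask
        os.chmod(ftp, 0o777)                      # weak: root writable, as the honeypot was
        os.chmod(incoming, 0o777)                 # weak: incoming listable and downloadable
        weak = audit(ftp, web_inside, incoming)
        os.chmod(ftp, 0o755)                      # corrected: root read-only for anonymous
        os.chmod(incoming, 0o733)                 # corrected: drop box, no listing
        fixed = audit(ftp, web_apart, incoming)
        return weak, fixed
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    weak, fixed = demo()
    print("weak layout:", weak)
    print("corrected layout:", fixed)
```

Mode 0733 on the drop box only stops listing; a file whose name is known can still be fetched unless the ftp daemon creates uploads without read permission for others, so pair this check with the server's own upload umask or "no download" option. The overlap check uses real paths, so a symlink from the web tree into the ftp tree is caught as well.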



Conclusion

Pub scanning seems to have become a favourite and risky pastime for many
Warez dealers. This is probably because point-and-click
Windows scanners are easily available from professional-looking sites.
The fact that in just a week two different scanners hit my testing site
seems to indicate an increase in such scanning, and should not be
underestimated by the unwary administrator. With the increase in such activity,
new tools and features in existing tools will continue to improve the art of pub scanning.


Reference

Prevention & Incidents

Honeynet - http://project.honeynet.org/scans/arch/scan8.txt
Cert.org tips - http://www.cert.org/tech_tips/anonymous_ftp_config.txt
Same attacks way back in 1993 - http://www.ciac.org/ciac/bulletins/d-19.shtml
Anonymous FTP abuses - http://www.bris.ac.uk/is/services/networks/anonftp/anonftp2.html
FTP BOUNCE Attack - http://packetstorm.securify.com/UNIX/scanners/hobbit.ftpbounce.txt

Software

Grim's Ping and other tools - http://grimsping.cjb.net/downloads.htm
Omega Scanner - http://www.cybercoderz.com/


Tutorials

Net Knowledge Base - http://www.netknowledgebase.com/
Neuromancer's Tutorial Page! - http://neuro2k.homestead.com/files/index.html
The 'Art' of pub scanning - http://www.jestrix.net/tuts/scan.html

FTP RFC

FTP RFC - http://www.faqs.org/rfcs/rfc959.html
Internet Host Requirements - http://www.faqs.org/rfcs/rfc1123.html


Discussion Boards

SWL FORUM - http://swlforum.cjb.net/
Net knowledgebase forum - http://www.netknowledgebase.com/forum/index.php
Grim's Ping Forum - http://workshops.prohosting.com/grimsping/webboard/webboard.cgi


Glossary

FTP: File Transfer Protocol. Used to transfer files between hosts; it consists of
a server on one side and a client on the other.

IP address: Internet protocol address. Each active machine on the internet
has an IP address.

Warez: Illegal/Copyrighted software.

FXP: File Exchange Protocol. Not a protocol in itself AFAIK, but used
by pub scanners to describe the process of copying software from one server
to another directly, using passive mode ftp.

PUB: Public Folder. Can allow uploading to and downloading from to
exchange software and data.

Scanning: Searching for a certain type of host by checking a range of
 IP addresses.

Pub-scanning: Scanning for PUBs. Basically searching for an ftp site
 which allows users to freely upload and download software.

Exploit: Taking advantage of a security problem.

SOCKS: Allows machines to connect to other hosts via this service.

CGI script: A server-side script which executes custom code to extend functionality of the web server.


 