Hosting Provided By

RE: ano@ano.com ftpd dip.t-dialin.net

From: Rick Darsey <rdarsey(at)aims1.com>
Date: Thu Nov 07 2002 - 08:50:19 EST

Although I have not seen this particular item, I have blocked any access from
dip-t-dial.net to any of my servers. Over the last 2 years, I have seen repeated
attempts to log into my ftp servers using various exploits, and attempts to gain
access to these servers via telnet. I have notified the admins at "dipsters" several
times, with no success. It would seem that there are a number of hackers/crackers that
work from dip-t, or spoof the IP block, and the admins do not seem to think it is
necessary to do anything about it. Another one is wanadoo.fr, I have seen the same
pattern of attempts from them as well.

Rick

-----Original Message-----
From: Owen McCusker [mailto:mccusker@sonalysts.com] Sent: Wednesday, November 06, 2002 3:50 PM To: incidents@securityfocus.com
Subject: ano@ano.com ftpd dip.t-dialin.net

I have seen some interesting access on a few anonymous ftp servers logs.

The following sequence occurs:
1) The user logs on anonymously with the username ano@ano.com. 2) user transfers a repeating binary file XXX.XXX where the X is a digit (e.g. 471.995)

the file has a repeating pattern to it. the file size is: 104154 (bytes)
file name was: 471.995 (maybe a sequencing number for reassembly...)

constents look like: (via text editor)

Do you need help?

.3›;ØÎšŸg3pBØÇ=´g?Ãä?[o¼g‡Ãò?«šgÝÃA?[š\ÃO?[Ã;g3›4?[Ãdr3.............

(maybe encrypted text?)
3) The user accesses the file later on.

The users are from dip.t-dial.net, the user RIPE the description includes:

Deutsche Telekom AG, Internet Service Provider, CeBIT 99

I am not sure what these users are doing. Maybe they are trying to setup someway to perform "store and forward" services via anonymous FTP.

Maybe this is somehow related to the same scheme devised using iroffer ( aka DCC bot).

Has anyone else seen this type of activity from dip.t-dialin.net or dipsters for short. ;-)?

Owen

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Thu Nov 7 13:49:24 2002

Do you need more help?

This message: [ Message body ]
Next message: Dave Laird: "Re: ano@ano.com ftpd dip.t-dialin.net"
Previous message: Keith T. Morgan: "Script I haven't seen? Or human directed?"
In reply to: Owen McCusker: "ano@ano.com ftpd dip.t-dialin.net"
Next in thread: Valdis.Kletnieks(at)vt.edu: "Re: ano@ano.com ftpd dip.t-dialin.net"
Reply: Valdis.Kletnieks(at)vt.edu: "Re: ano@ano.com ftpd dip.t-dialin.net"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:50 EDT