RE: ano@ano.com ftpd dip.t-dialin.net
From: Owen McCusker <mccusker(at)sonalysts.com>
Date: Tue Nov 12 2002 - 13:29:27 EST
The incidents you describe are caused by a popular cracker tool / well-known vulnerability scanner called "FX-Scanner". It indeed seems most popular in Germany. I was looking for it because I was noticing TCP:57 attempts for some time now in my (Linux) logs. A long Google search directed me to a message submitted by Johannes Ullrich at http://isc.incidents.org/show_comment.html?id=28 and finally to http://www.fx-tools.net

In fact, the attack pattern of FX-Scanner V.030 beta is as follows:
(1) One ping (ICMP)
(2) If port 80 (http) is open, a large number of IIS-hacks. These are
(3) Two attempts to TCP:57 (TCP port 57). According to Johannes Ullrich
(4) Three TCP:21 (ftp) attempts if closed. As said, I don't run ftpd's
07/07/02 07:40p 104,154 file.txt
9a5c9475663ad6dcf53f42446972a7b1 *file.txt

so probably that file is planted using user-specified or random names; contents are binary crap as you describe. The file "scanner.ini" also included contains the following lines (among others):

ftp_Uname=anonymous
ftp_UPassword=ano@ano.com
ftp_Port=21

I played around with the tool a bit on a WXP test setup (no network cable) while listening on TCP:57 using NETCAT and confirmed that indeed fx-scanner connects to the port mentioned.

Please note: running such a program against a public net is simply NOT DONE and hopefully/probably illegal. If you consider (don't) to do just that, note that the tool is remotely controllable; it listens to TCP port 4113 and uses the default password "fxadmin" (both are variables in the ini file). It may also include other, unspecified, backdoors. Although I did not monitor behavior using a sniffer, the "Ring_Server=True" line in the ini-file suggests that fx-scanner may call home when run (it could also be the ping though). The remote control program is included in the package.

BTW I wouldn't be surprised if the number of German badguys using this tool is significantly less than one may think. Blackhats may have found ways to install this tool on PCs from innocent (but clueless) T-Online dialup/ADSL users (perhaps via KaZaa or whatever), and are controlling them remotely. The blackhats may be Germans, but obviously that is not necessarily the case. However, I'm purely speculating here.

Cheers!
Erik van Straten

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Tue Nov 12 17:39:46 2002
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:50 EDT
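The probe sequence the post describes (one ICMP ping, TCP/80, two TCP/57 attempts, then TCP/21 attempts from the same source) and the anonymous FTP login with password ano@ano.com from scanner.ini can both be matched from ordinary logs. The following is an added example, not code from the post or from the FX-Scanner package: it correlates netfilter-style syslog lines per source address and separately flags anonymous FTP logins that use that password. All log lines, hostnames and addresses below are constructed for the example, the syslog year is assumed (syslog timestamps carry none), and the ftpd line format is a simplified wu-ftpd-style message rather than a format taken from the post.

```python
"""Flag hosts whose probe sequence matches the FX-Scanner pattern from the post
(ICMP echo, TCP/80, two TCP/57 attempts, TCP/21 attempts), run over netfilter
syslog lines, plus a check for anonymous FTP logins using the scanner's password.
Added example; every log line here is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed netfilter (iptables LOG target) syslog lines; addresses are from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Nov 12 13:20:01 gw kernel: FW: IN=ppp0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
Nov 12 13:20:02 gw kernel: FW: IN=ppp0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=1301 DPT=80 SYN
Nov 12 13:20:03 gw kernel: FW: IN=ppp0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=1302 DPT=57 SYN
Nov 12 13:20:06 gw kernel: FW: IN=ppp0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=1303 DPT=57 SYN
Nov 12 13:20:07 gw kernel: FW: IN=ppp0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=1304 DPT=21 SYN
Nov 12 13:20:10 gw kernel: FW: IN=ppp0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=1305 DPT=21 SYN
Nov 12 13:20:13 gw kernel: FW: IN=ppp0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=1306 DPT=21 SYN
Nov 12 13:25:40 gw kernel: FW: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=22 SYN
Nov 12 13:25:41 gw kernel: FW: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=57 SYN
Nov 12 13:31:00 gw kernel: FW: IN=ppp0 OUT= SRC=198.51.100.8 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
"""

# Constructed ftpd syslog lines in a simplified wu-ftpd-style format (assumption).
SAMPLE_FTP_LOG = """\
Nov 12 13:20:20 gw ftpd[4711]: ANONYMOUS FTP LOGIN FROM host.example [192.0.2.10], ano@ano.com
Nov 12 13:40:02 gw ftpd[4720]: ANONYMOUS FTP LOGIN FROM mirror.example [198.51.100.9], mozilla@example.org
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")
FTP_ANON_RE = re.compile(r"ANONYMOUS FTP LOGIN FROM \S+ \[([\d.]+)\], (\S+)")
LOG_YEAR = 2002  # assumed; syslog timestamps have no year


def parse_line(line):
    """Return (timestamp, src, proto, dport_or_icmp_type) for a netfilter line, else None."""
    m = TS_RE.match(line)
    if not m or "kernel:" not in line:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    kv = dict(KV_RE.findall(line))
    if "SRC" not in kv or "PROTO" not in kv:
        return None
    if kv["PROTO"] == "ICMP":
        return ts, kv["SRC"], "ICMP", int(kv.get("TYPE", -1))
    if kv["PROTO"] in ("TCP", "UDP"):
        return ts, kv["SRC"], kv["PROTO"], int(kv.get("DPT", -1))
    return None


def fx_scanner_candidates(lines, window_seconds=600):
    """Per source: an ICMP echo request followed within the window by at least
    two TCP/57 attempts is the signature; TCP/80 and TCP/21 counts are reported
    as supporting evidence."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, proto, val = parsed
            events[src].append((ts, proto, val))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        pings = [ts for ts, p, v in evs if p == "ICMP" and v == 8]
        if not pings:
            continue  # no leading ping: does not match the described sequence
        first_ping = pings[0]
        in_window = [(p, v) for ts, p, v in evs
                     if 0 <= (ts - first_ping).total_seconds() <= window_seconds]
        tcp57 = sum(1 for p, v in in_window if p == "TCP" and v == 57)
        if tcp57 < 2:
            continue  # a lone TCP/57 hit is too weak on its own
        hits[src] = {
            "tcp57": tcp57,
            "ftp": sum(1 for p, v in in_window if p == "TCP" and v == 21),
            "http": sum(1 for p, v in in_window if p == "TCP" and v == 80),
            "first_seen": first_ping.isoformat(),
        }
    return hits


def anonymous_logins_with_password(lines, password="ano@ano.com"):
    """Source addresses of anonymous FTP logins whose 'password' matches scanner.ini's value."""
    return sorted({m.group(1) for m in map(FTP_ANON_RE.search, lines)
                   if m and m.group(2) == password})


if __name__ == "__main__":
    for src, info in fx_scanner_candidates(SAMPLE_LOG.splitlines()).items():
        print("firewall pattern:", src, info)
    print("ftp password hits:", anonymous_logins_with_password(SAMPLE_FTP_LOG.splitlines()))
```

Only the source with the full ping-then-TCP/57 sequence is reported; the host that only touched TCP/57 once without a ping and the host that only pinged are left out, and the same address shows up again in the ftpd check because of the ano@ano.com password, which is the cross-check a defender would want before attributing the activity to this tool.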