[Snort-sigs] Sig for Grim's Ping FTP scanner tool
Capture file created as follows, and even though -h was defined it
obfuscated both addresses... Let me know how to fix it and I'll run it
again. Running Snort 2.0.1 (Build 88).
snort -qOb -h 66.xx.xx.xx/32 -r snort.log.1059710464 host 81.51.2.204
The capture is from a Honeypot that spoofs FTP servers (THP) so it looks
like the exploit worked, but it really didn't.
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#
Rule:
alert tcp any any -> any 21 (msg:"Grim's Ping public ftp scanning tool";
content:"PASS "; content:"gpuser@home.com";
reference:URL,archives.neohapsis.com/archives/snort/2002-04/0448.html;
reference:URL,grimsping.cjb.net; classtype:network-scan; sid:1110000; rev:1;)
--
Sid:
Bogus: 1110000
--
Summary:
Detects 'Grim's Ping' which among other things looks for world writable
FTP servers.
--
Impact:
If the tool succeeds in its tests, you are probably running a world
writable FTP server. If so, it will be exploited, probably for illegal
purposes. You need to correct the configuration on the server.
--
Detailed Information:
The string ?gpuser@home.com is a signature of the Grim's Ping public ftp
scanning tool. This tool prepends the string "gpuser" with a random upper
case letter. It then checks for the existence of directories and which of
those might allow writing. The tool is configurable and also acts as a
port and proxy scanner.
--
Affected Systems:
Any poorly configured FTP server.
--
Attack Scenarios:
Kiddies looking for poorly configured servers to store Warez on, etc.
--
Ease of Attack:
Trivial. 'Grim's Ping' is a Windows GUI program.
--
False Positives:
Any legitimate user with a password containing the substring
'gpuser@home.com' will trigger this alert.
--
False Negatives:
None known.
--
Corrective Action:
Rebuild the server since it's probably been hacked, then make sure you
have corrected the FTP configuration.
--
Contributors:
JP Vossen <jp{at}jpsdomain{dot}org>
Safka <safk{at}riad{dot}rr{dot}com>
--
Additional References:
archives.neohapsis.com/archives/snort/2002-04/0448.html
grimsping.cjb.net
------------------------------|:::======|--------------------------------
JP Vossen, CISSP |:::======| jp{at}jpsdomain{dot}org
My Account, My Opinions |=========|
http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed
Linux..."
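Added example (not code from the post or from Snort): the detection logic of the rule above replayed over a constructed FTP control-channel session, side by side with a stricter check built from the Detailed Information section (one random upper-case letter prepended to "gpuser@home.com" as the whole PASS argument). The stricter pattern is my own suggestion for cutting the false positive the post names; the session lines are constructed, not captured traffic.

```python
import re

# Two checks over FTP control-channel commands:
#   1. snort_style(): the posted rule's logic, "PASS " and "gpuser@home.com"
#      both present anywhere in the payload (substring match, any order).
#   2. strict(): the pattern the Detailed Information describes, exactly one
#      upper-case letter followed by "gpuser@home.com" as the whole password.
SNORT_CONTENT_PASS = "PASS "
SNORT_CONTENT_USER = "gpuser@home.com"
STRICT_PASS_RE = re.compile(r"^[A-Z]gpuser@home\.com$")


def snort_style(payload: str) -> bool:
    """Both 'content' options of the posted rule match the payload."""
    return SNORT_CONTENT_PASS in payload and SNORT_CONTENT_USER in payload


def parse_ftp_command(line: str):
    """Split an FTP control-channel line into (VERB, argument)."""
    line = line.rstrip("\r\n")
    verb, _, arg = line.partition(" ")
    return verb.upper(), arg


def strict(payload: str) -> bool:
    """Match only when the PASS argument is exactly <A-Z>gpuser@home.com."""
    verb, arg = parse_ftp_command(payload)
    return verb == "PASS" and STRICT_PASS_RE.fullmatch(arg) is not None


def classify(lines):
    """Return (line, snort_style_hit, strict_hit) for every session line."""
    return [(ln.rstrip("\r\n"), snort_style(ln), strict(ln)) for ln in lines]


# Constructed sample session (hypothetical, not captured traffic): one
# Grim's Ping style login and one legitimate user whose password merely
# contains the substring, i.e. the false positive described in the post.
SAMPLE_SESSION = [
    "USER anonymous\r\n",
    "PASS Kgpuser@home.com\r\n",      # random letter + gpuser@home.com
    "USER alice\r\n",
    "PASS mygpuser@home.com123\r\n",  # legitimate password with the substring
    "CWD /incoming\r\n",
]

if __name__ == "__main__":
    for line, s, t in classify(SAMPLE_SESSION):
        print(f"{line!r:32} snort_style={s} strict={t}")
```

Running it shows the substring rule firing on both PASS lines while the anchored pattern fires only on the Grim's Ping style login.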
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Sat Aug 2 02:35:49 2003