[Snort-sigs] Sig for gpuser at ...1437...

JP Vossen vossenjp at ...1431...
Sat Apr 5 16:48:04 EST 2003


I was poking around in some data collected on a Honeypot and came across
someone logging in to a fake FTP server with a password of
"Dgpuser at ...1437...".  Google searches for "Dgpuser at ...1437..." and
"gpuser at ...1437..." returned among others:
http://archives.neohapsis.com/archives/snort/2002-04/0448.html

"The sting [sic] Dgpuser at ...1437... is a signature of the Grim's Ping public ftp
scanning tool. This tool prepends the string "gpuser" with a random upper case
letter. It then checks for the existence of directories and which of those
might allow writing as shown by the attempt to MKD in the log provided. The
tool is configurable and also acts as a port and proxy scanner.
http://grimsping.cjb.net/"


So then I checked http://www.snort.org/dl/rules/snortrules-stable.tar.gz with
grep -i gpuser *.rules and found nothing.

It seems to me this is a perfect FTP or scan rule.  Am I missing something?
Otherwise, if there is any interest I'll take a stab at a rule.

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|                jp at ...1432...
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows 98 or better, so I installed
Linux..."
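
An added example, not part of JP's post or of any Snort rule set: Python detection logic that does on a captured FTP command log what a rule for this would do, flagging a PASS whose value is one upper-case letter followed by "gpuser" and then collecting the MKD attempts from the same source, since the quoted description says the tool uses MKD to probe for writable directories. The log lines are constructed and the password suffix after "gpuser" is a placeholder, because the archive obfuscates the real string.

```python
import re

# Constructed sample of an FTP control-channel log, one "<src_ip> <command>"
# per line. The password suffix after "gpuser" is a placeholder: the archived
# post obfuscates the real one; only the "<upper-case letter>gpuser" prefix
# is documented.
SAMPLE_LOG = """\
203.0.113.5 USER anonymous
203.0.113.5 PASS Dgpuser@example.invalid
203.0.113.5 CWD /pub
203.0.113.5 MKD probe1
203.0.113.5 CWD /incoming
203.0.113.5 MKD probe2
198.51.100.7 USER anonymous
198.51.100.7 PASS mozilla@example.invalid
198.51.100.7 MKD upload
"""

# Grim's Ping prepends one random upper-case letter to "gpuser", so the
# anonymous-FTP password looks like "Dgpuser...", "Qgpuser...", and so on.
GPUSER_PASS = re.compile(r"^PASS\s+([A-Z]gpuser\S*)\s*$")


def scan_ftp_log(log_text):
    """Flag sources that logged in with a Grim's Ping style password.

    Returns {src_ip: {"password": str, "mkd": [dir, ...]}}. MKD commands sent
    by a flagged source after the login are collected because the tool uses
    them to test which directories allow writing.
    """
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _, cmd = line.partition(" ")
        m = GPUSER_PASS.match(cmd)
        if m:
            hits[src] = {"password": m.group(1), "mkd": []}
        elif src in hits and cmd.upper().startswith("MKD "):
            hits[src]["mkd"].append(cmd.split(None, 1)[1])
    return hits


if __name__ == "__main__":
    for src, info in scan_ftp_log(SAMPLE_LOG).items():
        print(f"{src}: PASS {info['password']}, MKD attempts {info['mkd']}")
```

The second source uses an ordinary anonymous password and is not flagged, so its MKD is ignored; a lower-case "dgpuser" also does not match, matching the "random upper case letter" behaviour described.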