[Snort-sigs] Sig for gpuser at ...1437...

John Hally JHally at ...1106...
Mon Apr 7 06:32:04 EDT 2003

sounds good to me.

-----Original Message-----
From: JP Vossen [mailto:vossenjp at ...1431...]
Sent: Saturday, April 05, 2003 7:47 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Sig for gpuser at ...1437...

I was poking around in some data collected on a Honeypot and came across
someone logging into to a fake FTP server with a password of
"Dgpuser at ...1437...".  Google searches for "Dgpuser at ...1437..." and
"gpuser at ...1437..." returned among others:

"The sting [sic] Dgpuser at ...1437... is a signature of the Grim's Ping public
scanning tool. This tool prepends the string "gpuser" with a random upper
letter. It then checks for the existence of directories and which of those
might allow writing as shown by the attempt to MKD in the log provided. The
tool is configurable and also acts as a port and proxy scanner.

So then I checked http://www.snort.org/dl/rules/snortrules-stable.tar.gz
grep -i gpuser *.rules and found nothing.

It seems to me this is a perfect FTP or scan rule.  Am I missing something?
Otherwise, if there is any interest I'll take a stab at a rule.

JP Vossen, CISSP              |:::======|                jp at ...1432...
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
"The software said it requires Windows 98 or better, so I installed

This SF.net email is sponsored by: ValueWeb: 
Dedicated Hosting for just $79/mo with 500 GB of bandwidth! 
No other company gives more support or power for your dedicated server
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list