[Snort-sigs] Sig for Grim's Ping FTP scanner tool

JP Vossen vossenjp at ...1431...
Fri Aug 1 23:03:03 EDT 2003


Capture file created as follows, and even though -h was defined it
obfuscated both addresses...  Let me know how to fix it and I'll run it
again.  Running Snort 2.0.1 (Build 88).

snort -qOb -h 66.xx.xx.xx/32 -r snort.log.1059710464 host 81.51.2.204

The capture is from a Honeypot that spoofs FTP servers (THP) so it looks
like the exploit worked, but it really didn't.

~~~~~~~~~~~~~~~~~~~~~~~~~

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:
alert tcp any any -> any 21 (msg:"Grim's Ping public ftp scanning tool";
content:"PASS "; content:"gpuser at ...1437...";
reference:URL,archives.neohapsis.com/archives/snort/2002-04/0448.html;
reference:URL,grimsping.cjb.net; classtype:network-scan; sid:1110000; rev:1;)
--
Sid:
Bogus: 1110000
--
Summary:
Detects 'Grim's Ping' which among other things looks for world writable
FTP servers.
--
Impact:
If the tool succeeds in its tests, you are probably running a world
writable FTP server. If so, it will be exploited, probably for illegal
purposes. You need to correct the configuration on the server.
--
Detailed Information:
The string ?gpuserhome.com is a signature of the Grim's Ping public ftp
scanning tool. This tool prepends the string "gpuser" with a random upper
case letter. It then checks for the existence of directories and which of
those might allow writing. The tool is configurable and also acts as a
port and proxy scanner.
--
Affected Systems:
Any poorly configured FTP server.
--
Attack Scenarios:
Kiddies looking for poorly configured servers to store Warez on, etc.
--
Ease of Attack:
Trivial.  'Grim's Ping' is a Windows GUI program.
--
False Positives:
Any legitimate user with a password containing the substring
'gpuser at ...1437...' will trigger this alert.
--
False Negatives:
None known.
--
Corrective Action:
Rebuild the server since it's probably been hacked, then make sure you
have corrected the FTP configuration.
--
Contributors:
JP Vossen <jp{at}jpsdomain{dot}org>
Safka <safk{at}riad{dot}rr{dot}com>
-- 
Additional References:
archives.neohapsis.com/archives/snort/2002-04/0448.html
grimsping.cjb.net



------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed
Linux..."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gpuser.pcap
Type: application/octet-stream
Size: 2191 bytes
Desc: 
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20030801/916c953c/attachment.obj>
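The PASS-string check the submitted rule performs, worked through in Python as an added example (not the poster's code, and not part of the Snort rule). Because the archive obfuscates the domain part of the tool's login string, GPUSER_DOMAIN is a placeholder you would replace with the value from the rule; the FTP control-channel lines are constructed samples. Unlike the rule's plain substring match, the regex also accounts for the random upper-case letter the post says the tool prepends, and it separates a true tool login from the false-positive case the post describes (a legitimate password that merely contains the string).

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Placeholder: the archived post obfuscates the domain in the login string,
# so substitute the real domain from the Snort rule's content match.
GPUSER_DOMAIN = "example.invalid"

# Grim's Ping prepends one random upper-case letter to "gpuser", so allow an
# optional leading letter and anchor the rest of the string.
GPUSER_RE = re.compile(
    r"^[A-Z]?gpuser@" + re.escape(GPUSER_DOMAIN) + r"$", re.IGNORECASE
)

class Hit(NamedTuple):
    session: str
    password: str
    reason: str

def classify_pass(arg: str) -> Optional[str]:
    """'grims-ping' for an exact tool login, 'substring' for the
    false-positive case (a real password merely containing the string),
    None if the PASS argument is unrelated."""
    if GPUSER_RE.match(arg):
        return "grims-ping"
    if f"gpuser@{GPUSER_DOMAIN}".lower() in arg.lower():
        return "substring"
    return None

def scan_sessions(sessions: Dict[str, str]) -> List[Hit]:
    """Walk client->server FTP control lines and flag PASS commands,
    mirroring the rule's 'PASS ' + login-string check."""
    hits: List[Hit] = []
    for name, text in sessions.items():
        for line in text.splitlines():
            verb, _, arg = line.partition(" ")
            if verb.upper() == "PASS":
                reason = classify_pass(arg.strip())
                if reason:
                    hits.append(Hit(name, arg.strip(), reason))
    return hits

# Constructed sample control-channel traffic (client side only).
SAMPLE = {
    "scanner": "USER anonymous\r\nPASS Qgpuser@example.invalid\r\nCWD /incoming\r\n",
    "normal": "USER alice\r\nPASS hunter2\r\nPWD\r\n",
    "fp": "USER bob\r\nPASS my-gpuser@example.invalid-pw\r\n",
}

if __name__ == "__main__":
    for hit in scan_sessions(SAMPLE):
        print(hit)
```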

