[Snort-sigs] Sig for Grim's Ping FTP scanner tool

JP Vossen vossenjp at ...1431...
Fri Aug 1 23:03:03 EDT 2003

Capture file created as follows, and even though -h was defined it
obfuscated both addresses...  Let me know how to fix it and I'll run it
again.  Running Snort 2.0.1 (Build 88).

snort -qOb -h 66.xx.xx.xx/32 -r snort.log.1059710464 host

The capture is from a Honeypot that spoofs FTP servers (THP) so it looks
like the exploit worked, but it really didn't.


# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

alert tcp any any -> any 21 (msg:"Grim's Ping public ftp scanning tool";
content:"PASS "; content:"gpuser@home.com";
reference:URL,grimsping.cjb.net; classtype:network-scan; sid:1110000; rev:1;)
Bogus: 1110000
Detects 'Grim's Ping' which among other things looks for world writable
FTP servers.
If the tool succeeds in its tests, you are probably running a world
writable FTP server. If so, it will be exploited, probably for illegal
purposes. You need to correct the configuration on the server.
Detailed Information:
The string ?gpuser@home.com is a signature of the Grim's Ping public ftp
scanning tool. This tool prepends the string "gpuser" with a random upper
case letter. It then checks for the existence of directories and which of
those might allow writing. The tool is configurable and also acts as a
port and proxy scanner.
Affected Systems:
Any poorly configured FTP server.
Attack Scenarios:
Kiddies looking for poorly configured servers to store Warez on, etc.
Ease of Attack:
Trivial.  'Grim's Ping' is a Windows GUI program.
False Positives:
Any legitimate user with a password containing the substring
'gpuser@home.com' will trigger this alert.
False Negatives:
None known.
Corrective Action:
Rebuild the server since it's probably been hacked, then make sure you
have corrected the FTP configuration.
JP Vossen <jp{at}jpsdomain{dot}org>
Safka <safk{at}riad{dot}rr{dot}com>
Additional References:

JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
"The software said it requires Windows XP or better, so I installed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gpuser.pcap
Type: application/octet-stream
Size: 2191 bytes
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20030801/916c953c/attachment.obj>
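An added example, not part of the list post or of Snort: it emulates the posted rule's content matching over constructed FTP client lines, and beside it a stricter check that requires the password to be exactly one upper-case letter followed by the tool string, as the "Detailed Information" text describes. The tool string is assumed to be gpuser@home.com (reconstructed from the description); the sample lines are constructed and not taken from the attached pcap.

```python
import re

# Snort "content:" is a case-sensitive substring test over the payload, and
# the rule fires only when every content: option matches somewhere in it.
RULE_CONTENTS = ("PASS ", "gpuser@home.com")  # assumed exact tool string

# Tightened variant (added here): the post says the tool prepends one random
# upper-case letter to the string, so require exactly that as the whole
# password instead of the substring anywhere in the line.
TOOL_PASS_RE = re.compile(rb"PASS [A-Z]gpuser@home\.com\r?\n")


def snort_rule_matches(payload: bytes) -> bool:
    """Emulate the posted rule: all content strings present, any order."""
    return all(c.encode() in payload for c in RULE_CONTENTS)


def tool_pass_matches(payload: bytes) -> bool:
    """Stricter check: whole line is PASS + one letter + the tool string."""
    return TOOL_PASS_RE.fullmatch(payload) is not None


def classify_session(lines):
    """Return (rule_hits, strict_hits) over FTP control-channel client lines."""
    rule_hits = [l for l in lines if snort_rule_matches(l)]
    strict_hits = [l for l in lines if tool_pass_matches(l)]
    return rule_hits, strict_hits


# Constructed sample client lines (not from the attached capture).
SAMPLE_LINES = [
    b"USER anonymous\r\n",
    b"PASS Qgpuser@home.com\r\n",       # scanner pattern: letter + tool string
    b"CWD /pub\r\n",
    b"USER alice\r\n",
    b"PASS mygpuser@home.com99\r\n",    # legitimate password containing the substring
    b"PASS gpuser@home.com\r\n",        # tool string without the letter prefix
    b"pass Kgpuser@home.com\r\n",       # lower-case verb: FTP verbs are case-insensitive,
]                                       # but content: is case-sensitive without nocase

if __name__ == "__main__":
    rule, strict = classify_session(SAMPLE_LINES)
    print("posted rule hits:", rule)   # 3 lines, including the false positive
    print("strict hits:", strict)      # only the letter-prefixed line
```

The lower-case "pass" line shows why a rule on FTP verbs usually carries `nocase;`, while the stricter form trades the false positive noted above for missing a password that lacks the letter prefix.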