[Snort-users] Interesting ftp traffic

Michael Kopach kopam at ...7200...
Thu Oct 17 07:16:44 EDT 2002


Has anyone seen one of these before??


Oct 12 13:46:36 <server> proftpd[1582]: connect from pD9511D26.dip.t-dialin.net
Oct 12 13:46:37 <server> proftpd[1582]: <server> (pD9511D26.dip.t-dialin.net[217.81.29.38]) - FTP session opened.
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:46:38] "MKD _pringles" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:46:40] "PWD " -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:46:41] "CWD temp" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:46:42] "MKD _pringles" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:46:44] "PWD " -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:46:45] "CWD tmp" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:46:47] "MKD _pringles" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:46:48] "PWD " -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:46:50] "CWD anonymous/_vti_pvt" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:46:51] "MKD _pringles" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:46:53] "PWD " -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:46:54] "CWD anonymous/incoming" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:46:55] "MKD _pringles" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:46:57] "PWD " -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:46:58] "CWD mailroot" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:46:59] "MKD _pringles" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:01] "PWD " -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:02] "CWD ftproot" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:03] "MKD _pringles" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:05] "PWD " -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:06] "CWD anonymous/pub" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:08] "MKD _pringles" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:09] "PWD " -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:10] "CWD anonymous/public" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:12] "MKD _pringles" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:13] "PWD " -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:14] "CWD _vti_cnf" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:16] "MKD _pringles" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:17] "PWD " -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:21] "CWD anonymous/_vti_cnf" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:22] "MKD _pringles" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:24] "PWD " -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:25] "CWD images" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:26] "MKD _pringles" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:27] "PWD " -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:28] "CWD _private" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:29] "MKD _pringles" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:30] "PWD " -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:32] "CWD cgi-bin" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:33] "MKD _pringles" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:35] "PWD " -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:36] "CWD usr" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:37] "MKD _pringles" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:39] "PWD " -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:40] "CWD usr/incoming" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:42] "MKD _pringles" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:43] "PWD " -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:44] "CWD home" -
pD9511D26.dip.t-dialin.net 217.81.29.38 [1582] nobody [13:47:46] "MKD _pringles" -
Oct 12 13:47:47 <server> proftpd[1582]: <server> (pD9511D26.dip.t-dialin.net[217.81.29.38]) - FTP session closed.

Fortunately I did not find any "_pringles" directory and no other
damage seemed to be done.

Thanks .... Mike
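
Added example, not part of the original post: a Python check for the pattern in the log above, where one FTP session issues the same MKD name in several different working directories. It assumes each log entry sits on a single line in the format shown; the function name, threshold and sample lines (documentation addresses) are constructed for illustration.

```python
import re
from collections import defaultdict

# Per-command line format as shown in the post:
#   host ip [pid] user [HH:MM:SS] "VERB arg" -
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \[(?P<pid>\d+)\] (?P<user>\S+) '
    r'\[(?P<time>[\d:]+)\] "(?P<verb>[A-Za-z]+) ?(?P<arg>[^"]*)"'
)

def find_mkd_probes(lines, min_dirs=3):
    """Flag sessions that try to create the same directory name in at least
    min_dirs different working directories (hypothetical threshold)."""
    cwd = {}  # (ip, pid) -> last requested CWD argument; "" = login directory
    attempts = defaultdict(lambda: defaultdict(set))  # session -> name -> dirs
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # syslog-style open/close lines and anything unparsable
        session = (m["ip"], m["pid"])
        verb, arg = m["verb"].upper(), m["arg"].strip()
        if verb == "CWD":
            # The log carries no reply code, so this records the requested
            # directory, not whether the change succeeded.
            cwd[session] = arg
        elif verb in ("MKD", "XMKD"):
            attempts[session][arg].add(cwd.get(session, ""))
    findings = []
    for (ip, pid), names in attempts.items():
        for name, dirs in names.items():
            if len(dirs) >= min_dirs:
                findings.append({"ip": ip, "pid": pid, "name": name,
                                 "dirs": sorted(dirs)})
    return findings

# Constructed sample: one probing session and one ordinary upload session.
SAMPLE = [
    'scanner.example 192.0.2.10 [4001] nobody [10:00:01] "MKD _probe" -',
    'scanner.example 192.0.2.10 [4001] nobody [10:00:02] "PWD " -',
    'scanner.example 192.0.2.10 [4001] nobody [10:00:03] "CWD temp" -',
    'scanner.example 192.0.2.10 [4001] nobody [10:00:04] "MKD _probe" -',
    'scanner.example 192.0.2.10 [4001] nobody [10:00:05] "CWD anonymous/incoming" -',
    'scanner.example 192.0.2.10 [4001] nobody [10:00:06] "MKD _probe" -',
    'user.example 192.0.2.20 [4002] alice [10:05:00] "CWD uploads" -',
    'user.example 192.0.2.20 [4002] alice [10:05:01] "MKD reports" -',
]

if __name__ == "__main__":
    for finding in find_mkd_probes(SAMPLE):
        print(finding)
```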






