When your server ends up a Warez site

By: Obscure

This article first appeared over at our affiliates site Eye on Security. The original article can be found here

Last week I opened an anonymous ftp site on my home machine, expecting a few connections. I also wanted to see what people would do if I gave them write access. Within 3-4 days of my server being up, I got a successful connection
from a remote host which created his own directory named "_kurdt". Later on, I got another connection from a possibly different visitor, who created a different directory name "020612105639p". Checking my ftp logs, I learnt that both
processes seem automated: within the same second the user has logged in, created a folder and disconnected from my ftp server. The third scan consisted of testing upload, deletion and ftp/http miss-configuration. These attacks are
described in detail on the log files section.

FXP and Pub Scanning
"FXP stands for File eXchange Protocol and it let's you
copy files from one FTP-server to another using a FXP-client. Normally you
transfer files using the FTP protocol between your machine and a FTP-server, and
the maximum transfer
speed depends on the speed of your Internet connection (e.g. 56k, cable or T1).
When transferring files between two remote hosts using a FXP client, the maximum
transfer speed does not depend on your connection but only on the connection
between the two hosts, which is usually much faster than your own connection.
Because it is a direct connection you will not be able to see the progress or
the transfer speed of the files."   
(From http://www.ultimatefxp.f2s.com/tutorials/tutorial.htm)
Technically this means that a client will initiate a PASV ftp
connection from host A to host B, by giving the destination IP of host B as
destination. This attack is normally described as FTP Bounce Attack. Pub
Scanning on the other hand, is about scanning for ftp sites, which allow you to
upload and download your own stuff. Scanning for such ftp sites can be done
either manually using a port scanner or checking each ftp site using an ftp
client, or increasingly using software for the sole purpose of scanning for such
sites. This is described further on in the Scanning Tools section. Having such
access for Warez people means that they can have large ftp sites with good
bandwidth, easily
accessible for trading Warez, mp3s, vcds and so on.
Difference between Warez “D00ds” and Hackers
To the unwary administrator, such activity will look like his
ftp site has been hit by another evil cracker (AEC) [tm]. In reality, the
methods used for pub scanning and FXP are quite similar to patterns generated by
AEC people.
However, the scope is quite different. While a cracker will want to penetrate
the system, and maybe the network, to gain access to more machines, maybe for
DDoS (quite pop nowadays) or to deface a site, the average Warez
pub-scanner will probably only want Gigabytes of storage and bandwidth. That is
not to say that exceptions do not exist. Crackers have been known to leave Warez
on servers, and Warez people have also been using "exploits"
(mostly exploiting miss-configuration) to gain better access to their target
hosts. In fact, with Pub-scanning becoming more sophisticated, methods used by
hackers to penetrate hosts on the 'net are increasingly being used for Warez
dissemination. Also, most Warez people will use Windows as opposed to a certain
section of the hacker community that prefers Linux and *BSDs.
Attacking.
Tools of trade
Grim's Ping is probably one of the most used tools around.
Version 1.71 boasts a good number of features:
Features
--------
*Scan specified ports, using a proxy if you wish
*Ping 24.4.4.* IP range
*Host lookup
*Perform "Pub Find" on an infinite number of IP ranges
*Log Wingate engines found, in addition to FTPs
*Wingate usage to protect privacy
*Built in FTP client
*Log or print scan results
*Check write and delete permissions
*Check OS type and FXP/Resume capabilities
*Record speed
*Modify queue to reflect your scanning processes
*Import queue lists from other popular scanning utilities
*Autosave queue
*Many configurable options
As you can see, it supports anything a pub-scanner could wish
for. Gives statistics, supports "anonymity" (as described later on)
and will efficiently do automated scanning for different FTP sites. As an
add-on, Grim has also included Ping Companion, which will upload space.asp, an
Active Server Page which displays information about the host. It will also try
to upload 1k and 1mb test files to check whether the ftp server is really
capable of hosting a Warez site.
An interesting tool in use is Omega Scanner:
Script Based Internet Scanner
"Omega Scanner is a multi-threaded script based Internet
scanner. With the advantage of scripts, Omega Scanner can be configured to scan
for almost anything - from SMTP to FTP servers. The variety of scripts included
with Omega
Scanner shows the power of script-based Internet scanning. Omega Scanner
supports proxy SOCKS4 and SOCKS5" Numerous scripts are available for FTP
pub and FXP scanning… making it another tool of choice. Another tool worth
mentioning is FLashFXP ftp client, which supports ftp to ftp transfer.
Features:
· Local and Site to Site file transfers.
· Fully recursive file transferring.
· Fully recursive deleting.
· FTP Proxy, Socks 4 & 5, HTTP Proxy support.
· Grouped SITE custom commands.
· Anti-idle keeps connection active.
· Caching of directory lists.
· Disconnect Dialup-Networking once transfer has completed.
· Restore broken transfers. (reconnects and restarts file transfer)
· Drag-drop from Windows Explorer.
· System tray minimize.
- Warez Trends
Tagging
Warez traders exist in groups, so that each group will have a
couple of members who actively scan for pubs. Since different warez groups will
target each ftp site, each group creates its own tag, to claim that ftp site as
its own territory.
A tag will typically look something like "-=ACF=-"
or "[DVD-R]". Grim's Ping site hosts a tag list on http://grim.virtualave.net/addtag.cgi?view
. The idea is that ethical pub-scanners, respect tags and don't upload their own
files if the ftp site is already in use by another group. Of course, non-ethical
scanners exist, and they are sometimes called deleters.
Rating Pubs
Pubs are published on Warez bulletin boards for other users to
upload and abuse. Most lists of pubs will consist of more than just IP
addresses. Typical lists will include the uploadable directory, delete
statistics, that is, if the uploaded files are
delectable by other users, the Operating system of the ftp site, if the site is
able to resume downloads and uploads (a handy feature when doing huge
downloads), if it is FXPable, and the download speed. Grim's Ping Companion's
space.asp,
which was described earlier, will give scanners further information about the
target machine including the name of logical drives, type of drive, volume name,
free and total space, file system for each drive and version of IIS which is
running.
Hiding files
The process of uploading Warez and other goods takes time and
patience. That means that the uploader wouldn't like to have his directory
deleted after a few days (or hours), by the legitimate administrator, opposing
Warez groups or simply clueless roamers. For this purpose, Warez d00dz have
learnt various tricks to hide their stuff. The most commonly known method for
hiding directories is to prefix the filename with a dot (.). This will hide the
file on most
Unix machines. Another effective method is to use the tide symbol (~). Many ftp
clients will direct the user to the user directory when he tries to access ~,
therefore keeping certain people out and letting others in. Adding spaces to the
folder
and using loads of dummy directories (maze) are other ways the pirate uses to
hide the treasure.
Anonymity
Many pub-scanners are well aware of the risk involved, some of
them will probably have already been tipped off by some ISP or worse, got their
account stopped because of their illegal activity. Therefore, the use of
anonymous proxies, wingates and socks is quite popular among the community. Some
will be really paranoid and use multiple wingates to bounce their connection, in
hope that it will take much longer to get traced back. These techniques are
better covered in my other article about anonymity and other issues:
"Browsing Websites at your own risk".
Prevention and Post Attack Analysis.
This section is mostly for anyone (mostly administrators)
hosting an ftp site.

Log files
During my testing, (i.e. being a honeypot), I configured Serv-U
to log everything to a text file for easy manual parsing.
The following entries show pub-scanner's activity:
[5] Thu 07Jun01 13:06:42 - (000004) Connected to 61.170.139.40
(Local address x.x.x.x)
[6] Thu 07Jun01 13:06:42 - (000004) 220 EOS FTP 2.1 Ready ...
[2] Thu 07Jun01 13:06:42 - (000004) user anonymous
[6] Thu 07Jun01 13:06:42 - (000004) 331 User name okay, please send complete
E-mail address as password.
[2] Thu 07Jun01 13:06:43 - (000004) pass ncoic77@hotmail.com
[5] Thu 07Jun01 13:06:43 - (000004) ANONYMOUS logged in, password: NCOIC77@HOTMAIL.COM
[6] Thu 07Jun01 13:06:43 - (000004) 230 User logged in, proceed.
[2] Thu 07Jun01 13:06:43 - (000004) mkd _kurdt
[6] Thu 07Jun01 13:06:43 - (000004) 257 "/_kurdt" directory created.
[5] Thu 07Jun01 13:06:44 - (000004) Closing connection for user ANONYMOUS
(00:00:02 connected)

The above shows the first scan by an pub-scanner. "kurdt" seems to be
the nickname (or tag) of the client. Doing a search for _kurdt on google,
produced me with some published warez sites. So this clearly confirmed my
suspicion.
Apart from that he's probably using Omega Scanner with "pub searchin'
script.oss", which uses ncoic77@hotmail.com
as password.
The second connection produces the following logs:
[5] Tue 12Jun01 10:54:40 - (000003) Connected to 213.51.52.27
(Local address x.x.x.x)
[6] Tue 12Jun01 10:54:41 - (000003) 220 EOS FTP 2.1 Ready ...
[5] Tue 12Jun01 10:54:41 - (000003) IP-Name: CP17725-A.DBSCH1.NB.NL.HOME.COM
[2] Tue 12Jun01 10:54:41 - (000003) USER anonymous
[6] Tue 12Jun01 10:54:41 - (000003) 331 User name okay, please send complete
E-mail address as password.
[2] Tue 12Jun01 10:54:41 - (000003) PASS guest@here.com
[5] Tue 12Jun01 10:54:41 - (000003) ANONYMOUS logged in, password: GUEST@HERE.COM
[6] Tue 12Jun01 10:54:41 - (000003) 230 User logged in, proceed.
Guest@here.com is produced by the popular pub-scanner Grim's
Ping.
[2] Tue 12Jun01 10:54:41 - (000003) CWD /pub/
[6] Tue 12Jun01 10:54:41 - (000003) 550 /pub: No such file or directory.
[2] Tue 12Jun01 10:54:41 - (000003) CWD /public/
[6] Tue 12Jun01 10:54:41 - (000003) 550 /public: No such file or directory.
[2] Tue 12Jun01 10:54:41 - (000003) CWD /pub/incoming/
[6] Tue 12Jun01 10:54:41 - (000003) 550 /pub/incoming: No such file or
directory.
[2] Tue 12Jun01 10:54:42 - (000003) CWD /incoming/
[6] Tue 12Jun01 10:54:42 - (000003) 550 /incoming: No such file or directory.
[2] Tue 12Jun01 10:54:42 - (000003) CWD /_vti_pvt/
[6] Tue 12Jun01 10:54:42 - (000003) 550 /_vti_pvt: No such file or directory.
It immediately tries to search for a directory to write to.
[2] Tue 12Jun01 10:54:42 - (000003) CWD /
[6] Tue 12Jun01 10:54:42 - (000003) 250 Directory changed to /
[2] Tue 12Jun01 10:54:42 - (000003) MKD 020612105639p
[6] Tue 12Jun01 10:54:42 - (000003) 257 "/020612105639p" directory
created.
[2] Tue 12Jun01 10:54:42 - (000003) RMD 020612105639p
[6] Tue 12Jun01 10:54:42 - (000003) 550 /020612105639p: Permission denied.
[2] Tue 12Jun01 10:54:42 - (000003) SYST
[6] Tue 12Jun01 10:54:42 - (000003) 215 UNIX Type: L8
[2] Tue 12Jun01 10:54:43 - (000003) REST 1
The following information about my ftp is obtained:
my ftp is writable at the root directory, directories are not deletable and
OS is UNIX.
[6] Tue 12Jun01 10:54:43 - (000003) 350 Restarting at 1 - send
STORE or RETRIEVE to initiate transfer.
[2] Tue 12Jun01 10:54:44 - (000003) PASV
[6] Tue 12Jun01 10:54:44 - (000003) 227 Entering Passive Mode (x,x,x,x,11,202)
[2] Tue 12Jun01 10:54:44 - (000003) PORT 207,46,133,140,1,21
The ip: 207.46.133.140:21 is ftp.microsoft.com. This guy is
trying to test if my ftp server will allow him to FXP.
[6] Tue 12Jun01 10:54:44 - (000003) 200 PORT Command
successful.
[2] Tue 12Jun01 10:54:44 - (000003) CWD
ppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
[6] Tue 12Jun01 10:54:44 - (000003) 550 /ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
ppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp: No such file or
directory.
[2] Tue 12Jun01 10:54:44 - (000003)
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
[6] Tue 12Jun01 10:54:44 - (000003) 500 'PPPPPPPPPPPPPPPPPPPPPPPPP': command not
understood.
[2] Tue 12Jun01 10:54:44 - (000003)
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
[6] Tue 12Jun01 10:54:44 - (000003) 500 'PPPPPPPPPPPPPPPPPPPPPPPPP': command not
understood.
[2] Tue 12Jun01 10:54:44 - (000003)
ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
[6] Tue 12Jun01 10:54:44 - (000003) 500 'PPPPPPPPPPPPPPPPPPPPPPPPP': command not
understood.
[2] Tue 12Jun01 10:54:44 - (000003)
ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
[6] Tue 12Jun01 10:54:44 - (000003) 500 'PPPPPPPPPPPPPPPPPPPPPPPPP': command not
understood.
[2] Tue 12Jun01 10:54:44 - (000003)
ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
[6] Tue 12Jun01 10:54:44 - (000003) 500 'PPPPPPPPPPPPPPPPPPPPPPPPP': command not
understood.
[2] Tue 12Jun01 10:54:44 - (000003)
ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
[6] Tue 12Jun01 10:54:44 - (000003) 500 'PPPPPPPPPPPPPPPPPPPPPPPPP': command not
understood.
[5] Tue 12Jun01 10:54:44 - (000003) Closing connection for user ANONYMOUS
(00:00:04 connected)
I think this request could be an attempt to overflow the
buffer, or simply testing to see what kind of error it gets to identify
the OS (and ftp server software) better. Any ideas about this one would be most
welcome.

Third entry comes from the same host .. the day after:
[5] Wed 13Jun01 14:23:49 - (000019) Connected to 213.51.52.27
(Local address x.x.x.x)
[6] Wed 13Jun01 14:23:49 - (000019) 220 EOS FTP 2.1 Ready ...
[2] Wed 13Jun01 14:23:49 - (000019) USER anonymous
[6] Wed 13Jun01 14:23:49 - (000019) 331 User name okay, please send complete
E-mail address as password.
[5] Wed 13Jun01 14:23:49 - (000019) IP-Name: CP17725-A.DBSCH1.NB.NL.HOME.COM
[2] Wed 13Jun01 14:23:49 - (000019) PASS guest@here.com
[5] Wed 13Jun01 14:23:49 - (000019) ANONYMOUS logged in, password: GUEST@HERE.COM
[6] Wed 13Jun01 14:23:49 - (000019) 230 User logged in, proceed.
Once again this is Grim's Ping Autmated tool, with Companion
software, as you will see further down.
[2] Wed 13Jun01 14:23:49 - (000019) CWD /
[6] Wed 13Jun01 14:23:49 - (000019) 250 Directory changed to /
[2] Wed 13Jun01 14:23:49 - (000019) TYPE I
[6] Wed 13Jun01 14:23:49 - (000019) 200 Type set to I.
[2] Wed 13Jun01 14:23:50 - (000019) PORT 213,51,52,27,17,98
[6] Wed 13Jun01 14:23:50 - (000019) 200 PORT Command successful.
[2] Wed 13Jun01 14:23:50 - (000019) STOR /1mbtest.ptf
The scanner uploads a 1mb test file to the root directory.
[6] Wed 13Jun01 14:23:50 - (000019) 150 Opening BINARY mode
data connection for 1mbtest.ptf.
[4] Wed 13Jun01 14:23:50 - (000019) Receiving file d:anonftp1mbtest.ptf
[4] Wed 13Jun01 14:25:16 - (000019) Received file d:anonftp1mbtest.ptf
successfully (11.9 Kb/sec - 1048578 bytes)
[6] Wed 13Jun01 14:25:16 - (000019) 226-Maximum disk quota limited to 300000
Kbytes
[6] Wed 13Jun01 14:25:16 - (000019) Used disk quota 1024 Kbytes, available
298975 Kbytes
[6] Wed 13Jun01 14:25:16 - (000019) 226 Transfer complete.
[2] Wed 13Jun01 14:25:17 - (000019) PORT 213,51,52,27,6,55
[6] Wed 13Jun01 14:25:17 - (000019) 200 PORT Command successful.
[2] Wed 13Jun01 14:25:17 - (000019) TYPE I
[6] Wed 13Jun01 14:25:17 - (000019) 200 Type set to I.
[2] Wed 13Jun01 14:25:17 - (000019) RETR /1mbtest.ptf
Then it downloads the file back.
[6] Wed 13Jun01 14:25:17 - (000019) 150 Opening BINARY mode
data connection for 1mbtest.ptf (1048578 bytes).
[3] Wed 13Jun01 14:25:17 - (000019) Sending file d:anonftp1mbtest.ptf
[3] Wed 13Jun01 14:26:29 - (000019) Sent file d:anonftp1mbtest.ptf
successfully (14.3 Kb/sec - 1048578 bytes)
[6] Wed 13Jun01 14:26:29 - (000019) 226-Maximum disk quota limited to 300000
Kbytes
[6] Wed 13Jun01 14:26:29 - (000019) Used disk quota 1024 Kbytes, available
298975 Kbytes
[6] Wed 13Jun01 14:26:29 - (000019) 226 Transfer complete.
[2] Wed 13Jun01 14:26:29 - (000019) TYPE A
[6] Wed 13Jun01 14:26:29 - (000019) 200 Type set to A.
[2] Wed 13Jun01 14:26:30 - (000019) PORT 213,51,52,27,9,50
[6] Wed 13Jun01 14:26:30 - (000019) 200 PORT Command successful.
[2] Wed 13Jun01 14:26:30 - (000019) LIST -la
[6] Wed 13Jun01 14:26:30 - (000019) 150 Opening ASCII mode data connection for
/bin/ls.
[6] Wed 13Jun01 14:26:30 - (000019) 226-Maximum disk quota limited to 300000
Kbytes
[6] Wed 13Jun01 14:26:30 - (000019) Used disk quota 1024 Kbytes, available
298975 Kbytes
[6] Wed 13Jun01 14:26:30 - (000019) 226 Transfer complete.
[2] Wed 13Jun01 14:26:30 - (000019) DELE /1mbtest.ptf
[6] Wed 13Jun01 14:26:30 - (000019) 250 DELE command successful.
And finally delete the test file. Till now the following
statistics are gathered from my site:
Upload/Download is abled, my speed, deletable files (i had changed the
configuration to allow deletion of files by the anonymous user).
[2] Wed 13Jun01 14:26:30 - (000019) TYPE A
[6] Wed 13Jun01 14:26:30 - (000019) 200 Type set to A.
[2] Wed 13Jun01 14:26:30 - (000019) PORT 213,51,52,27,9,51
[6] Wed 13Jun01 14:26:30 - (000019) 200 PORT Command successful.
[2] Wed 13Jun01 14:26:31 - (000019) STOR /space.asp
[6] Wed 13Jun01 14:26:31 - (000019) 150 Opening ASCII mode data connection for
space.asp.
[4] Wed 13Jun01 14:26:31 - (000019) Receiving file d:anonftpspace.asp
[4] Wed 13Jun01 14:26:31 - (000019) Received file d:anonftpspace.asp
successfully (4.91 Kb/sec - 2648 bytes)
[6] Wed 13Jun01 14:26:31 - (000019) 226-Maximum disk quota limited to 300000
Kbytes
[6] Wed 13Jun01 14:26:31 - (000019) Used disk quota 2 Kbytes, available 299997
Kbytes
[6] Wed 13Jun01 14:26:31 - (000019) 226 Transfer complete.
This file is included with Grim's Ping companion and will give
out information about the ftp server, as described in the tools section. At the
same moment the following log is found from my HTTP server(IIS/5.0) :
2001-06-13 12:26:38 213.51.52.27 - x.x.x.x 80 GET /space.asp
|-|0|404_Object_Not_Found 404 -
Of course, if I had used the same directory for both http and
ftp, the asp script would have executed and given out further information about
my machine to the scanner. Also note the timing.
[2] Wed 13Jun01 14:26:38 - (000019) DELE /space.asp
[6] Wed 13Jun01 14:26:38 - (000019) 250 DELE command successful.
[5] Wed 13Jun01 14:26:38 - (000019) Closing connection for user ANONYMOUS
(00:02:49 connected)

Once the ASP files is not found on the HTTP server, the scanner just deletes the
file, and leaves little or no trace of his scan and moves on to the next target.
Problems caused by FTP Pub scanning
Till now this is what I got. Maybe if I wait longer I'd find
myself full of Warez and my IP address on some Warez site, IRC channel or
bulletin board, with most of my bandwidth being abused, not that nice. Apart
from this Corporate sites could be targeted by the software makers and accused
as distributing illegal software (Warez) and similar legal issues. Besides this,
there is also the obvious risk of disk space usage, which is limited.
Securing your Server
Securing a server which is vulnerable to this kind of attack
it pretty much straight forward for normal configurations. It should be clear
that what pub-scanners are exploiting is mis-configuration of ftp (and http)
servers. If there is no reason to enable anonymous users to upload files, just
disable this functionality. If you need certain users to upload files, you
should consider creating a user and password for this purpose, and giving them
write access (maybe chroot the user). Another configuration option would be to
create a folder for anonymous connections, which allows uploads but not
downloads. his will make downloaders (and probably pub-scanners) jump to the
next target and simply dismiss your ftp site. HTTP and FTP servers should also
have use directories. Having an anonymous ftp user upload a CGI script to the
http server means that depending on the configuration and web server (we're
talking about miss-configured servers here ... ) the user will have access to
execute possibly malicious code on the target host. This attack was performed on
Apache.org back in May 2000, and has probably been around since the use of CGI
scripts in HTTP.
Conclusion
Pub scanning seems to have become a favourite and risky
pastime for many Warez dealers. This occurred maybe due to the fact that Point
and Click Windows Scanners are easily available from professional looking sites.
The fact that in just a week two different scanners hit my testing site, seems
to indicate an increase in such scanning, and should not be under estimated by
the unwary administrator. With the increase in such activity, new tools and
features in existing tools will continue to improve the art of pub scanning.

1.) A Guide To A New Generation of Phreaking - Part 1 - decimalz
2.) MBSA: Microsoft Baseline Security Analyzer - adrenaline
3.) Scanning Networks - Krishna
4.) Mutual Trust Networks: Rise of a Society - Ruchir Jha
5.) Review of Yellow Dog Linux 3.0 - L33tdawg
6.) Camouflaging Nmap Scans - Whistler
7.) When your server ends up a Warez site - Obscure