WAREZ uploaders and downloaders

Post by Kelly Ha » Fri, 14 Jul 1995 04:00:00


    David> We very briefly accidentally left an ftp directory world
    David> writable, and instantly ended up with a ton of `WAREZ'.
    David> I've summarized the sites which uploaded and downloaded
    David> software below.  Should I assume that the site
    David> administrators either know about this or don't care, or is
    David> it worth sending them E-mail?

Something similar happened to my machines about 6 months ago.  But I
didn't catch on for a week so we had a whole bunch more traffic than
you did.

First, I closed down the FTP directory the wimps were using.  Then I
contacted CERT to hear what they had to say about the incident.
Overall, CERT was quite friendly but mostly useless.  They did assign
me an incident number, which turned out to be somewhat useful.

I combed the FTP logs and separated out each login session.  (BTW, has
anyone written any scripts to make that easier?  My perl skills aren't
stellar, and I'm sure this would be a useful utility.)  Then I
separated the sessions into uploaders and downloaders.  There were way
too many downloaders for me to really do anything about, so I
concentrated on the uploaders.

I sorted the uploaders by site, and looked up each site's contact
information via DNS entries and Internic.  Then I emailed the site
administrators and included the relevant log file excerpts.  You'd be
amazed at how many uploaders actually included their real email
address as their FTP password.  I also included some excerpts from the
CERT response.

The net response was that about half of the uploaders lost their
accounts.  One was booted out of school (this wasn't the first time
the school got complaints of this nature).  The remaining half were
evenly split between a) it was my own fault (granted) and b) no
response.

All in all, I've learned to keep much tighter control over the FTP
site here.  Also, I learned that these WAREZ folks aren't too clever.
Now I grep the ftp log daily looking for STOR commands - not too
clever, but an effective tripwire.  Whether or not you care to
follow up on your incident depends on how vindictive you feel or whether
you really care.  This kind of follow-up can be rather time-consuming.

Kelly

--

http://lal.cs.byu.edu/people/hall.html
To understand recursion,
  you must first understand recursion

 
 
 

WAREZ uploaders and downloaders

Post by David Mazier » Sat, 15 Jul 1995 04:00:00




>I combed the FTP logs and separated out each login session.  (BTW, has
>anyone written any scripts to make that easier?  My perl skills aren't
>stellar, and I'm sure this would be a useful utility.)  Then I
>separated the sessions into uploaders and downloaders.  There were way
>too many downloaders for me to really do anything about, so I
>concentrated on the uploaders.

Well, here's the script I used (wrzc for warezcount).  It looks
through the wuftpd xferlog file which in the last field either
includes an RFC931 lookup or a "*" if no ident daemon was running.

I finally decided to send the list of users to the DNS SOA contact
addresses, as well as postmaster.  Thanks to everyone who responded,

  I saw your post over in security and out of curiosity, checked out your
  site. What's the big deal? Is it that you carry warez on your site, but
  don't want to share? I mean, I saw the directory-and I *was* locked out of
  it. Is it what it appears to be? If so, why do you advertise it? I'm really
  just curious. It all seems so strange, prima facie.

??!!

David

--

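#!/usr/local/bin/perl
# wrzc (warezcount): count xferlog transfers per ident user + remote host.

while (<>) {
    @f = split;                 # explicit array: a bare split no longer fills @_
    $user = $f[$#f];            # last field: RFC931 (ident) user, or "*"
    if ($user eq "*") {
        $user = "";
    } else {

    }
    if (/ i /) {                # direction flag "i" = incoming (upload)
        $in{$user . $f[6]}++;   # field 6 is the remote host
    } else {
        $out{$user . $f[6]}++;
    }

}

sub byin {
    $in{$b} <=> $in{$a};        # most transfers first
}

print "Uploads:\n";
foreach (sort byin keys %in) {
    print "$_: $in{$_}\n";

}

sub byout {
    $out{$b} <=> $out{$a};      # most transfers first
}

print "\nDownloads:\n";
foreach (sort byout keys %out) {
    print "$_: $out{$_}\n";

}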

---

The `WAREZ' directory was the only directory to have three consecutive
dots in it, so I ran:

% fgrep ... xferlog | ./wrzc
Uploads:



pc-g244-8.idt.unit.no: 11





split.mets.emr.ca: 1

Downloads:

zeus.towson.edu: 12





%
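
An added example, not part of either post: a Python take on the same xferlog triage that also keeps file names containing spaces intact and records the password field of anonymous uploads, where Kelly found real e-mail addresses. It assumes the xferlog layout the script above relies on (ident user or "*" as the last field); the sample lines, hosts and the `path_marker` parameter are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample in the wu-ftpd xferlog layout; hosts, users and files are made up.
SAMPLE_XFERLOG = """\
Thu Jul 13 02:11:07 1995 41 pc1.example.edu 1457664 /pub/incoming/.../disk 1.zip b _ i a student@example.edu ftp 1 jdoe
Thu Jul 13 02:15:30 1995 38 pc1.example.edu 1457664 /pub/incoming/.../disk2.zip b _ i a student@example.edu ftp 1 jdoe
Thu Jul 13 03:02:11 1995 55 dialup7.example.net 1457664 /pub/incoming/.../disk2.zip b _ o a guest@ ftp 0 *
Thu Jul 13 09:40:02 1995 2 www.example.org 10240 /pub/README a _ o a user@example.org ftp 0 *
"""

def parse_xferlog_line(line):
    """Return one transfer record as a dict, or None if the line does not fit."""
    tok = line.split()
    if len(tok) < 17:          # 8 leading fields + file name + 8 trailing fields
        return None
    # Index from both ends so a file name containing spaces stays in one piece.
    # Assumes the last field is the ident user, as in the script above.
    direction, mode, login, _service, _auth, ident = tok[-6:]
    if direction not in ("i", "o"):
        return None
    return {"host": tok[6], "file": " ".join(tok[8:-8]), "direction": direction,
            "mode": mode, "login": login, "ident": ident}

def summarize(lines, path_marker=""):
    """Count uploads/downloads per ident@host for files whose path contains path_marker."""
    uploads, downloads, passwords = Counter(), Counter(), defaultdict(set)
    for line in lines:
        rec = parse_xferlog_line(line)
        if rec is None or path_marker not in rec["file"]:
            continue
        who = rec["host"] if rec["ident"] == "*" else rec["ident"] + "@" + rec["host"]
        if rec["direction"] == "i":
            uploads[who] += 1
            if rec["mode"] == "a":     # anonymous login: "login" is the typed password
                passwords[who].add(rec["login"])
        else:
            downloads[who] += 1
    return uploads, downloads, passwords

if __name__ == "__main__":
    up, down, pw = summarize(SAMPLE_XFERLOG.splitlines(), "...")
    for title, counts in (("Uploads", up), ("Downloads", down)):
        print(title + ":")
        for who, n in counts.most_common():
            print(f"  {who}: {n}  {sorted(pw.get(who, []))}")
```

Run daily with an empty `path_marker`, the uploads counter doubles as the incoming-transfer tripwire: any entry in it means someone wrote to the server.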

 
 
 

1. WAREZ uploader nicknames (by rfc931)

I recently posted an article about commercial software being
uploaded to our anonymous ftp site.  I forgot to mention that
the people doing the uploading sometimes appended a kind of
nickname to the files they uploaded.  Here, for the record,
are the nicknames people seemed to be using.

Perhaps if you have had a similar problem, this can help you
track the people down if you find similar nicknames.

David





pc-g244-8.idt.unit.no: 11               "Buuud"



split.mets.emr.ca: 1                    "->_Variable"

