annoying ftp probes

From: Emil Popov (emoat_private)
Date: Mon Aug 20 2001 - 03:33:03 PDT


    Hi,
    
    I have been getting some annoying connections to my ftpd like:
    
    Aug 20 07:58:28 ds ftpd[7527]: connection from cc821361-d.vron1.nj.home.com
    Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM cc821361-d.vron1.nj.home.com, guestat_private
    Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
    Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
    Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM ip-90-202.evc.net, guestat_private
    Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p
    
    They are coming from various ISPs at random time intervals.
    It seems that this is some scanner that searches for world-writable
    ftp sites, and since those requests have been coming from *almost*
    random hosts, I am only able to cumulatively add whole ISP domains
    to my hosts.deny. I added a response line, i.e. an instant nmap to those guys,
    and up to now my nmap resulted in scanning either the firewall of the ISP,
    or a windows machine ( win :), they may soon get an automated dos if they keep on :)) ).
    
    So I presume it's a win tool.
    
    Any Idea what the tool is?
    Any Idea of a better defence (not that my site is world-writable but anyway..)
    
    Thanks
    
    p.s. There is a very famous WarezFTP site in Bulgaria, and I see them getting those same (in format)
    directories created, so it really seems like a scanner that just goes around mkdir'ing.
    
    p.p.s. Sorry for mentioning the unmasked hostnames, but I believe they deserve that.
    
    Emil Popov
    Primasoft Ltd.
    emoat_private
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
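The pattern in the quoted log (anonymous login followed a second later by mkdir of a YYMMDDhhmmss + "p" directory) can be picked out of the ftpd syslog automatically. The following is an added example, not code from the original post; the hostnames in the sample log are constructed, and the hosts.deny output is for a human to review rather than an automatic response.

```python
import re
from datetime import datetime

# Constructed sample log in the format of the lines quoted above (hostnames invented)
SAMPLE_LOG = """\
Aug 20 07:58:28 ds ftpd[7527]: connection from probe-a.example.net
Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM probe-a.example.net, guestat_private
Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
Aug 20 08:10:02 ds ftpd[7601]: connection from mirror.example.org
Aug 20 08:10:03 ds ftpd[7601]: ANONYMOUS FTP LOGIN FROM mirror.example.org, mozilla@
Aug 20 08:10:40 ds ftpd[7601]: mkdir incoming-stuff
Aug 19 06:37:34 ds ftpd[20081]: connection from probe-b.example.net
Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM probe-b.example.net, guestat_private
Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ ftpd\[(\d+)\]: (.*)$")
# Directory names in the quoted probes: YYMMDDhhmmss followed by a literal 'p'
PROBE_DIR_RE = re.compile(r"^\d{12}p$")

def _ts(stamp):
    return datetime.strptime(stamp, "%b %d %H:%M:%S")  # syslog has no year; deltas only

def find_probes(log_text, max_gap_seconds=5):
    """Return [(host, dirname)] for ftpd sessions (keyed by pid) that log in
    anonymously and then mkdir a timestamp-style directory within a few seconds."""
    sessions = {}   # pid -> {"host": str or None, "anon_at": datetime or None}
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, pid, msg = m.groups()
        s = sessions.setdefault(pid, {"host": None, "anon_at": None})
        if msg.startswith("connection from "):
            s["host"] = msg[len("connection from "):]
        elif msg.startswith("ANONYMOUS FTP LOGIN FROM "):
            s["anon_at"] = _ts(stamp)
        elif msg.startswith("mkdir "):
            dirname = msg[len("mkdir "):]
            if (s["anon_at"] is not None and PROBE_DIR_RE.match(dirname)
                    and (_ts(stamp) - s["anon_at"]).total_seconds() <= max_gap_seconds):
                hits.append((s["host"], dirname))
    return hits

def deny_lines(hits, service="ftpd"):
    """tcp_wrappers hosts.deny entries ("daemon: host"), one per probing host, for review."""
    return [f"{service}: {host}" for host in sorted({h for h, _ in hits})]
```

Run `find_probes(SAMPLE_LOG)` to get the two probe sessions; the legitimate mirror session is excluded both because its directory name does not match the pattern and because the mkdir comes 37 seconds after login.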
    