Re: annoying ftp probes

From: Jason Spence (thalakanat_private)
Date: Mon Aug 20 2001 - 11:20:08 PDT

    On Mon, Aug 20, 2001 at 10:33:03AM +0000, Emil Popov said: 
    > Hi,
    > 
    > I have been getting some annoying connections to my ftpd like:
    > 
    > Aug 20 07:58:28 ds ftpd[7527]: connection from cc821361-d.vron1.nj.home.com
    > Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM cc821361-d.vron1.nj.home.com, guestat_private
    > Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
    > Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
    > Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM ip-90-202.evc.net, guestat_private
    > Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p
    
    I've been seeing the same thing, although with different anonymous
    passwords and directories being created.  My honeypot is currently
    being fought over by a couple k1dd3s who just learned about rmdir and
    are trying to wipe each other's warez from the box.
    
    > they are coming from various ISPs at random time intervals.  It
    > seems that this is some scanner that searches for world-writable ftp
    > sites, and since those requests have been coming from *almost*
    > random hosts, I am only able to cumulatively add whole isp domains
    > to my hosts.deny. I added a response line i.e. an instant nmap to
    > those guys, and up to now my nmap resulted in scanning either the
    > firewall of the isp, or a windows machine ( win :), they may soon
    > get an automated dos if they keep on :)) ).
    >
    > So I presume it's a win tool.
    
    Yeah, I've noticed that they're all on windows boxes.
    
    > Any Idea what the tool is?
    > Any Idea of a better defence (not that my site is world-writable but anyway..)
    
    Dunno, but it's not showing up in the first few pages of a search for
    "anonymous ftp scanner" on Google.
    
     - Jason
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
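
The probe pattern in the quoted log (anonymous login, then a mkdir a second later from the same ftpd process) can be picked out of syslog per session rather than per ISP. The following is an added example, not part of the original thread: the function name, the 10-second window, the year default and the pid 9001 lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Sample input: the six lines quoted in the post, plus two constructed lines
# (pid 9001) for a session that logs in anonymously but creates nothing.
SAMPLE_LOG = """\
Aug 20 07:58:28 ds ftpd[7527]: connection from cc821361-d.vron1.nj.home.com
Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM cc821361-d.vron1.nj.home.com, guestat_private
Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM ip-90-202.evc.net, guestat_private
Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p
Aug 20 09:00:01 ds ftpd[9001]: connection from mirror.example.org
Aug 20 09:00:02 ds ftpd[9001]: ANONYMOUS FTP LOGIN FROM mirror.example.org, guestat_private
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ftpd\[(\d+)\]: (.*)$")
LOGIN = re.compile(r"^ANONYMOUS FTP LOGIN FROM ([^,\s]+)")
MKDIR = re.compile(r"^mkdir (\S+)")
TAG = re.compile(r"^\d{12}p$")  # shape of both directory names in the post


def find_write_probes(log_text, window=timedelta(seconds=10), year=2001):
    """Return (host, directory, looks_like_tag) for each mkdir issued by an
    anonymous session within `window` of its login."""
    logins = {}  # ftpd pid -> (login time, client host)
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, pid, msg = m.groups()
        # syslog omits the year; supply one so the timestamps can be compared
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if (login := LOGIN.match(msg)):
            logins[pid] = (when, login.group(1))
        elif (mk := MKDIR.match(msg)) and pid in logins:
            t0, host = logins[pid]
            if timedelta(0) <= when - t0 <= window:
                hits.append((host, mk.group(1), bool(TAG.match(mk.group(1)))))
    return hits


if __name__ == "__main__":
    for host, directory, tagged in find_write_probes(SAMPLE_LOG):
        print(f"{host} created {directory} after anonymous login (tag-shaped: {tagged})")
```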
    



    This archive was generated by hypermail 2b30 : Mon Aug 20 2001 - 12:07:36 PDT