I get a ton of these pretty regularly, and it doesn't appear targeted at "me" specifically. I have a number of systems logging to a central syslog daemon, and I will see FTP connection attempts on all of my systems virtually simultaneously. This tells me they're scanning netblocks for open FTP servers (likely parallelized, but still reasonably sequential). A decently configured IDS could detect this and block the offender from further accesses. I do occasionally have clients on IRC when this happens, but I am never able to correlate any scan with any user that's been on IRC at any time in the previous month. They're probably just plugging in huge netblocks and letting it run overnight. Classic script kiddie tool. David -----Original Message----- From: Mike Eheler [mailto:mehelerat_private] Sent: Monday, August 20, 2001 7:22 To: Jason Spence Cc: incidentsat_private Subject: Re: annoying ftp probes It wouldn't be tough to create something like that, anyways. I bet it's just part of some "war" IRC script, or something. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Aug 20 2001 - 13:15:59 PDT