RE: annoying ftp probes

From: Gregory McCann (cambriaat_private)
Date: Mon Aug 20 2001 - 13:26:48 PDT

Next message: Hugo van der Kooij: "Re: smtp probes"

Previous message: Joris De Donder: "Re: annoying ftp probes"
In reply to: Mark Villanova: "RE: annoying ftp probes"
Next in thread: Skeeve Stevens: "RE: annoying ftp probes"
Next in thread: NESTING, DAVID M (SBCSI): "RE: annoying ftp probes"
Reply: Skeeve Stevens: "RE: annoying ftp probes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I've been seeing more aggressive attempts than that here.  Here is a recent example.  They attempt to CWD to a large number of common ftp directory names.  If successful, they try to create a directory there.  This user repeated the exact same scan five minutes later.  (To save space I have only included the first one.)

"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","nobody","[10/Aug/2001:19:49:24 -0700]","USER anonymous","331","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:25 -0700]","PASS guestat_private","230","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:25 -0700]","CWD /","250","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:26 -0700]","MKD 010811125809p","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:26 -0700]","CWD /public/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /pub/incoming/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /incoming/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:28 -0700]","CWD /_vti_pvt/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:28 -0700]","CWD /pub/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:29 -0700]","CWD /upload/","250","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:29 -0700]","MKD 010811125813p","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:30 -0700]","CWD /~tmp/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:30 -0700]","CWD /~temp/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /tmp/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /temp/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /_vti_cfg/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:32 -0700]","CWD /_vti_txt/","550","-","-","-"

>-----Original Message-----
>From: Emil Popov [mailto:emoat_private]
>Sent: Monday, August 20, 2001 3:33 AM
>To: incidentsat_private
>Subject: annoying ftp probes
>
>
>Hi,
>
>I have been getting some annoying connections to my ftpd like:
>
>Aug 20 07:58:28 ds ftpd[7527]: connection from
>cc821361-d.vron1.nj.home.com
>Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM
>cc821361-d.vron1.nj.home.com, guestat_private
>Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
>Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
>Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM
>ip-90-202.evc.net, guestat_private
>Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Hugo van der Kooij: "Re: smtp probes"
Previous message: Joris De Donder: "Re: annoying ftp probes"
In reply to: Mark Villanova: "RE: annoying ftp probes"
Next in thread: Skeeve Stevens: "RE: annoying ftp probes"
Next in thread: NESTING, DAVID M (SBCSI): "RE: annoying ftp probes"
Reply: Skeeve Stevens: "RE: annoying ftp probes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Aug 20 2001 - 14:01:52 PDT