RE: annoying ftp probes

From: Gregory McCann (cambriaat_private)
Date: Mon Aug 20 2001 - 13:26:48 PDT


    I've been seeing more aggressive attempts than that here.  Here is a recent example.  They attempt to CWD to a large number of common ftp directory names.  If successful, they try to create a directory there.  This user repeated the exact same scan five minutes later.  (To save space I have only included the first one.)
    
    "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","nobody","[10/Aug/2001:19:49:24 -0700]","USER anonymous","331","-","-","-"
    "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:25 -0700]","PASS guestat_private","230","-","-","-"
    "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:25 -0700]","CWD /","250","-","-","-"
    "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:26 -0700]","MKD 010811125809p","550","-","-","-"
    "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:26 -0700]","CWD /public/","550","-","-","-"
    "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /pub/incoming/","550","-","-","-"
    "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /incoming/","550","-","-","-"
    "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:28 -0700]","CWD /_vti_pvt/","550","-","-","-"
    "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:28 -0700]","CWD /pub/","550","-","-","-"
    "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:29 -0700]","CWD /upload/","250","-","-","-"
    "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:29 -0700]","MKD 010811125813p","550","-","-","-"
    "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:30 -0700]","CWD /~tmp/","550","-","-","-"
    "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:30 -0700]","CWD /~temp/","550","-","-","-"
    "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /tmp/","550","-","-","-"
    "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /temp/","550","-","-","-"
    "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /_vti_cfg/","550","-","-","-"
    "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:32 -0700]","CWD /_vti_txt/","550","-","-","-"
    
    >-----Original Message-----
    >From: Emil Popov [mailto:emoat_private]
    >Sent: Monday, August 20, 2001 3:33 AM
    >To: incidentsat_private
    >Subject: annoying ftp probes
    >
    >
    >Hi,
    >
    >I have been getting some annoying connections to my ftpd like:
    >
    >Aug 20 07:58:28 ds ftpd[7527]: connection from
    >cc821361-d.vron1.nj.home.com
    >Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM
    >cc821361-d.vron1.nj.home.com, guestat_private
    >Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
    >Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
    >Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM
    >ip-90-202.evc.net, guestat_private
    >Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
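One way to pick these sessions out of a log automatically, as an added example that is not part of either post above. It parses the CSV-style ftpd log layout McCann shows (host, IP, session tag, user, timestamp, command, reply code, trailing fields) and flags an anonymous session that either walks the common drop-directory list or issues an MKD with the 12-digits-plus-"p" name both posters saw. A successful MKD (reply 257) would mean the scanner found a writable directory, which is the thing worth paging someone about. The sample log is constructed from the excerpt above plus a made-up benign anonymous download; the field order and the probe threshold are assumptions.

```python
import csv
import re
from collections import defaultdict

# Constructed sample in the CSV layout of the excerpt above: the scanning
# session from the post (shortened) plus an invented benign anonymous fetch.
SAMPLE_LOG = """\
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","nobody","[10/Aug/2001:19:49:24 -0700]","USER anonymous","331","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:25 -0700]","PASS guestat_private","230","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:25 -0700]","CWD /","250","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:26 -0700]","MKD 010811125809p","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:26 -0700]","CWD /public/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /pub/incoming/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /incoming/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:29 -0700]","CWD /upload/","250","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:29 -0700]","MKD 010811125813p","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /tmp/","550","-","-","-"
"mirror.example.net","192.0.2.10","sess-1","nobody","[10/Aug/2001:20:01:00 -0700]","USER anonymous","331","-","-","-"
"mirror.example.net","192.0.2.10","sess-1","ftp","[10/Aug/2001:20:01:01 -0700]","PASS mirror@example.net","230","-","-","-"
"mirror.example.net","192.0.2.10","sess-1","ftp","[10/Aug/2001:20:01:02 -0700]","CWD /pub/","250","-","-","-"
"mirror.example.net","192.0.2.10","sess-1","ftp","[10/Aug/2001:20:01:03 -0700]","RETR README","226","-","-","-"
"""

# Directory names the scanner in the post walked through.
PROBE_DIRS = {
    "/public/", "/pub/incoming/", "/incoming/", "/_vti_pvt/", "/pub/",
    "/upload/", "/~tmp/", "/~temp/", "/tmp/", "/temp/", "/_vti_cfg/", "/_vti_txt/",
}
# MKD names seen in both posts: 12 digits followed by "p", e.g. "MKD 010811125809p".
TAGGED_MKD = re.compile(r"^MKD \d{12}p$")


def parse_line(line):
    """Split one CSV log line; field order is an assumption from the excerpt."""
    host, ip, session, user, stamp, cmd, code, *_ = next(csv.reader([line]))
    return {"ip": ip, "session": session, "stamp": stamp, "cmd": cmd, "code": code}


def analyse(log_text, probe_threshold=3):
    """Return one finding per anonymous session that looks like a drop-dir scan."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            sessions[(rec["ip"], rec["session"])].append(rec)

    findings = []
    for (ip, sid), recs in sessions.items():
        anonymous = any(r["cmd"].lower() == "user anonymous" for r in recs)
        probes = [r["cmd"][4:] for r in recs
                  if r["cmd"].startswith("CWD ") and r["cmd"][4:] in PROBE_DIRS]
        tagged = [r for r in recs if TAGGED_MKD.match(r["cmd"])]

        # Track the working directory so a successful MKD (reply 257, "PATHNAME
        # created") can be attributed to the directory it landed in.
        cwd, writable = None, []
        for r in recs:
            if r["cmd"].startswith("CWD ") and r["code"] == "250":
                cwd = r["cmd"][4:]
            elif r["cmd"].startswith("MKD ") and r["code"] == "257" and cwd:
                writable.append(cwd)

        if anonymous and (tagged or len(probes) >= probe_threshold):
            findings.append({
                "ip": ip, "session": sid, "first_seen": recs[0]["stamp"],
                "probed_dirs": len(probes), "tagged_mkd": len(tagged),
                "writable": sorted(set(writable)),
            })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

Run over the sample, only the 203.54.74.21 session is reported: five directory probes, two tagged MKD attempts, and an empty "writable" list because every MKD got a 550. The benign mirror session does a single CWD /pub/ and no MKD, so it stays under the threshold. Any non-empty "writable" entry is the case to act on, since the next visit (McCann saw the same scan five minutes later) is likely to start uploading.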
    



    This archive was generated by hypermail 2b30 : Mon Aug 20 2001 - 14:01:52 PDT