RE: annoying ftp probes

From: Skeeve Stevens (skeeveat_private)
Date: Sun Aug 26 2001 - 03:37:31 PDT


    With this particular incident... send an email to abuseat_private with
    this log and they will kick the person... TMNS is Telstra Managed
    Network Services, and it looks like that particular link is a Cable
    connection.
    
    ...Skeeve
    
    > -----Original Message-----
    > From: Gregory McCann [mailto:cambriaat_private] 
    > Sent: Tuesday, August 21, 2001 6:27 AM
    > To: incidentsat_private
    > Cc: Mark Villanova; emoat_private
    > Subject: RE: annoying ftp probes
    > 
    > 
    > I've been seeing more aggressive attempts than that here.  
    > Here is a recent example.  They attempt to CWD to a large 
    > number of common ftp directory names.  If successful, they 
    > try to create a directory there.  This user repeated the 
    > exact same scan five minutes later.  (To save space I have 
    > only included the first one.)
    > 
    > "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","nobody","[10/Aug/2001:19:49:24 -0700]","USER anonymous","331","-","-","-"
    > "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:25 -0700]","PASS guestat_private","230","-","-","-"
    > "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:25 -0700]","CWD /","250","-","-","-"
    > "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:26 -0700]","MKD 010811125809p","550","-","-","-"
    > "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:26 -0700]","CWD /public/","550","-","-","-"
    > "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /pub/incoming/","550","-","-","-"
    > "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /incoming/","550","-","-","-"
    > "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:28 -0700]","CWD /_vti_pvt/","550","-","-","-"
    > "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:28 -0700]","CWD /pub/","550","-","-","-"
    > "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:29 -0700]","CWD /upload/","250","-","-","-"
    > "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:29 -0700]","MKD 010811125813p","550","-","-","-"
    > "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:30 -0700]","CWD /~tmp/","550","-","-","-"
    > "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:30 -0700]","CWD /~temp/","550","-","-","-"
    > "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /tmp/","550","-","-","-"
    > "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /temp/","550","-","-","-"
    > "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /_vti_cfg/","550","-","-","-"
    > "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:32 -0700]","CWD /_vti_txt/","550","-","-","-"
    > 
    > >-----Original Message-----
    > >From: Emil Popov [mailto:emoat_private]
    > >Sent: Monday, August 20, 2001 3:33 AM
    > >To: incidentsat_private
    > >Subject: annoying ftp probes
    > >
    > >
    > >Hi,
    > >
    > >I have been getting some annoying connections to my ftpd like:
    > >
    > >Aug 20 07:58:28 ds ftpd[7527]: connection from cc821361-d.vron1.nj.home.com
    > >Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM cc821361-d.vron1.nj.home.com, guestat_private
    > >Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
    > >Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
    > >Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM ip-90-202.evc.net, guestat_private
    > >Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
    
    



    This archive was generated by hypermail 2b30 : Mon Aug 27 2001 - 13:13:35 PDT
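
Added example, not part of the original thread: a detection pass over FTP logs in the quoted-CSV layout shown above, flagging clients that log in anonymously, probe several directories with CWD, and attempt MKD with a 12-digit name ending in "p". The field meanings are inferred from the quoted log; the sample records, the `MIN_CWD_PROBES` threshold and the function name are assumptions made for the example.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample records (documentation address ranges), using the
# column order seen in the thread: host, ip, ident, user, time, command, status.
SAMPLE_LOG = '''\
"scan.example.net","192.0.2.10","-","nobody","[10/Aug/2001:19:49:24 -0700]","USER anonymous","331","-","-","-"
"scan.example.net","192.0.2.10","-","ftp","[10/Aug/2001:19:49:25 -0700]","PASS guest@example.invalid","230","-","-","-"
"scan.example.net","192.0.2.10","-","ftp","[10/Aug/2001:19:49:25 -0700]","CWD /","250","-","-","-"
"scan.example.net","192.0.2.10","-","ftp","[10/Aug/2001:19:49:26 -0700]","MKD 010811125809p","550","-","-","-"
"scan.example.net","192.0.2.10","-","ftp","[10/Aug/2001:19:49:26 -0700]","CWD /pub/","550","-","-","-"
"scan.example.net","192.0.2.10","-","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /incoming/","550","-","-","-"
"scan.example.net","192.0.2.10","-","ftp","[10/Aug/2001:19:49:29 -0700]","CWD /upload/","250","-","-","-"
"scan.example.net","192.0.2.10","-","ftp","[10/Aug/2001:19:49:29 -0700]","MKD 010811125813p","257","-","-","-"
"user.example.org","198.51.100.7","-","nobody","[10/Aug/2001:20:01:02 -0700]","USER anonymous","331","-","-","-"
"user.example.org","198.51.100.7","-","ftp","[10/Aug/2001:20:01:04 -0700]","CWD /pub/","250","-","-","-"
'''

TAG_DIR = re.compile(r"\d{12}p")  # directory names like 010811125809p
MIN_CWD_PROBES = 3                # assumed threshold; tune per site

def find_probes(log_text):
    """Return {ip: summary} for clients matching the CWD/MKD probe pattern."""
    stats = defaultdict(
        lambda: {"anon": False, "cwd": set(), "mkd": [], "writable": []})
    last_ok_cwd = {}  # ip -> last directory the client entered successfully
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7:
            continue  # skip blank or truncated records
        ip, command, status = row[1], row[5], row[6]
        verb, _, arg = command.partition(" ")
        s = stats[ip]
        if verb == "USER" and arg.lower() in ("anonymous", "ftp"):
            s["anon"] = True
        elif verb == "CWD":
            s["cwd"].add(arg)
            if status == "250":
                last_ok_cwd[ip] = arg
        elif verb == "MKD" and TAG_DIR.fullmatch(arg):
            s["mkd"].append(arg)
            if status == "257":  # FTP reply 257: directory was created
                s["writable"].append(last_ok_cwd.get(ip, "/"))
    return {ip: s for ip, s in stats.items()
            if s["anon"] and s["mkd"] and len(s["cwd"]) >= MIN_CWD_PROBES}
```

A non-empty `writable` list is the part to act on first: it names directories where an anonymous client was able to create a directory.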