With this particular incident... send an email to abuseat_private with this log and they will kick the person... TMNS is Telstra Managed Network Services, and it looks like that particular link is a Cable connection.

...Skeeve

> -----Original Message-----
> From: Gregory McCann [mailto:cambriaat_private]
> Sent: Tuesday, August 21, 2001 6:27 AM
> To: incidentsat_private
> Cc: Mark Villanova; emoat_private
> Subject: RE: annoying ftp probes
>
>
> I've been seeing more aggressive attempts than that here.
> Here is a recent example. They attempt to CWD to a large
> number of common ftp directory names. If successful, they
> try to create a directory there. This user repeated the
> exact same scan five minutes later. (To save space I have
> only included the first one.)
>
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","nobody","[10/Aug/2001:19:49:24 -0700]","USER anonymous","331","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:25 -0700]","PASS guestat_private","230","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:25 -0700]","CWD /","250","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:26 -0700]","MKD 010811125809p","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:26 -0700]","CWD /public/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /pub/incoming/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /incoming/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:28 -0700]","CWD /_vti_pvt/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:28 -0700]","CWD /pub/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:29 -0700]","CWD /upload/","250","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:29 -0700]","MKD 010811125813p","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:30 -0700]","CWD /~tmp/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:30 -0700]","CWD /~temp/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /tmp/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /temp/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /_vti_cfg/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:32 -0700]","CWD /_vti_txt/","550","-","-","-"
>
> >-----Original Message-----
> >From: Emil Popov [mailto:emoat_private]
> >Sent: Monday, August 20, 2001 3:33 AM
> >To: incidentsat_private
> >Subject: annoying ftp probes
> >
> >
> >Hi,
> >
> >I have been getting some annoying connections to my ftpd like:
> >
> >Aug 20 07:58:28 ds ftpd[7527]: connection from cc821361-d.vron1.nj.home.com
> >Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM cc821361-d.vron1.nj.home.com, guestat_private
> >Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
> >Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
> >Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM ip-90-202.evc.net, guestat_private
> >Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Aug 27 2001 - 13:13:35 PDT
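
Added example, not part of the original thread: one way to pick this probe pattern (a burst of CWD attempts plus MKD from one client) out of an FTP log in the quoted-CSV layout shown above. The function name `summarize_probes`, the `min_cwd` threshold, the column meanings, and the sample lines (documentation addresses, including one constructed MKD that succeeds with reply 257) are assumptions made for illustration.

```python
import csv
import posixpath
from collections import defaultdict

# Constructed sample in the quoted-CSV layout of the log above; column
# meanings (1=client IP, 5=command, 6=reply code) are inferred from it.
SAMPLE_LOG = '''\
"a.example.net","192.0.2.10","svc","nobody","[10/Aug/2001:19:49:24 -0700]","USER anonymous","331","-","-","-"
"a.example.net","192.0.2.10","svc","ftp","[10/Aug/2001:19:49:25 -0700]","PASS guest@example.invalid","230","-","-","-"
"a.example.net","192.0.2.10","svc","ftp","[10/Aug/2001:19:49:25 -0700]","CWD /","250","-","-","-"
"a.example.net","192.0.2.10","svc","ftp","[10/Aug/2001:19:49:26 -0700]","MKD 010101000000p","550","-","-","-"
"a.example.net","192.0.2.10","svc","ftp","[10/Aug/2001:19:49:26 -0700]","CWD /public/","550","-","-","-"
"a.example.net","192.0.2.10","svc","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /pub/incoming/","550","-","-","-"
"a.example.net","192.0.2.10","svc","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /incoming/","550","-","-","-"
"a.example.net","192.0.2.10","svc","ftp","[10/Aug/2001:19:49:29 -0700]","CWD /upload/","250","-","-","-"
"a.example.net","192.0.2.10","svc","ftp","[10/Aug/2001:19:49:29 -0700]","MKD 010101000001p","257","-","-","-"
"b.example.net","198.51.100.7","svc","ftp","[10/Aug/2001:20:02:10 -0700]","CWD /pub/","250","-","-","-"
"b.example.net","198.51.100.7","svc","ftp","[10/Aug/2001:20:02:14 -0700]","RETR README","226","-","-","-"
'''

def summarize_probes(log_text, min_cwd=4):
    """Return per-IP stats for clients that hunt directories and try MKD."""
    stats = defaultdict(lambda: {"cwd": [], "open_dirs": [], "mkd": 0, "created": []})
    cwd_now = {}  # last directory each client successfully entered
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 7:
            continue  # skip blank or truncated lines
        ip, command, code = row[1], row[5], row[6]
        verb, _, arg = command.partition(" ")
        s = stats[ip]
        if verb == "CWD":
            s["cwd"].append(arg)
            if code == "250":   # 250: directory change accepted
                s["open_dirs"].append(arg)
                cwd_now[ip] = arg
        elif verb == "MKD":
            s["mkd"] += 1
            if code == "257":   # 257: directory was created (writable)
                s["created"].append(posixpath.join(cwd_now.get(ip, "/"), arg))
    # Flag only clients that tried several distinct paths AND attempted MKD.
    return {ip: s for ip, s in stats.items()
            if len(set(s["cwd"])) >= min_cwd and s["mkd"] > 0}

if __name__ == "__main__":
    for ip, s in summarize_probes(SAMPLE_LOG).items():
        print(ip, "cwd:", len(s["cwd"]), "mkd:", s["mkd"], "created:", s["created"])
```

A non-empty `created` list means the anonymous account has write access in that directory, which is the permission to remove.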