higher then normal anon FTP scanning

From: Silent Bob (phoenixat_private)
Date: Mon Oct 08 2001 - 11:24:16 PDT

  • Next message: John Sage: "Re: port 22 scans + 53 scans"

    I havent seen anything about this but in the past week Ive seen a lot
    more scripted ftp site scanning, much of it from boxes that have
    previously probed with nimda (malicious remote control?) sample log
    follows. for the record the anon ftp server here doesnt allow upload
    so this is just an annoyance.
    
    Oct  8 13:13:19 notwise ftpd[3125]: USER anonymous
    Oct  8 13:13:19 notwise ftpd[3125]: PASS Jgpuserat_private
    Oct  8 13:13:19 notwise ftpd[3125]: ANONYMOUS FTP LOGIN FROM
    AAnnecy-101-1-4-58.abo.wanadoo.fr [193.251.17.58], Jgpuserat_private
    Oct  8 13:13:20 notwise ftpd[3125]: CWD /pub/
    Oct  8 13:13:20 notwise ftpd[3125]: MKD 011008201323p
    Oct  8 13:13:20 notwise ftpd[3125]: CWD /public/
    Oct  8 13:13:21 notwise ftpd[3125]: CWD /pub/incoming/
    Oct  8 13:13:21 notwise ftpd[3125]: CWD /incoming/
    Oct  8 13:13:22 notwise ftpd[3125]: CWD /_vti_pvt/
    Oct  8 13:13:23 notwise ftpd[3125]: CWD /
    Oct  8 13:13:23 notwise ftpd[3125]: MKD 011008201326p
    Oct  8 13:13:24 notwise ftpd[3125]: CWD /upload/
    Oct  8 13:13:24 notwise ftpd[3125]: FTP session closed
    
    
    -- 
    Bob
    MCSE Microsoft Certified System Eliminator
    
    The best way to accelerate a windows box is at 9.8 meters per second square.
    
    All your tanks are belong to me.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Oct 08 2001 - 14:38:11 PDT