I've received the following sequence of probes from several different IP's in the last few hours. I haven't seen this series of probes before. All probes are exactly 2 hours and 55 minutes apart, to the minute. Initially the attacker pings my IP, which this box is set to ignore. Following the ping, scans probe ports 53, 22, and 123. The attackers have ports 21, 22, 23 and 5001 open. An ftp session to port 21 sends the following banner: Connected to xxx.xxx.xxx.xxx 220 ArrowPoint (5.3.1) FTP User (xxx.xxx.xxx.xxx:(none)) Arrowpoint is Cisco: further research on my part couldn't find any history of an automated attack/vulnerability along these lines, and I didn't locate any information regarding this series of probes. Thoughts, anyone? Thanks, Mike Vasquez ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 15:36:55 PDT