Re: CodeRed-like FTP worm?

From: Neil McKellar (mckellarat_private)
Date: Thu Dec 13 2001 - 10:51:22 PST

Next message: Jonathan Bloomquist: "Re: Voluminous SSHd scanning; possible worm activity?"

Previous message: Jagh, Kevin (TGA/MLOL): "SOPHOS REPLY: RE: Gokar Worm?"
In reply to: Ascent - Compton, Richard: "CodeRed-like FTP worm?"
Next in thread: H C: "Re: CodeRed-like FTP worm?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

"Ascent - Compton, Richard" wrote:
> 
> Hello,
> I keep seeing attempted connections to ftp by various boxes in the same
> subnets.  Could this be some sort of scan for vulnerable ftp servers?
> Something like a CodeRed ftp worm?
> 
> Thanks for any info in advance,
> 
> Rich
> 
> Tue Dec 11 11:08:04    FTP connection from 80.11.101.8
> Tue Dec 11 12:38:26    FTP connection from 210.65.171.32
> Tue Dec 11 14:06:27    FTP connection from 193.253.37.13
> Tue Dec 11 15:04:45    FTP connection from 193.253.37.13
> Tue Dec 11 18:16:47    FTP connection from 217.136.112.196
> Wed Dec 12 04:14:53    FTP connection from 202.224.159.46
> Wed Dec 12 11:41:52    FTP connection from 141.24.92.89
> Wed Dec 12 12:15:11    FTP connection from 80.11.85.121
> Wed Dec 12 13:38:03    FTP connection from 213.191.132.98
> Wed Dec 12 14:08:30    FTP connection from 210.58.12.142
> Wed Dec 12 14:41:33    FTP connection from 217.129.33.236

I'm seeing some addresses in common with one of the FTP servers here,
too:

193.251.4.218, 193.252.178.248, 80.11.87.134, 217.128.164.17 which are
under the same domain as the 193. and 80. addresses you listed
(wanadoo.fr).  We've been seeing attempted FTP connections from this
domain for months.  I've also seen attempted connects from aol.com (no
surprise) and dip.t-dialin.net (eg. 217.1.98.129 and 217.228.230.250).
Those three are the most frequent with several attempts every week.
The one thing they all have in common is that it's consistently dialup
connections knocking at the door.

I wouldn't call that a worm.  More like idle curiosity.  Still, this
server isn't broadly advertised or anything, so I'm thinking it must
have come up in a scan at some point (but there's no IDS here and I
don't have access to the firewall so who can say).  The FTP process
wasn't always TCP wrapped either.
--
Neil McKellar (mckellarat_private)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Jonathan Bloomquist: "Re: Voluminous SSHd scanning; possible worm activity?"
Previous message: Jagh, Kevin (TGA/MLOL): "SOPHOS REPLY: RE: Gokar Worm?"
In reply to: Ascent - Compton, Richard: "CodeRed-like FTP worm?"
Next in thread: H C: "Re: CodeRed-like FTP worm?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Dec 13 2001 - 11:00:11 PST