Re: CodeRed-like FTP worm?

From: Neil McKellar (mckellarat_private)
Date: Thu Dec 13 2001 - 10:51:22 PST

    "Ascent - Compton, Richard" wrote:
    > 
    > Hello,
    > I keep seeing attempted connections to ftp by various boxes in the same
    > subnets.  Could this be some sort of scan for vulnerable ftp servers?
    > Something like a CodeRed ftp worm?
    > 
    > Thanks for any info in advance,
    > 
    > Rich
    > 
    > Tue Dec 11 11:08:04    FTP connection from 80.11.101.8
    > Tue Dec 11 12:38:26    FTP connection from 210.65.171.32
    > Tue Dec 11 14:06:27    FTP connection from 193.253.37.13
    > Tue Dec 11 15:04:45    FTP connection from 193.253.37.13
    > Tue Dec 11 18:16:47    FTP connection from 217.136.112.196
    > Wed Dec 12 04:14:53    FTP connection from 202.224.159.46
    > Wed Dec 12 11:41:52    FTP connection from 141.24.92.89
    > Wed Dec 12 12:15:11    FTP connection from 80.11.85.121
    > Wed Dec 12 13:38:03    FTP connection from 213.191.132.98
    > Wed Dec 12 14:08:30    FTP connection from 210.58.12.142
    > Wed Dec 12 14:41:33    FTP connection from 217.129.33.236
    
    I'm seeing some addresses in common with one of the FTP servers here,
    too:
    
    193.251.4.218, 193.252.178.248, 80.11.87.134, 217.128.164.17 which are
    under the same domain as the 193. and 80. addresses you listed
    (wanadoo.fr).  We've been seeing attempted FTP connections from this
    domain for months.  I've also seen attempted connects from aol.com (no
    surprise) and dip.t-dialin.net (e.g. 217.1.98.129 and 217.228.230.250).
    Those three are the most frequent with several attempts every week.
    The one thing they all have in common is that it's consistently dialup
    connections knocking at the door.
    
    I wouldn't call that a worm.  More like idle curiosity.  Still, this
    server isn't broadly advertised or anything, so I'm thinking it must
    have come up in a scan at some point (but there's no IDS here and I
    don't have access to the firewall so who can say).  The FTP process
    wasn't always TCP wrapped either.
    --
    Neil McKellar (mckellarat_private)
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
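The question in this thread is whether a handful of FTP connection lines look like a scan or like stray dialup users, and both posters answer it by eyeballing which source addresses share a provider's netblock or show up more than once. The following script is an added example, not code from either poster: it parses the connection lines in the shape quoted above (constructed sample embedded inline, taken from the addresses Rich posted), then aggregates the sources by /16 and by exact address so that repeated hosts and clustered netblocks stand out without manual inspection. The log format, the /16 aggregation and the "two or more" threshold are assumptions for the illustration; real deployments would feed it the wrapper or ftpd log in whatever format that host writes.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log, in the "<day> <mon> <dd> <HH:MM:SS>    FTP connection from <ip>"
# shape quoted in the thread. The addresses are the ones Rich listed; the line
# format itself is an assumption, since the original poster did not name the logger.
SAMPLE_LOG = """\
Tue Dec 11 11:08:04    FTP connection from 80.11.101.8
Tue Dec 11 12:38:26    FTP connection from 210.65.171.32
Tue Dec 11 14:06:27    FTP connection from 193.253.37.13
Tue Dec 11 15:04:45    FTP connection from 193.253.37.13
Tue Dec 11 18:16:47    FTP connection from 217.136.112.196
Wed Dec 12 04:14:53    FTP connection from 202.224.159.46
Wed Dec 12 11:41:52    FTP connection from 141.24.92.89
Wed Dec 12 12:15:11    FTP connection from 80.11.85.121
Wed Dec 12 13:38:03    FTP connection from 213.191.132.98
Wed Dec 12 14:08:30    FTP connection from 210.58.12.142
Wed Dec 12 14:41:33    FTP connection from 217.129.33.236
"""

# One connection line: a syslog-style timestamp (no year), then the fixed message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2})\s+FTP connection from (?P<ip>[\d.]+)$"
)


def parse(log_text):
    """Return [(timestamp_str, IPv4Address), ...]; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group("ts"), ip_address(m.group("ip"))))
    return events


def by_prefix(events, prefixlen):
    """Count attempts per aggregate network of the given prefix length (e.g. 16 for a /16)."""
    counts = Counter()
    for _, ip in events:
        # strict=False lets a host address stand in for its containing network
        counts[ip_network(f"{ip}/{prefixlen}", strict=False)] += 1
    return counts


def summarize(log_text, threshold=2, prefixlen=16):
    """Aggregate a log into the figures a handler would want before calling something a scan:
    how many attempts, how many distinct sources, which sources repeat, and which
    aggregates (default /16, a rough stand-in for one provider's dialup pool) cluster."""
    events = parse(log_text)
    per_ip = Counter(ip for _, ip in events)
    return {
        "total": len(events),
        "unique_sources": len(per_ip),
        # hosts that came back: a single address knocking repeatedly is more
        # interesting than one-off visitors
        "repeat_sources": [str(ip) for ip, n in per_ip.items() if n >= threshold],
        # aggregates with several distinct attempts: many different hosts from
        # one pool looks like a dialup population, not a single scanner
        "clustered_nets": {
            str(net): n
            for net, n in by_prefix(events, prefixlen).most_common()
            if n >= threshold
        },
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} attempts from {report['unique_sources']} distinct sources")
    print("repeat sources:", ", ".join(report["repeat_sources"]) or "none")
    for net, n in report["clustered_nets"].items():
        print(f"  {net}: {n} attempts")
```

On the sample, the only repeating host is 193.253.37.13 and the only clustered aggregates are 80.11.0.0/16 and 193.253.0.0/16, two attempts each, which is the same picture Neil drew by hand (a few wanadoo.fr dialup pools, no single source hammering the port). A worm would show up here as many distinct sources spread across unrelated /16s, each hitting once in a short window, rather than a couple of provider pools reappearing over days.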
    
    This archive was generated by hypermail 2b30 : Thu Dec 13 2001 - 11:00:11 PST