Re: CodeRed-like FTP worm?

From: H C (keydet89at_private)
Date: Thu Dec 13 2001 - 12:42:37 PST


    Rich,
    
    What about the connections led you to think that this
    was some kind of worm?  W/o a more detailed
    explanation, it would seem that the logs show nothing
    more than SYN packets...which doesn't really tell you
    much. 
    
    To be honest, there's nothing in the logs you've
    included to indicate any kind of worm activity, let
    alone Code Red-like activity.  Can you elaborate on
    what it was that led you to this conclusion?
    
    Thanks.
    
    --- "Ascent - Compton, Richard"
    <RCompton@ascent-corp.com> wrote:
    > Hello,
    > I keep seeing attempted connections to ftp by
    > various boxes in the same
    > subnets.  Could this be some sort of scan for
    > vulnerable ftp servers?
    > Something like a CodeRed ftp worm?
    > 
    > Thanks for any info in advance,
    > 
    > Rich
    > 
    > 
    > Tue Dec 11 11:08:04    FTP connection from 80.11.101.8
    > Tue Dec 11 12:38:26    FTP connection from 210.65.171.32
    > Tue Dec 11 14:06:27    FTP connection from 193.253.37.13
    > Tue Dec 11 15:04:45    FTP connection from 193.253.37.13
    > Tue Dec 11 18:16:47    FTP connection from 217.136.112.196
    > Wed Dec 12 04:14:53    FTP connection from 202.224.159.46
    > Wed Dec 12 11:41:52    FTP connection from 141.24.92.89
    > Wed Dec 12 12:15:11    FTP connection from 80.11.85.121
    > Wed Dec 12 13:38:03    FTP connection from 213.191.132.98
    > Wed Dec 12 14:08:30    FTP connection from 210.58.12.142
    > Wed Dec 12 14:41:33    FTP connection from 217.129.33.236
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS
    > analyzer service.
    > For more information on this free incident handling,
    > management 
    > and tracking system please see:
    > http://aris.securityfocus.com
    > 
    
    



    This archive was generated by hypermail 2b30 : Thu Dec 13 2001 - 13:41:06 PST
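
A connection-only log in the format quoted above can be summarized by source, network and rate before drawing conclusions from it. This is an added example, not part of the original thread: the sample lines are constructed with documentation-range addresses, and the function names, the assumed year and the /24 grouping are assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the quoted log's format (documentation-range addresses).
SAMPLE = """\
Tue Dec 11 11:08:04    FTP connection from 192.0.2.8
Tue Dec 11 12:38:26    FTP connection from 198.51.100.32
Tue Dec 11 14:06:27    FTP connection from 203.0.113.13
Tue Dec 11 15:04:45    FTP connection from 203.0.113.13
Wed Dec 12 04:14:53    FTP connection from 192.0.2.121
Wed Dec 12 11:41:52    FTP connection from 198.51.100.89
"""

LINE = re.compile(r"^\w{3} (\w{3} +\d+ [\d:]{8})\s+FTP connection from (\S+)$")

def parse(text, year=2001):
    """Yield (timestamp, ip) per well-formed line. The log omits the year, so it is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        try:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # malformed timestamp or address: skip rather than guess
        yield ts, ip

def summarize(text, prefix=24):
    """Count events, distinct and repeating sources, per-network totals and hourly rate."""
    events = sorted(parse(text), key=lambda e: e[0])
    sources = Counter(str(ip) for _, ip in events)
    nets = Counter(
        str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)) for _, ip in events
    )
    hours = (events[-1][0] - events[0][0]).total_seconds() / 3600 if events else 0
    return {
        "events": len(events),
        "distinct_sources": len(sources),
        "repeat_sources": sorted(s for s, n in sources.items() if n > 1),
        "networks": dict(nets),
        "events_per_hour": len(events) / hours if hours else None,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

The summary describes only who connected and how often; it carries no session or payload data, so it cannot by itself distinguish a worm from ordinary scanning or legitimate clients.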