I have gotten so many scans from t-dialin.net and wanadoo.fr for FTP and everything else under the sun that I have /dev/null'ed all their packets. I sent many messages to their abuse@ and to the upstream, gotten many polite replies about how they will take care of it just as soon as they have a chance!! I find a new /24 every now and again. Just block them out! I've attached part of my ipchains. Gary B At 12:15 PM 3/4/2002 +0000, quentynat_private wrote: >Has any one else notice a huge increase in ftp scanning over the last >few weeks ( esp the last 2) > >Normally I would expect to see 1 scan every few days, but in the last >few weeks it has been several each night > >for example (this is from a host with no externally offered services) > > >Mar 2 15:14:46 TCP: ftp connection attempt from >pD9E55ADF.dip.t-dialin.net >(217.229.90.223):1583 >Mar 2 16:42:48 TCP: ftp connection attempt from 213.82.69.34:1309 >Mar 2 16:42:51 TCP: ftp connection attempt from 213.82.69.34:1309 >Mar 2 16:42:57 TCP: ftp connection attempt from 213.82.69.34:1309 >Mar 2 16:43:09 TCP: ftp connection attempt from 213.82.69.34:1309 >Mar 2 17:00:54 TCP: ftp connection attempt from >D576EB25.kabel.telenet.be >(213.118.235.37):1479 >Mar 2 20:40:42 TCP: ftp connection attempt from 203.43.206.34:21 >Mar 2 22:15:53 TCP: ftp connection attempt from www.partcenter.com >(217.31.128.124):21 > > >is this warez kiddies looking for open share or script kiddies looking >for a vulnerable version of wuftp (or similar)? > >-- >##################### >Quentyn Taylor >Sysadmin - Fotango >##################### >`Naturally, a sysadmin's entire person is holy. We have the power to >kill daemons.' > Mike Sphar > >---------------------------------------------------------------------------- >This list is provided by the SecurityFocus ARIS analyzer service. >For more information on this free incident handling, management >and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Mar 05 2002 - 08:46:15 PST