RE: increase in ftp scanning

From: Benninghoff, John (John.Benninghoffat_private)
Date: Tue Mar 05 2002 - 07:44:58 PST


    I regularly see ftp scans from t-dialin.net (Germany's major ISP) and wanadoo.fr (France) ... They're almost always looking for open ftp sites, where they can set up an mp3/warez repository.
    
    Usually they use a tool called Grim's Ping (http://grimsping.cjb.net/).
    
    I generally ignore these scans, since t-dialin and wanadoo have a reputation of totally ignoring any & all abuse reports.
    
    -----Original Message-----
    From: quentynat_private [mailto:quentynat_private]
    Sent: Monday, March 04, 2002 6:16 AM
    To: incidentsat_private
    Subject: increase in ftp scanning
    
    
    Has anyone else noticed a huge increase in ftp scanning over the last
    few weeks (esp. the last 2)?
    
    Normally I would expect to see 1 scan every few days, but in the last
    few weeks it has been several each night.
    
    for example (this is from a host with no externally offered services)
    
    
    Mar  2 15:14:46 TCP: ftp connection attempt from pD9E55ADF.dip.t-dialin.net (217.229.90.223):1583
    Mar  2 16:42:48 TCP: ftp connection attempt from 213.82.69.34:1309
    Mar  2 16:42:51 TCP: ftp connection attempt from 213.82.69.34:1309
    Mar  2 16:42:57 TCP: ftp connection attempt from 213.82.69.34:1309
    Mar  2 16:43:09 TCP: ftp connection attempt from 213.82.69.34:1309
    Mar  2 17:00:54 TCP: ftp connection attempt from D576EB25.kabel.telenet.be (213.118.235.37):1479
    Mar  2 20:40:42 TCP: ftp connection attempt from 203.43.206.34:21
    Mar  2 22:15:53 TCP: ftp connection attempt from www.partcenter.com (217.31.128.124):21
    
    
    Is this warez kiddies looking for an open share or script kiddies looking
    for a vulnerable version of wuftp (or similar)?
    
    -- 
    #####################
    Quentyn Taylor
    Sysadmin - Fotango
    #####################
    `Naturally, a sysadmin's entire person is holy. We have the power to
    kill daemons.' 
       Mike Sphar
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
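
An added example, not part of either message: a triage script for log lines in the format quoted above. It rejoins mail-wrapped records, merges repeated lines from the same source IP and port into one attempt, and flags source ports below 1024. The sample data is constructed; the 60-second merge window and the `year` default are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in the excerpt's format (RFC 5737 addresses, example.net host).
SAMPLE = """\
Mar  2 15:14:46 TCP: ftp connection attempt from
dial-17.example.net
(192.0.2.17):1583
Mar  2 16:42:48 TCP: ftp connection attempt from 198.51.100.34:1309
Mar  2 16:42:51 TCP: ftp connection attempt from 198.51.100.34:1309
Mar  2 16:42:57 TCP: ftp connection attempt from 198.51.100.34:1309
Mar  2 16:43:09 TCP: ftp connection attempt from 198.51.100.34:1309
Mar  2 20:40:42 TCP: ftp connection attempt from 203.0.113.34:21
Mar  3 02:10:05 TCP: ftp connection attempt from 198.51.100.34:1422
"""
STAMP = re.compile(r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
ENTRY = re.compile(r"(?P<ts>\w{3} +\d+ [\d:]{8}) TCP: ftp connection attempt from "
                   r"(?:(?P<host>\S+) )?\(?(?P<ip>\d+(?:\.\d+){3})\)?:(?P<port>\d+)$")

def parse(text, year=2002):
    """Rejoin mail-wrapped records; return sorted (time, ip, src_port, host) tuples."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)          # a timestamp starts a new record
        else:
            records[-1] += " " + line     # continuation of a wrapped record
    events = []
    for m in filter(None, map(ENTRY.match, records)):
        # The log format carries no year, so the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], int(m["port"]), m["host"] or ""))
    return sorted(events)

def collapse(events, window=timedelta(seconds=60)):
    """Merge lines from one ip:port seen within `window` of the previous line."""
    attempts, last = [], {}
    for ts, ip, port, host in events:
        cur = last.get((ip, port))
        if cur and ts - cur["last"] <= window:
            cur["last"], cur["lines"] = ts, cur["lines"] + 1
        else:
            cur = last[(ip, port)] = {"ip": ip, "port": port, "host": host, "first": ts,
                                      "last": ts, "lines": 1, "low_port": port < 1024}
            attempts.append(cur)
    return attempts

if __name__ == "__main__":
    for a in collapse(parse(SAMPLE)):
        print(a["first"], a["ip"], a["port"], f"lines={a['lines']}", "low-src-port" * a["low_port"])
```

Counting collapsed attempts per source IP rather than raw log lines keeps a single retried connection from inflating the scan rate.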
    
    
    



    This archive was generated by hypermail 2b30 : Tue Mar 05 2002 - 08:59:18 PST