I think it's the new script kids trying to catch up to the rest of the world. I've seen 2 compromised machines in the last few days via wu-ftp. And once the attackers compromised the machine they installed tools which scanned for more vulnerable ftp servers... no rootkit, and barely tried to hide their tracks.

But overall on my personal server I have seen a sharp decrease in ftp traffic as opposed to several months ago. It is sometimes amazing how long a server can go and still have a vulnerable service.

But in other news I have seen a sharp increase in overall probing/scanning activity from 80.0.0.0/8.

----- Original Message -----
From: "leon" <leonat_private>
To: <incidentsat_private>
Sent: Wednesday, March 13, 2002 1:59 PM
Subject: FTP back in Vogue?

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi everyone,
>
> Just curious if there is something going on with ftp. Seem to be
> getting scanned quite a bit for it (all different networks). Not
> sure if the ips are static or dynamic. This is a machine running
> ZoneAlarm on it. Haven't seen this many probes in a short time since
> the wu-ftpd vuln.
>
> The firewall has blocked Internet access to your computer (FTP) from
> 24.190.34.140 (FTP) [TCP Flags: S].
>
> Time: 3/13/2002 11:50:02 AM
>
> The firewall has blocked Internet access to your computer (FTP) from
> 195.55.99.89 (TCP Port 3178) [TCP Flags: S].
>
> Time: 3/13/2002 1:31:58 PM
>
> The firewall has blocked Internet access to your computer (FTP) from
> 80.133.117.45 (TCP Port 3650) [TCP Flags: S].
>
> Time: 3/13/2002 2:55:36 PM
>
> The firewall has blocked Internet access to your computer (FTP) from
> 63.133.117.45 (TCP Port 2792) [TCP Flags: S].
>
> Time: 3/13/2002 2:58:42 PM
>
> Regards,
>
> Leon
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBPI+vodqAgf0xoaEuEQIFuwCbBmcw88WnPPeVGjcRnqTpbD1XazQAoIg+
> D5ZDMeQaP3bDLkFhc34yb1Cs
> =POEh
> -----END PGP SIGNATURE-----
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> ----------------------------------------------------------------------------
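
Alerts in the format quoted in this thread can be parsed and tallied by source network, which is one way to check a trend such as the per-/8 increase the reply mentions. This is an added example, not part of either message; the sample alerts are constructed with documentation addresses, and `parse_alerts` and `syn_probes_by_net` are hypothetical names.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample in the alert format quoted above (RFC 5737 addresses).
SAMPLE = """\
The firewall has blocked Internet access to your computer (FTP) from
192.0.2.14 (FTP) [TCP Flags: S].

Time: 3/13/2002 11:50:02 AM

The firewall has blocked Internet access to your computer (FTP) from
198.51.100.89 (TCP Port 3178) [TCP Flags: S].

Time: 3/13/2002 1:31:58 PM

The firewall has blocked Internet access to your computer (FTP) from
198.51.100.45 (TCP Port 3650) [TCP Flags: S].

Time: 3/13/2002 2:55:36 PM
"""

# One alert = blocked service, source IP, source port label, TCP flags, time.
ALERT = re.compile(
    r"blocked Internet access to your computer \((?P<service>[^)]+)\)\s+from\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) \((?P<sport>[^)]+)\) "
    r"\[TCP Flags: (?P<flags>[A-Z]+)\]\.\s+Time: (?P<time>[^\n]+)")

def parse_alerts(text):
    """Return one dict per alert; tolerates '> ' mail quoting and line wraps."""
    text = re.sub(r"(?m)^(?:>[ \t]?)+", "", text)  # strip quote markers
    alerts = []
    for m in ALERT.finditer(text):
        try:
            src = ip_address(m["src"])
        except ValueError:
            continue  # looks like an address but is not one (e.g. 999.1.1.1)
        when = datetime.strptime(m["time"].strip(), "%m/%d/%Y %I:%M:%S %p")
        alerts.append({"service": m["service"], "src": src,
                       "sport": m["sport"], "flags": m["flags"], "time": when})
    return alerts

def syn_probes_by_net(alerts, prefix=8):
    """Count bare-SYN probes per source network of the given prefix length."""
    return Counter(str(ip_network(f"{a['src']}/{prefix}", strict=False))
                   for a in alerts if a["flags"] == "S")
```
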
This archive was generated by hypermail 2b30 : Wed Mar 13 2002 - 17:28:58 PST