Re: FTP back in Vogue?

From: switched (switched@q-east.net)
Date: Wed Mar 13 2002 - 12:49:00 PST

    I think it's the new script kids trying to catch up to the rest of the
    world.  I've seen 2 compromised machines in the last few days via wu-ftp.
    And once the attackers compromised the machine they installed tools which
    scanned for more vulnerable ftp servers... no rootkit, and barely tried to
    hide their tracks.  But overall on my personal server I have seen a sharp
    decrease in ftp traffic as opposed to several months ago.  It is sometimes
    amazing how long a server can go and still have vulnerable services.  But
    in other news I have seen a sharp increase in overall probing/scanning
    activity from 80.0.0.0/8.
    
    ----- Original Message -----
    From: "leon" <leonat_private>
    To: <incidentsat_private>
    Sent: Wednesday, March 13, 2002 1:59 PM
    Subject: FTP back in Vogue?
    
    
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > Hi everyone,
    >
    > Just curious if there is something going on with ftp.  Seem to be
    > getting scanned quite a bit for it (all different networks).  Not
    > sure if the IPs are static or dynamic.  This is a machine running
    > ZoneAlarm on it.  Haven't seen this many probes in a short time since
    > the wu-ftpd vuln.
    >
    > The firewall has blocked Internet access to your computer (FTP) from
    > 24.190.34.140 (FTP) [TCP Flags: S].
    >
    > Time: 3/13/2002 11:50:02 AM
    >
    > The firewall has blocked Internet access to your computer (FTP) from
    > 195.55.99.89 (TCP Port 3178) [TCP Flags: S].
    >
    > Time: 3/13/2002 1:31:58 PM
    >
    > The firewall has blocked Internet access to your computer (FTP) from
    > 80.133.117.45 (TCP Port 3650) [TCP Flags: S].
    >
    > Time: 3/13/2002 2:55:36 PM
    >
    > The firewall has blocked Internet access to your computer (FTP) from
    > 63.133.117.45 (TCP Port 2792) [TCP Flags: S].
    >
    > Time: 3/13/2002 2:58:42 PM
    >
    > Regards,
    >
    > Leon
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
    >
    > iQA/AwUBPI+vodqAgf0xoaEuEQIFuwCbBmcw88WnPPeVGjcRnqTpbD1XazQAoIg+
    > D5ZDMeQaP3bDLkFhc34yb1Cs
    > =POEh
    > -----END PGP SIGNATURE-----
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    
    



    This archive was generated by hypermail 2b30 : Wed Mar 13 2002 - 17:28:58 PST