This is done by an automated scanning tool called grim's ping. Take a look at http://grimsping.cjb.net/ to learn more about it. The software is used not to find vulnerable ftp servers, but to find misconfigured ftp servers that can be used to trade warez on. I think many people are being scanned by this tool. Most scans I get that follow this pattern either come from wanadoo.fr or t-dialin.net/t-online.de. These imo are the two european ISPs that have a large number of cable/dsl users, but are least likely to act on complaints. Pieter-Bas > My ftp server has been getting probed to see if it accepts anonymous uploads > from ftp@.*wanadoo.fr. Specifically: > > 217.128.209.122 > 80.13.216.42 > 80.13.237.189 > 217.128.235.25 > > It appears to be a script checking: > > /images/: ... > /usr/incoming/: ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jun 04 2002 - 08:32:22 PDT