> -----Original Message-----
> From: Moo [mailto:frasat_private]
> Sent: 6 November 2002 22:44
> To: Owen McCusker; incidentsat_private
> Subject: Re: anoat_private ftpd dip.t-dialin.net
>
>
> On November 6, 2002 09:50 pm, Owen McCusker wrote:
> well they could be doing speed tests on your site to see if
> they want to use
> it as PUB distro for warez.

I think you are (partially :) right.

This is probably some automated tool which scans available anonymous ftp servers and uploads a file to it. As far as I can see, they usually use a 1000000-byte file to do a speed test; at least that was the case on servers I manage.

In this case I believe they are looking only for "open" anonymous ftp servers as (in this case) they transfer only small files which are not enough to test speed, and from dial-up/DSL lines. Speed testing is usually done to some other server (which they already found) which is on a fast line.

I get loads of anonymous ftp connects on my ftp server, although anonymous login is forbidden. Logs are like this one:

Nov 8 08:06:52 my_server proftpd[10693]: my_server (213-140-20-183.fastres.net[213.140.20.183]) - FTP session opened.
Nov 8 08:06:52 my_server proftpd[10693]: my_server (213-140-20-183.fastres.net[213.140.20.183]) - no such user 'anonymous'
Nov 8 08:06:52 my_server proftpd[10693]: my_server (213-140-20-183.fastres.net[213.140.20.183]) - FTP session closed.

I'd recommend closing anonymous logins (unless you *really* need it) and using tcp wrappers on the ftp server to deny connections.

Best regards,

Bojan Zdrnja

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Nov 09 2002 - 03:40:14 PST
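
An added example, not part of the original message: a small parser that counts rejected anonymous logins per source address in proftpd syslog lines of the format quoted above and renders tcp wrappers deny entries for repeat sources. The sample log, the threshold, and the `proftpd` daemon name used in the deny lines are assumptions; the daemon name must match how tcp wrappers identifies your FTP service.

```python
import re
from collections import Counter

# Constructed sample in the format of the log lines quoted in the message.
# Addresses come from documentation ranges and are not real hosts.
SAMPLE_LOG = """\
Nov  8 08:06:52 my_server proftpd[10693]: my_server (a.example.net[192.0.2.10]) - FTP session opened.
Nov  8 08:06:52 my_server proftpd[10693]: my_server (a.example.net[192.0.2.10]) - no such user 'anonymous'
Nov  8 08:06:52 my_server proftpd[10693]: my_server (a.example.net[192.0.2.10]) - FTP session closed.
Nov  8 08:09:13 my_server proftpd[10701]: my_server (a.example.net[192.0.2.10]) - no such user 'anonymous'
Nov  8 09:15:40 my_server proftpd[10822]: my_server (b.example.org[198.51.100.7]) - no such user 'anonymous'
Nov  8 09:20:02 my_server proftpd[10840]: my_server (c.example.com[203.0.113.5]) - no such user 'backup'
"""

# proftpd[pid]: server (reverse-name[ipv4]) - message
LINE_RE = re.compile(
    r"proftpd\[\d+\]: \S+ \((?P<host>[^\[\]]*)\[(?P<ip>[0-9.]+)\]\) - (?P<msg>.*)$"
)
ANON_MSG = "no such user 'anonymous'"


def anonymous_probes(log_text):
    """Count rejected anonymous logins per source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Key on the IP, not the reverse name, which the client's DNS controls.
        if m and m.group("msg").strip() == ANON_MSG:
            hits[m.group("ip")] += 1
    return hits


def hosts_deny_lines(hits, threshold=2, daemon="proftpd"):
    """Render 'daemon: client' entries for sources at or above threshold."""
    return [f"{daemon}: {ip}" for ip, n in sorted(hits.items()) if n >= threshold]


if __name__ == "__main__":
    probes = anonymous_probes(SAMPLE_LOG)
    for ip, n in probes.most_common():
        print(f"{ip}\t{n} rejected anonymous login(s)")
    print("\n".join(hosts_deny_lines(probes)))
```

Review the generated entries before adding them to hosts.deny, since dial-up and DSL sources like the ones described in the message often change addresses.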