Security Basics mailing list archives
Is this a scanner?
From: "Pez Mohr" <boredMDer74 () msn com>
Date: Wed, 11 Dec 2002 17:09:10 -0500
First post to list, so please bear with any mistakes I may make.

Received a hit on my FTP server today, and I was wondering whether or not it was a scanner. Roughly three seconds passed between the username being given and the password entered, and I thought that would be quite a long time for an automated scanner, but I doubt that someone randomly chose my IP and decided to log in as this user. I am running this FTP server as a mirror to some of the stuff hosted on http://halo.bungie.org, and consequently I have a public dynDNS url that points to my IP, so I'm not the most hidden box online.

Back to the question: Does the log show a new scanner at work, or is it merely a browser with these values set for anonymous logins? If it were the latter, I don't see why it would have an email address as both the username and password. I'm afraid that BulletProof FTP doesn't log any more than what is below, so these are all of the details I have as of current.

(000059) 12/10/2002 7:25:40 PM - (not logged in) (81.49.70.160) > connected to ip : 192.168.1.2
(000059) 12/10/2002 7:25:40 PM - (not logged in) (81.49.70.160) > sending welcome message.
(000059) 12/10/2002 7:25:40 PM - (not logged in) (81.49.70.160) > 220 All connection attempts logged/reported. Anyone attempting to log in will be reported to their ISP. Access illegal unless prior permission recieved from owner of FTP server.
(000059) 12/10/2002 7:25:43 PM - (not logged in) (81.49.70.160) > USER anonymous () ftp adobe com
(000059) 12/10/2002 7:25:43 PM - (not logged in) (81.49.70.160) > 331 Password required for anonymous () ftp adobe com.
(000059) 12/10/2002 7:25:46 PM - (not logged in) (81.49.70.160) > PASS abc () 126 com
(000059) 12/10/2002 7:25:46 PM - (not logged in) (81.49.70.160) > 530 Login or Password incorrect.
(000059) 12/10/2002 7:25:47 PM - (not logged in) (81.49.70.160) > disconnected.

Pez Mohr
boredMDer74 () msn com
Aspiring BOFH
http://bofh.ntk.net/Bastard.html
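
An added example, not part of the original post and not BulletProof FTP's own tooling: a small Python parser for log lines in the layout shown above that reports, per session, the connect-to-USER and USER-to-PASS gaps, the login reply code, and whether the username is a plain anonymous login. The function and field names are hypothetical, US month/day date order is assumed, and the addresses are kept in the archive's obfuscated form.

```python
import re
from datetime import datetime

# Log lines copied from the post (welcome and 220 banner lines left out).
SAMPLE_LOG = """\
(000059) 12/10/2002 7:25:40 PM - (not logged in) (81.49.70.160) > connected to ip : 192.168.1.2
(000059) 12/10/2002 7:25:43 PM - (not logged in) (81.49.70.160) > USER anonymous () ftp adobe com
(000059) 12/10/2002 7:25:43 PM - (not logged in) (81.49.70.160) > 331 Password required for anonymous () ftp adobe com.
(000059) 12/10/2002 7:25:46 PM - (not logged in) (81.49.70.160) > PASS abc () 126 com
(000059) 12/10/2002 7:25:46 PM - (not logged in) (81.49.70.160) > 530 Login or Password incorrect.
(000059) 12/10/2002 7:25:47 PM - (not logged in) (81.49.70.160) > disconnected.
"""

# Layout assumed from the post: (session) date time - (login) (ip) > text
LINE_RE = re.compile(
    r"^\((?P<sid>\d+)\) (?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) - "
    r"\([^)]*\) \((?P<ip>[\d.]+)\) > (?P<msg>.*)$"
)

def summarize_sessions(log_text):
    """Return one summary dict per FTP session id found in log_text."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected layout
        # Assumes US month/day order; stamps have 1 s resolution,
        # so a gap of 3 means a true gap between 2 and 4 seconds.
        when = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        s = sessions.setdefault(m["sid"], {"ip": m["ip"], "start": when})
        msg = m["msg"]
        if msg.startswith("USER "):
            s["user"], s["user_at"] = msg[5:], when
            s["connect_to_user_s"] = int((when - s["start"]).total_seconds())
            # A stock anonymous login sends exactly "anonymous" or "ftp".
            s["plain_anonymous"] = msg[5:].lower() in ("anonymous", "ftp")
        elif msg.startswith("PASS ") and "user_at" in s:
            s["user_to_pass_s"] = int((when - s["user_at"]).total_seconds())
            s["awaiting_reply"] = True
        elif re.match(r"\d{3} ", msg) and s.pop("awaiting_reply", False):
            s["login_reply"] = msg[:3]  # 230 = accepted, 530 = refused
        elif msg.startswith("disconnected"):
            s["duration_s"] = int((when - s["start"]).total_seconds())
    return list(sessions.values())

if __name__ == "__main__":
    for s in summarize_sessions(SAMPLE_LOG):
        print(s["ip"], s.get("user"), s.get("user_to_pass_s"), s.get("login_reply"))
```

Run over a whole log file, identical gaps and identical USER strings repeated across many source addresses point to one automated tool, while a single session like this one cannot settle the question by timing alone.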
Current thread:
- Is this a scanner? Pez Mohr (Dec 12)
- Re: Is this a scanner? Matti Haack (Dec 13)
- <Possible follow-ups>
- re: Is this a scanner? H C (Dec 13)