Re: [OT?] Anybody Recognize These Uploads?

["Eric N. Valor" <ericv () cruzio com>]

Well, I can't say what the data might be.  But dip.t-dialin.net is a 
constant source of anon FTP scans.  The admins claim to care, but 
don't.  Just delete the data and filter that netblock.

At 12:00 PM 12/24/2002 -0500, you wrote:

> Hi All,
>
> Maybe kind of off-topic, maybe not.
>
> My FTP server at home allows sand-boxed FTP uploads [1].  Occasionally
> I see things in there with all-numeric filenames.  They seem to be some
> kind of unidentified [2] data.  They're all the same size.  Here's
> what's there currently:
>
> $ ls -l [0-9]*
> -rw-rw-r--   1 ftp      ftp       104154 Dec 20 18:21 389.204
> -rw-rw-r--   1 ftp      ftp       104154 Dec 21 09:27 449.833
> -rw-rw-r--   1 ftp      ftp       104154 Dec 24 08:15 57.605
> -rw-rw-r--   1 ftp      ftp       104154 Nov 29 13:30 689.279
> -rw-rw-r--   1 ftp      ftp       104154 Dec 23 12:31 881.787
>
> With one exception, these all came from dip.t-dialin.net space.  The
> other came from gte.net space.  All users anon logged in as
> "ano () ano com."
>
> I long ago disallowed FTP access by wanadoo.fr users due to wide-spread
> FTP abuse from that space and poor abuse handling by wanadoo.fr.  I'm
> wondering if this isn't the same kind of thing?
>
> [1] FTP "incoming" directory is write-only.  Users can't even get a
>     directory listing and file over-writes are prohibited.
> [2] Unidentified by "file mumble"
>
> Thanks,
> Jim
> --
> Jim Seymour                  | PGP Public Key available at:
> jseymour () LinxNet com         | http://www.uk.pgp.net/pgpnet/pks-commands.html
> http://jimsun.LinxNet.com    |

--
Eric N. Valor
ericv () cruzio com
PGP Key 2048/1024 227B04CB
Key Fingerprint = 766C CA15 0FFF E54B 2FEE  C7D7 0F87 3AFB 227B 04CB

: This Space Intentionally Left Blank :

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards