Re: FTP connection attempts

[billp () ROCKETCASH COM (Bill Pennington)]

Just to be on the paranod side I would check your ftp server logs to see
if this person is trying to use the PASV overflow attack to open up
ports in your firewall. I have seen a real increase in probes for ftp
services. My first thought is that it is some warez kiddie looking for a
place to put his warez or someone trying to exploit the ftp pasv hole.

If you find out for sure I would love to know.

JF Prieur wrote:
> Hello,
>
> Being a relative newbie to the security scene, I have had this person trying
> to log in to our ftp server for a few hours now. Now I don't want to be
> overly paranoid but is this someone just trying to log in or are there any
> other sinister things I should be worrying about:
>
> Running Serv-U FTP 2.5d on NT 4/sp6a
>
> Excerpt from log file:
> [5] Thu 23Mar00 12:18:10 - (000043) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:18:12 - (000043) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:18:17 - (000043) Closing connection
> [5] Thu 23Mar00 12:18:19 - (000044) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:18:19 - (000044) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:18:29 - (000044) Closing connection
> [5] Thu 23Mar00 12:18:34 - (000045) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:18:34 - (000045) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:18:40 - (000045) Closing connection
> [5] Thu 23Mar00 12:18:45 - (000046) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:18:45 - (000046) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:18:52 - (000046) Closing connection
> [5] Thu 23Mar00 12:18:57 - (000047) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:18:57 - (000047) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:19:05 - (000047) Closing connection
> [5] Thu 23Mar00 12:19:07 - (000048) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:19:07 - (000048) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:19:13 - (000048) Closing connection
> [5] Thu 23Mar00 12:19:29 - (000049) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:19:29 - (000049) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:19:36 - (000049) Closing connection
> [5] Thu 23Mar00 12:19:41 - (000050) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:19:41 - (000050) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:19:52 - (000050) Closing connection
> [5] Thu 23Mar00 12:19:58 - (000051) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:19:58 - (000051) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:20:10 - (000051) Closing connection
> [5] Thu 23Mar00 12:20:16 - (000052) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:20:16 - (000052) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:20:31 - (000052) Closing connection
> [5] Thu 23Mar00 12:20:38 - (000053) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:20:38 - (000053) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:20:50 - (000053) Closing connection
> [5] Thu 23Mar00 12:20:56 - (000054) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:20:56 - (000054) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:21:04 - (000054) Closing connection
> [5] Thu 23Mar00 12:21:10 - (000055) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:21:10 - (000055) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:21:18 - (000055) Closing connection
> [5] Thu 23Mar00 12:21:20 - (000056) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:21:20 - (000056) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:21:33 - (000056) Closing connection
> [5] Thu 23Mar00 12:21:40 - (000057) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:21:40 - (000057) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:22:14 - (000058) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:22:14 - (000058) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:22:18 - (000057) Closing connection
> [5] Thu 23Mar00 12:22:25 - (000058) Closing connection
> [5] Thu 23Mar00 12:22:31 - (000059) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:22:31 - (000059) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:22:41 - (000059) Closing connection
> [5] Thu 23Mar00 12:22:44 - (000060) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:22:44 - (000060) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:22:53 - (000060) Closing connection
> [5] Thu 23Mar00 12:22:58 - (000061) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:22:58 - (000061) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:23:06 - (000061) Closing connection
> [5] Thu 23Mar00 12:23:09 - (000062) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:23:09 - (000062) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:23:18 - (000062) Closing connection
> [5] Thu 23Mar00 12:23:22 - (000063) Connected to 193.68.10.73 (Local address
> 10.x.x.x)
> [5] Thu 23Mar00 12:23:22 - (000063) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
> [5] Thu 23Mar00 12:23:28 - (000063) Closing connection
>
> and on and on. I've blacklisted 193.68.10.* and anyways, I don't allow
> anonymous connections. Should I be doing anything else? I fired off an email
> to digsys.bg
>
> Thanks
> JF Prieur, MCSE
> Benevolent Network Dictator
> e being communications inc.
>
> The year before I was born we walked on the moon,
> now 31 years later it is considered a modern feat of
> science to grow tomatos in low earth orbit.

--

Bill Pennington
Senior IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com