Re: big increase in ftp scanning

[Michael Bush <mike () IEACCESS COM>]

202.107.222.172 <- Anonymous FTP: c-class scan (Oct 30 20:05:57 CST)
pc241-gui4.cable.ntl.com <-  " (Oct 19 19:54:30 CST)
p364.as1.cra.dublin.eircom.net <- " (Oct 14 17:27:12 CST)

Well well, 3 people scanned by the same host.

Maybe we should keep a database of 'active scanners' and leave this list to
new scan 'types', possible new exploits and compromises. Just an idea. I'd
don't believe an increase in FTP scans in a sign of anything. Show me
something other failed anonymous FTP logins and I'll be interested. although
I do find it somewhat useful, I'd rather not see this in my mail box.

Mike Bush

----- Original Message -----
From: "Greg Owen" <gowen () SOFTLOCK COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, October 30, 2000 12:36 PM
Subject: Re: big increase in ftp scanning


> > i've seen a ton of ftp scans in the last week.
>
> I had three this weekend, one source in common with yours.
>
> (212.83.90.123) cgmd90123.chello.nl
> (24.28.122.195) cs28122-195.houston.rr.com
> (202.107.222.172) (no PTR record)
>
> All appear to simply be traversing the tree and looking for writable
> directories, rather than probing for compromise.
>
> This server has been running for just over a month and has had no
> probes before this weekend.  Must be that time of the moon.
>
> --
> gowen -- Greg Owen -- gowen () SoftLock com