Security Incidents mailing list archives
Wide Spread TCP 21 -> 21 (SF) Sweep
From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Sat, 4 Nov 2000 13:09:06 -0600
I am noticing what must be a HUGE FTP scan going on, as two completely unrelated networks saw the same thing about 10 hours apart.

X = wireweb network
Y = jump.net network

2000-11-03 14:42:04 203.59.72.172:21 > 216.3.228.XA:21 [3] (ttl 15 len 40)
2000-11-04 00:11:58 203.59.72.172:21 > 216.30.16.YA:21 [3] (ttl 26 len 40)
2000-11-04 00:11:58 203.59.72.172:21 > 216.30.16.YB:21 [3] (ttl 26 len 40)
2000-11-04 00:11:58 203.59.72.172:21 > 216.30.16.YC:21 [3] (ttl 26 len 40)
2000-11-04 00:11:58 203.59.72.172:21 > 216.30.16.YD:21 [3] (ttl 26 len 40)
2000-11-04 00:11:59 203.59.72.172:21 > 216.30.16.YE:21 [3] (ttl 26 len 40)
2000-11-04 00:11:59 203.59.72.172:21 > 216.30.16.YF:21 [3] (ttl 26 len 40)
2000-11-04 00:11:59 203.59.72.172:21 > 216.30.16.YG:21 [3] (ttl 26 len 40)
2000-11-04 00:13:50 203.59.72.172:21 > 216.30.38.YH:21 [3] (ttl 26 len 40)
2000-11-04 00:13:50 203.59.72.172:21 > 216.30.38.YI:21 [3] (ttl 26 len 40)
2000-11-04 00:14:05 203.59.72.172:21 > 216.30.41.YJ:21 [3] (ttl 26 len 40)
2000-11-04 00:14:05 203.59.72.172:21 > 216.30.41.YK:21 [3] (ttl 26 len 40)

Since it appears to be a sequential scan, I did the math to determine exactly how many hosts were being scanned per second, and can guestimate when this kid will scan your network (if it's in the 216.x.x.x block). If you see this scan and feel like comparing notes, drop me a line. All times are in CST.

Hosts-Per-Second: 45-50
45 hosts/sec from net X -> Y inclusive
50 hosts/sec from first Y to last Y

The address reverse resolves to: reggae-05-172.nv.iinet.net.au

This host appears to be a linux machine running a vulnerable version of wu-ftpd. It is unlikely that this is anything but an 0wned machine, because the kiddie should have enough sense to patch his own box for the vuln. he/she is scanning for.

-HD
http://www.digitaldefense.net (work)
http://www.digitaloffense.net (play)
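The rate arithmetic in the post (hosts per second from the timestamp and destination spacing, then extrapolating when the sweep reaches another block) is easy to reproduce for your own logs. The following is an added example written for this archive page, not code from the original post or from H D Moore: it parses the log format shown above, checks the sport==dport sequential-sweep pattern, computes the scan rate, and estimates the arrival time at a chosen address. It assumes the masked last octets (XA, YA, ...) can be treated as 0, which adds up to 255 hosts of error to each point, and it assumes the sweep walks addresses in ascending order, as the author did.

```python
"""Measure a sequential port-21 sweep from log lines and extrapolate its
arrival at a target address. Added example for this archive page; not part of
the original post."""
import re
from datetime import datetime, timedelta
from ipaddress import IPv4Address

# The lines from the post, copied verbatim. The author masked the last octet
# of each destination (XA, YA, ...); the parser treats a masked octet as 0.
SAMPLE_LOG = """\
2000-11-03 14:42:04 203.59.72.172:21 > 216.3.228.XA:21 [3] (ttl 15 len 40)
2000-11-04 00:11:58 203.59.72.172:21 > 216.30.16.YA:21 [3] (ttl 26 len 40)
2000-11-04 00:11:58 203.59.72.172:21 > 216.30.16.YB:21 [3] (ttl 26 len 40)
2000-11-04 00:11:58 203.59.72.172:21 > 216.30.16.YC:21 [3] (ttl 26 len 40)
2000-11-04 00:11:58 203.59.72.172:21 > 216.30.16.YD:21 [3] (ttl 26 len 40)
2000-11-04 00:11:59 203.59.72.172:21 > 216.30.16.YE:21 [3] (ttl 26 len 40)
2000-11-04 00:11:59 203.59.72.172:21 > 216.30.16.YF:21 [3] (ttl 26 len 40)
2000-11-04 00:11:59 203.59.72.172:21 > 216.30.16.YG:21 [3] (ttl 26 len 40)
2000-11-04 00:13:50 203.59.72.172:21 > 216.30.38.YH:21 [3] (ttl 26 len 40)
2000-11-04 00:13:50 203.59.72.172:21 > 216.30.38.YI:21 [3] (ttl 26 len 40)
2000-11-04 00:14:05 203.59.72.172:21 > 216.30.41.YJ:21 [3] (ttl 26 len 40)
2000-11-04 00:14:05 203.59.72.172:21 > 216.30.41.YK:21 [3] (ttl 26 len 40)
"""

# Matches "YYYY-MM-DD HH:MM:SS src:sport > dst:dport [n] (ttl T len L)".
# The last destination octet may be digits or an uppercase mask token.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) > "
    r"(?P<dst3>\d+\.\d+\.\d+)\.(?P<dst4>\d+|[A-Z]+):(?P<dport>\d+) "
    r"\[(?P<count>\d+)\] \(ttl (?P<ttl>\d+) len (?P<len>\d+)\)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    masked = not m["dst4"].isdigit()
    last_octet = 0 if masked else int(m["dst4"])  # assumption: masked -> .0
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": IPv4Address(m["src"]),
        "sport": int(m["sport"]),
        "dst": IPv4Address(f"{m['dst3']}.{last_octet}"),
        "dst_masked": masked,
        "dport": int(m["dport"]),
        "ttl": int(m["ttl"]),
    }


def parse_log(text):
    """Parse all matching lines and return them sorted by timestamp."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def is_sequential_sweep(events):
    """True when every event has the same source, sport == dport, and the
    destinations never go backwards: the signature discussed in the thread."""
    if len(events) < 2:
        return False
    src = events[0]["src"]
    if any(e["src"] != src or e["sport"] != e["dport"] for e in events):
        return False
    dsts = [int(e["dst"]) for e in events]
    return all(a <= b for a, b in zip(dsts, dsts[1:]))


def hosts_per_second(events):
    """Average addresses covered per second between first and last event."""
    first, last = events[0], events[-1]
    seconds = (last["ts"] - first["ts"]).total_seconds()
    if seconds <= 0:
        return None
    return (int(last["dst"]) - int(first["dst"])) / seconds


def estimate_arrival(events, target):
    """Extrapolate from the last observed destination to `target`.
    Returns None if the sweep already passed it or no rate is available."""
    rate = hosts_per_second(events)
    last = events[-1]
    remaining = int(IPv4Address(target)) - int(last["dst"])
    if rate is None or remaining < 0:
        return None
    return last["ts"] + timedelta(seconds=remaining / rate)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("sequential sweep:", is_sequential_sweep(ev))
    print("overall rate: %.1f hosts/sec" % hosts_per_second(ev))
    print("rate within Y: %.1f hosts/sec" % hosts_per_second(ev[1:]))
    print("ETA at 216.31.0.1:", estimate_arrival(ev, "216.31.0.1"))
```

With the masked octets taken as 0, the X-to-Y rate comes out near 50 hosts/sec rather than the author's 45, which is the expected effect of the missing last octets; the Y-only rate matches the post's 50. Feed the parser your own sensor lines in the same format to compare notes.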
Current thread:
- Wide Spread TCP 21 -> 21 (SF) Sweep H D Moore (Nov 06)
- Those sport==dport, SF scans Stephen P. Berry (Nov 08)