Security Incidents mailing list archives
annoying ftp probes
From: Emil Popov <emo () ds primasoft bg>
Date: Mon, 20 Aug 2001 10:33:03 +0000
Hi,

I have been getting some annoying connections to my ftpd like:

Aug 20 07:58:28 ds ftpd[7527]: connection from cc821361-d.vron1.nj.home.com
Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM cc821361-d.vron1.nj.home.com, guest () here com
Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p

Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM ip-90-202.evc.net, guest () here com
Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p

They are coming from various ISPs at random time intervals. It seems that this is some scanner that searches for world-writable ftp sites, and since those requests have been coming from *almost* random hosts, I am only able to cumulatively add whole ISP domains to my hosts.deny.

I added a response line, i.e. an instant nmap to those guys, and up to now my nmap resulted in scanning either the firewall of the ISP, or a windows machine ( win :), they may soon get an automated dos if they keep on :)) ). So I presume it's a win tool.

Any idea what the tool is? Any idea of a better defence (not that my site is world-writable but anyway..)

Thanks

p.s. There is a very famous WarezFTP site in Bulgaria, and I see them getting those same (in format) directories created, so it really seems like a scanner that just goes around mkdir'ing.

p.s.s Sorry for mentioning the un-masked hostnames, but I believe they deserve that.

Emil Popov
Primasoft Ltd.
emo () ds primasoft bg

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
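
An added example, not part of the original post: a Python sketch that correlates the syslog lines shown in the message by ftpd PID and reports hosts whose anonymous session attempted a timestamp-named mkdir. The sample lines and hostnames are constructed, and the "12 digits followed by p" pattern is an assumption drawn from the two directory names quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format quoted in the post
# (hostnames and addresses are placeholders, not from the original logs).
SAMPLE_LOG = """\
Aug 20 07:58:28 ds ftpd[7527]: connection from scanner1.example.net
Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM scanner1.example.net, guest@example.com
Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
Aug 20 08:10:02 ds ftpd[7601]: connection from mirror.example.org
Aug 20 08:10:03 ds ftpd[7601]: ANONYMOUS FTP LOGIN FROM mirror.example.org, user@example.org
Aug 20 08:10:09 ds ftpd[7601]: mkdir incoming-docs
Aug 20 09:00:00 ds ftpd[7700]: mkdir 010820090000p
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ ftpd\[(\d+)\]: (.*)$")
ANON = re.compile(r"^ANONYMOUS FTP LOGIN FROM ([^,\s]+)")
# Assumption: probe directories are 12 digits (a date/time stamp) followed
# by "p", matching the two names quoted in the post.
PROBE_DIR = re.compile(r"^mkdir (\d{12}p)$")


def find_write_probes(log_text):
    """Return {host: [dir names]} for anonymous sessions that attempted
    to create a timestamp-named directory."""
    anon_host = {}              # ftpd PID -> host of the anonymous session
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("connection from "):
            anon_host.pop(pid, None)    # PID reused by a new session
            continue
        login = ANON.match(msg)
        if login:
            anon_host[pid] = login.group(1)
            continue
        probe = PROBE_DIR.match(msg)
        if probe and pid in anon_host:  # mkdir with no known login is ignored
            hits[anon_host[pid]].append(probe.group(1))
    return dict(hits)


if __name__ == "__main__":
    for host, dirs in find_write_probes(SAMPLE_LOG).items():
        print(f"{host}: {len(dirs)} probe mkdir(s): {', '.join(dirs)}")
```

Keying on the directory-name pattern rather than on the source host gives a per-session signal, which matters here because the probes arrive from many unrelated ISPs.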