Re: annoying ftp probes

[Emil Popov <emo () ds primasoft bg>]

Delivered-To: moderator for incidents () securityfocus com
Date: Tue, 21 Aug 2001 10:34:48 +0000
From: Emil Popov <emo () ds primasoft bg>
To: incidents () securityfocus com
Subject: Re: annoying ftp probes
User-Agent: Mutt/1.2.5i
In-Reply-To: <01082011103000.00977@localhost.localdomain>; from jcm () despair mainland cc tx us on Mon, Aug 20, 2001 
at 11:10:30AM -0500

> Hello, 
> Is this a production ftp server , or just your personal machine ? I ask 
> because if it is only your machine, running sshd and ssh'n into the machine 
> and turning on your ftp server only when you need it. If it is a production 
> server , how large of a client base do you have ? Might it be easier to make 
> a hosts.allow , instead of denying every ftp scan you get ? As for what frp 
> scanner it might be, it could really be anything, as almost all ftp exploits 
> in the wild need anon+world writable dir to run their respective sploit. I 
> would also shy away from automating nmap's or DoS's to these hosts in your 
> logs, as they may be (and probably are) spoofed in some way or another. If we 
> could please have some more info on the purpose/use of your ftp server, Im 
> sure you would get more helpful and intellegent responses than the one I have 
> given you. Good Luck, 

Ok, it's an FTP srv that is shared among some of my colegues, and is
pretty useful, so i don't want to shut it down (not all of the
people using it can use scp). Using hosts.allow seams reasonable, but
there still are people that i trust, who connect from dial'up or other
sorts of "floating IPs". About nmap'ing, I have been adding whole distant
isp domains, that i am sure no friend of mine is using, but my main idea
behind those scans is to learn as much as possible about those guys.
I really doubt they are spoofing the addresses, Most of those kiddies,
if they really are will be counting on the dynamic IP that their ISP
assigns them and will think they are untraceble.

Someone in the thread mentioned that those guys will start
uploading files when they find a writable dir, and yes,
in the past, i had accidently left such a dir, and they were
able to upload some 350M movie until i killed the srv for a
moment of inspection.

Thanks to everyone, elpecially to those who pointed me to
some software, I relly am more calm when I have examined the
tools that others use against me.

BTW. I use OpenBSD with the deafault ftpd, so i'm pretty
confident when skript kiddies try their tools on it, but
please if you think it's wrong, notify me, I MAY BE WRING.

Thanks again to everyone

Emil Popov


----- End forwarded message -----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com