Security Incidents mailing list archives
Re: annoying ftp probes
From: Emil Popov <emo () ds primasoft bg>
Date: Mon, 27 Aug 2001 11:20:15 +0000
Delivered-To: moderator for incidents () securityfocus com
Date: Tue, 21 Aug 2001 10:34:48 +0000
From: Emil Popov <emo () ds primasoft bg>
To: incidents () securityfocus com
Subject: Re: annoying ftp probes
User-Agent: Mutt/1.2.5i
In-Reply-To: <01082011103000.00977@localhost.localdomain>; from jcm () despair mainland cc tx us on Mon, Aug 20, 2001 at 11:10:30AM -0500
Hello,

Is this a production ftp server, or just your personal machine? I ask because if it is only your machine, running sshd and ssh'n into the machine and turning on your ftp server only when you need it. If it is a production server, how large of a client base do you have? Might it be easier to make a hosts.allow, instead of denying every ftp scan you get?

As for what ftp scanner it might be, it could really be anything, as almost all ftp exploits in the wild need anon+world writable dir to run their respective sploit. I would also shy away from automating nmap's or DoS's to these hosts in your logs, as they may be (and probably are) spoofed in some way or another.

If we could please have some more info on the purpose/use of your ftp server, I'm sure you would get more helpful and intelligent responses than the one I have given you.

Good Luck,
Ok, it's an FTP srv that is shared among some of my colleagues, and is pretty useful, so I don't want to shut it down (not all of the people using it can use scp). Using hosts.allow seems reasonable, but there still are people that I trust, who connect from dial-up or other sorts of "floating IPs".

About nmap'ing, I have been adding whole distant ISP domains, that I am sure no friend of mine is using, but my main idea behind those scans is to learn as much as possible about those guys. I really doubt they are spoofing the addresses. Most of those kiddies, if they really are, will be counting on the dynamic IP that their ISP assigns them and will think they are untraceable.

Someone in the thread mentioned that those guys will start uploading files when they find a writable dir, and yes, in the past, I had accidentally left such a dir, and they were able to upload some 350M movie until I killed the srv for a moment of inspection.

Thanks to everyone, especially to those who pointed me to some software. I really am more calm when I have examined the tools that others use against me.

BTW, I use OpenBSD with the default ftpd, so I'm pretty confident when script kiddies try their tools on it, but please, if you think it's wrong, notify me, I MAY BE WRONG.

Thanks again to everyone

Emil Popov

----- End forwarded message -----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com