Security Incidents mailing list archives
RE: annoying ftp probes
From: "Skeeve Stevens" <skeeve () skeeve org>
Date: Sun, 26 Aug 2001 20:37:31 +1000
With this particular incident... send an email to abuse () telstra com with this log and they will kick the person... TMNS is Telstra Managed Network Services, and it looks like that particular link is a Cable connection.

...Skeeve
-----Original Message-----
From: Gregory McCann [mailto:cambria () owt com]
Sent: Tuesday, August 21, 2001 6:27 AM
To: incidents () securityfocus com
Cc: Mark Villanova; emo () ds primasoft bg
Subject: RE: annoying ftp probes

I've been seeing more aggressive attempts than that here. Here is a recent example. They attempt to CWD to a large number of common ftp directory names. If successful, they try to create a directory there. This user repeated the exact same scan five minutes later. (To save space I have only included the first one.)

"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGe R-O","nobody","[10/Aug/2001:19:49:24 -0700]","USER anonymous","331","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGe R-O","ftp","[10/Aug/2001:19:49:25 -0700]","PASS guest () here com","230","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGe R-O","ftp","[10/Aug/2001:19:49:25 -0700]","CWD /","250","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGe R-O","ftp","[10/Aug/2001:19:49:26 -0700]","MKD 010811125809p","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGe R-O","ftp","[10/Aug/2001:19:49:26 -0700]","CWD /public/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGe R-O","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /pub/incoming/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGe R-O","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /incoming/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGe R-O","ftp","[10/Aug/2001:19:49:28 -0700]","CWD /_vti_pvt/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGe R-O","ftp","[10/Aug/2001:19:49:28 -0700]","CWD /pub/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGe R-O","ftp","[10/Aug/2001:19:49:29 -0700]","CWD /upload/","250","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGe R-O","ftp","[10/Aug/2001:19:49:29 -0700]","MKD 010811125813p","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGe R-O","ftp","[10/Aug/2001:19:49:30 -0700]","CWD /~tmp/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGe R-O","ftp","[10/Aug/2001:19:49:30 -0700]","CWD /~temp/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGe R-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /tmp/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGe R-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /temp/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGe R-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /_vti_cfg/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGe R-O","ftp","[10/Aug/2001:19:49:32 -0700]","CWD /_vti_txt/","550","-","-","-"

-----Original Message-----
From: Emil Popov [mailto:emo () ds primasoft bg]
Sent: Monday, August 20, 2001 3:33 AM
To: incidents () securityfocus com
Subject: annoying ftp probes

Hi,

I have been getting some annoying connections to my ftpd like:

Aug 20 07:58:28 ds ftpd[7527]: connection from cc821361-d.vron1.nj.home.com
Aug 20 07:58:29 ds ftpd[7527]:ANONYMOUSFTP LOGIN FROM cc821361-d.vron1.nj.home.com, guest () here com
Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM ip-90-202.evc.net, guest () here com
Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
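The probe pattern in the logs quoted above (anonymous login, CWD into common directory names, MKD of a twelve-digit name ending in "p"), turned into a log check as an added example that is not part of the original thread. The sample lines, hosts, addresses, and the names `analyse` and `min_cwd` are constructed for illustration; only the field layout follows the quoted CSV log, and paths are assumed to be absolute as they are there.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the quoted-CSV layout of the log quoted above:
# host, ip, client string, user, timestamp, command, reply code, ...
SAMPLE_LOG = '''\
"c.example.net","192.0.2.10","-","ftp","[10/Aug/2001:19:49:25 -0700]","PASS guest@example.com","230","-","-","-"
"c.example.net","192.0.2.10","-","ftp","[10/Aug/2001:19:49:25 -0700]","CWD /","250","-","-","-"
"c.example.net","192.0.2.10","-","ftp","[10/Aug/2001:19:49:26 -0700]","MKD 010811125809p","550","-","-","-"
"c.example.net","192.0.2.10","-","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /pub/incoming/","550","-","-","-"
"c.example.net","192.0.2.10","-","ftp","[10/Aug/2001:19:49:29 -0700]","CWD /upload/","250","-","-","-"
"c.example.net","192.0.2.10","-","ftp","[10/Aug/2001:19:49:29 -0700]","MKD 010811125813p","257","-","-","-"
"m.example.org","198.51.100.7","-","ftp","[10/Aug/2001:20:01:02 -0700]","CWD /pub/","250","-","-","-"
"m.example.org","198.51.100.7","-","ftp","[10/Aug/2001:20:01:05 -0700]","RETR README","226","-","-","-"
'''

# Twelve digits plus "p", the directory-name shape seen in the thread's MKD attempts.
TAG_DIR = re.compile(r"^\d{12}p$")


def analyse(log_text, min_cwd=5):
    """Per source IP: flag writable-directory probing and list where MKD succeeded."""
    sessions = defaultdict(lambda: {"cwd": "/", "cwd_tried": 0, "mkd_tried": [], "writable": []})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7:
            continue  # blank or truncated line
        ip, command, code = row[1], row[5], row[6]
        verb, _, arg = command.partition(" ")
        s = sessions[ip]
        if verb == "CWD":
            s["cwd_tried"] += 1
            if code == "250":
                s["cwd"] = arg  # server accepted the directory change
        elif verb == "MKD":
            s["mkd_tried"].append(arg)
            if code == "257":  # 257 = directory created: anonymous write access
                s["writable"].append(s["cwd"])
    report = {}
    for ip, s in sessions.items():
        tagged = any(TAG_DIR.match(name) for name in s["mkd_tried"])
        probe = tagged or (s["cwd_tried"] >= min_cwd and bool(s["mkd_tried"]))
        report[ip] = {"probe": probe, "writable": s["writable"]}
    return report


if __name__ == "__main__":
    for ip, result in analyse(SAMPLE_LOG).items():
        print(ip, result)
```

A non-empty `writable` list is the finding to act on first: it names a directory where the anonymous account could create entries, so its permissions need tightening regardless of who probed it.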