Security Incidents mailing list archives
higher then normal anon FTP scanning
From: Silent Bob <phoenix () notwise net>
Date: Mon, 8 Oct 2001 13:24:16 -0500 (CDT)
I havent seen anything about this but in the past week Ive seen a lot more scripted ftp site scanning, much of it from boxes that have previously probed with nimda (malicious remote control?) sample log follows. for the record the anon ftp server here doesnt allow upload so this is just an annoyance. Oct 8 13:13:19 notwise ftpd[3125]: USER anonymous Oct 8 13:13:19 notwise ftpd[3125]: PASS Jgpuser () home com Oct 8 13:13:19 notwise ftpd[3125]: ANONYMOUS FTP LOGIN FROM AAnnecy-101-1-4-58.abo.wanadoo.fr [193.251.17.58], Jgpuser () home com Oct 8 13:13:20 notwise ftpd[3125]: CWD /pub/ Oct 8 13:13:20 notwise ftpd[3125]: MKD 011008201323p Oct 8 13:13:20 notwise ftpd[3125]: CWD /public/ Oct 8 13:13:21 notwise ftpd[3125]: CWD /pub/incoming/ Oct 8 13:13:21 notwise ftpd[3125]: CWD /incoming/ Oct 8 13:13:22 notwise ftpd[3125]: CWD /_vti_pvt/ Oct 8 13:13:23 notwise ftpd[3125]: CWD / Oct 8 13:13:23 notwise ftpd[3125]: MKD 011008201326p Oct 8 13:13:24 notwise ftpd[3125]: CWD /upload/ Oct 8 13:13:24 notwise ftpd[3125]: FTP session closed -- Bob MCSE Microsoft Certified System Eliminator The best way to accelerate a windows box is at 9.8 meters per second square. All your tanks are belong to me. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- higher then normal anon FTP scanning Silent Bob (Oct 08)