Security Incidents mailing list archives
distributed ftp scan
From: Russell Fulton <r.fulton () auckland ac nz>
Date: 18 Apr 2002 15:01:13 +1200
Early this morning (local time 0500 - UTC+1200) we detected a what appeared to be a distributed scan of ftp ports. 10 source addresses were involved and each source scanned addresses going up in steps of 21 addresses. All started from the same block of 21 addresses. The scan rates varied between the sources with some probing at the rate of 1 destination address per minute and others at up to 3 per minute. They found several ftp servers and several of the sources established TCP connections to retrieve banners so I don't believe that this was a decoy scan. Here is a list of the IPs involved: 193.92.189.98 195.199.85.93 24.203.213.246 200.207.15.4 212.249.12.194 24.232.88.160 212.72.11.26 62.110.245.69 213.53.232.131 202.84.178.1 -- Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- distributed ftp scan Russell Fulton (Apr 18)