Security Incidents mailing list archives

ftp scan (was Re: web related oddity)


From: poptix () HYDROGEN POPTIX NET (Matthew S. Hallacy)
Date: Wed, 8 Mar 2000 13:19:29 -0600


(Oops, I accidentally pasted that subject in the original message)

Now that I'm here at work I've talked to our helpdesk and we did have a
customer report that he also was scanned last night on his dedicated
connection (different /24), quite odd.

On Wed, 8 Mar 2000, Bill Pennington wrote:

Someone scanned a few boxes in my address space for FTP servers yesterday as
well.

Snort log:

Mar  7 16:01:19 @homeIP:4874 -> 1.2.3.232:21 SYN **S*****
Mar  7 16:01:25 @homeIP:4870 -> 1.2.3.228:21 SYN **S*****
Mar  7 16:01:25 @homeIP:4871 -> 1.2.3.229:21 SYN **S*****
Mar  7 16:01:25 @homeIP:4874 -> 1.2.3.232:21 SYN **S*****
Mar  7 16:01:25 @homeIP:4868 -> 1.2.3.226:21 SYN **S*****
Mar  7 16:01:25 @homeIP:4872 -> 1.2.3.230:21 SYN **S*****
Mar  7 16:01:25 @homeIP:4869 -> 1.2.3.227:21 SYN **S*****

Since I don't run any ftp services I assume he/she moved on. I have no
further activity from this IP address.
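
The following is an added example, not part of the original messages: a small parser for the log format quoted above that flags one source sending SYNs to many distinct hosts on the same port, and counts repeated SYNs. The function names, the 5-host threshold, the 60-second window, and the year 2000 (taken from the message date, since the log lines carry none) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# The seven Snort lines quoted in the message above, verbatim.
SAMPLE_LOG = """\
Mar  7 16:01:19 @homeIP:4874 -> 1.2.3.232:21 SYN **S*****
Mar  7 16:01:25 @homeIP:4870 -> 1.2.3.228:21 SYN **S*****
Mar  7 16:01:25 @homeIP:4871 -> 1.2.3.229:21 SYN **S*****
Mar  7 16:01:25 @homeIP:4874 -> 1.2.3.232:21 SYN **S*****
Mar  7 16:01:25 @homeIP:4868 -> 1.2.3.226:21 SYN **S*****
Mar  7 16:01:25 @homeIP:4872 -> 1.2.3.230:21 SYN **S*****
Mar  7 16:01:25 @homeIP:4869 -> 1.2.3.227:21 SYN **S*****
"""

LINE_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+"
    r"(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+SYN\b")

def parse(log, year=2000):
    """Yield (time, src, sport, dst, dport) per SYN line; the year is assumed."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            mon, day, clock, src, sport, dst, dport = m.groups()
            ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
            yield ts, src, int(sport), dst, int(dport)

def horizontal_scans(log, min_hosts=5, window=timedelta(seconds=60)):
    """Return {(src, dport): targets} where src hit >= min_hosts hosts in window."""
    events = defaultdict(list)
    for ts, src, _sport, dst, dport in sorted(parse(log)):
        events[(src, dport)].append((ts, dst))
    hits = {}
    for key, evs in events.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            targets = {dst for _, dst in evs[start:end + 1]}
            if len(targets) >= min_hosts:
                hits.setdefault(key, set()).update(targets)
    return {k: sorted(v) for k, v in hits.items()}

def retransmits(log):
    """Return repeated (src, sport, dst, dport) tuples, i.e. the same SYN seen again."""
    seen = defaultdict(int)
    for _ts, src, sport, dst, dport in parse(log):
        seen[(src, sport, dst, dport)] += 1
    return {k: n for k, n in seen.items() if n > 1}
```

On the quoted lines this reports six distinct targets on port 21 within six seconds, and one repeated SYN from source port 4874 to 1.2.3.232.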


