Security Incidents mailing list archives
ftp scan (was Re: web related oddity)
From: poptix () HYDROGEN POPTIX NET (Matthew S. Hallacy)
Date: Wed, 8 Mar 2000 13:19:29 -0600
(Oops, i accidently pasted that subject in the original message) Now that I'm here at work I've talked to our helpdesk and we did have a customer report that he also was scanned lastnight on his dedicated connection (different /24) quite odd. On Wed, 8 Mar 2000, Bill Pennington wrote:
Some scan a few boxes in my address space for FTP servers yesterday as well. Snort log: Mar 7 16:01:19 @homeIP:4874 -> 1.2.3.232:21 SYN **S***** Mar 7 16:01:25 @homeIP:4870 -> 1.2.3.228:21 SYN **S***** Mar 7 16:01:25 @homeIP:4871 -> 1.2.3.229:21 SYN **S***** Mar 7 16:01:25 @homeIP:4874 -> 1.2.3.232:21 SYN **S***** Mar 7 16:01:25 @homeIP:4868 -> 1.2.3.226:21 SYN **S***** Mar 7 16:01:25 @homeIP:4872 -> 1.2.3.230:21 SYN **S***** Mar 7 16:01:25 @homeIP:4869 -> 1.2.3.227:21 SYN **S***** Sinc I don't run any ftp services I assume he/she moved on. I have no further activity from this IP address.
Current thread:
- Re: web related oddity Oliver Friedrichs (Feb 29)
- <Possible follow-ups>
- Re: web related oddity Richard Bejtlich (Mar 04)
- Port 33434 and decoy-scanning Jan Roger Wilkens (Mar 08)
- Re: Port 33434 and decoy-scanning Pete Clements (Mar 08)
- Re: Port 33434 and decoy-scanning Ryan Russell (Mar 09)
- Port 33434 and decoy-scanning Jan Roger Wilkens (Mar 08)
- Re: web related oddity Ryan Russell (Mar 08)
- Re: web related oddity Christopher L. Morrow (Mar 08)
- Re: web related oddity Donald McLachlan (Mar 07)
- Re: web related oddity Matthew S. Hallacy (Mar 08)
- Re: web related oddity Bill Pennington (Mar 08)
- ftp scan (was Re: web related oddity) Matthew S. Hallacy (Mar 08)
- Re: web related oddity Matthew S. Hallacy (Mar 08)