Security Incidents mailing list archives

Wide Spread TCP 21 -> 21 (SF) Sweep


From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Sat, 4 Nov 2000 13:09:06 -0600

I am noticing what must be a HUGE FTP scan going on, as two completely
unrelated networks saw the same thing about 10 hours apart.

X = wireweb network
Y = jump.net network

2000-11-03 14:42:04 203.59.72.172:21 > 216.3.228.XA:21 [3] (ttl 15 len 40)

2000-11-04 00:11:58 203.59.72.172:21 > 216.30.16.YA:21 [3] (ttl 26 len 40)
2000-11-04 00:11:58 203.59.72.172:21 > 216.30.16.YB:21 [3] (ttl 26 len 40)
2000-11-04 00:11:58 203.59.72.172:21 > 216.30.16.YC:21 [3] (ttl 26 len 40)
2000-11-04 00:11:58 203.59.72.172:21 > 216.30.16.YD:21 [3] (ttl 26 len 40)
2000-11-04 00:11:59 203.59.72.172:21 > 216.30.16.YE:21 [3] (ttl 26 len 40)
2000-11-04 00:11:59 203.59.72.172:21 > 216.30.16.YF:21 [3] (ttl 26 len 40)
2000-11-04 00:11:59 203.59.72.172:21 > 216.30.16.YG:21 [3] (ttl 26 len 40)
2000-11-04 00:13:50 203.59.72.172:21 > 216.30.38.YH:21 [3] (ttl 26 len 40)
2000-11-04 00:13:50 203.59.72.172:21 > 216.30.38.YI:21 [3] (ttl 26 len 40)
2000-11-04 00:14:05 203.59.72.172:21 > 216.30.41.YJ:21 [3] (ttl 26 len 40)
2000-11-04 00:14:05 203.59.72.172:21 > 216.30.41.YK:21 [3] (ttl 26 len 40)

Since it appears to be a sequential scan, I did the math to determine exactly
how many hosts were being scanned per second, and can guesstimate when this kid
will scan your network (if it's in the 216.x.x.x block).  If you see this
scan and feel like comparing notes, drop me a line.

All times are in CST.

Hosts-Per-Second: 45-50
45 hosts/sec from net X -> Y inclusive
50 hosts/sec from first Y to last Y

The address reverse resolves to: reggae-05-172.nv.iinet.net.au
This host appears to be a Linux machine running a vulnerable version
of wu-ftpd.  It is unlikely that this is anything but an 0wned machine,
because the kiddie should have enough sense to patch his own box for
the vuln. he/she is scanning for.

-HD


http://www.digitaldefense.net (work)
http://www.digitaloffense.net (play)


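A worked version of the rate and arrival-time calculation the post describes, added here as an example; it is not code from the post or from H D Moore. The log lines are constructed in the same format as the ones above, with hypothetical last octets (the post masks them), and the bracketed field is assumed to be the TCP flags byte, so [3] = SYN|FIN, matching the "(SF)" in the subject. Timestamps are treated as naive local time (CST, as in the post).

```python
"""Estimate the rate of a sequential TCP sweep from firewall-style log lines
and extrapolate when it should reach a given address or network.

Added example, not code from the mailing-list post.  Assumptions: the log
format matches the post's lines, the bracketed number is the TCP flags byte
(0x03 = SYN|FIN), and the scanner walks the address space in ascending order.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log (last octets are hypothetical).  The 10.0.0.9 line is
# a plain SYN from another source and should be filtered out as noise.
SAMPLE_LOG = """\
2000-11-03 14:42:04 203.59.72.172:21 > 216.3.228.10:21 [3] (ttl 15 len 40)
2000-11-04 00:11:58 203.59.72.172:21 > 216.30.16.5:21 [3] (ttl 26 len 40)
2000-11-04 00:11:59 203.59.72.172:21 > 216.30.16.77:21 [3] (ttl 26 len 40)
2000-11-04 00:12:30 10.0.0.9:1234 > 216.30.16.20:21 [2] (ttl 64 len 44)
2000-11-04 00:13:50 203.59.72.172:21 > 216.30.38.12:21 [3] (ttl 26 len 40)
2000-11-04 00:14:05 203.59.72.172:21 > 216.30.41.200:21 [3] (ttl 26 len 40)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\[(?P<flags>\d+)\] \(ttl (?P<ttl>\d+) len (?P<len>\d+)\)$"
)

TCP_FIN = 0x01
TCP_SYN = 0x02


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),  # naive local time
        "src": ipaddress.ip_address(d["src"]),
        "sport": int(d["sport"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
        "flags": int(d["flags"]),  # assumed: raw TCP flags byte
        "ttl": int(d["ttl"]),
        "len": int(d["len"]),
    }


def is_sf_probe(hit):
    """SYN+FIN from port 21 to port 21.  SYN and FIN never occur together in a
    legitimate handshake, so this combination alone is a scanner signature."""
    sf = TCP_SYN | TCP_FIN
    return hit["sport"] == 21 and hit["dport"] == 21 and hit["flags"] & sf == sf


def sweep_hits(log_text, src=None):
    """All SF probes in the log (optionally from one source), oldest first."""
    hits = [h for h in map(parse_line, log_text.splitlines()) if h and is_sf_probe(h)]
    if src is not None:
        src_ip = ipaddress.ip_address(src)
        hits = [h for h in hits if h["src"] == src_ip]
    return sorted(hits, key=lambda h: h["ts"])


def scan_rate(hits):
    """Hosts per second between the first and last hit, assuming the scanner
    walks the address space sequentially (the gaps between logged hits are
    addresses that were probed but not logged by our sensors)."""
    first, last = hits[0], hits[-1]
    span = int(last["dst"]) - int(first["dst"])
    secs = (last["ts"] - first["ts"]).total_seconds()
    if span <= 0 or secs <= 0:
        raise ValueError("need two hits with increasing address and time")
    return span / secs


def predict_arrival(hits, target):
    """Estimated time the sweep reaches `target`, or None if already past it."""
    rate = scan_rate(hits)
    last = hits[-1]
    remaining = int(ipaddress.ip_address(target)) - int(last["dst"])
    if remaining < 0:
        return None
    return last["ts"] + timedelta(seconds=remaining / rate)


if __name__ == "__main__":
    hits = sweep_hits(SAMPLE_LOG, "203.59.72.172")
    print(f"{len(hits)} SF probes, {scan_rate(hits):.1f} hosts/sec overall, "
          f"{scan_rate(hits[1:]):.1f} hosts/sec within the second network")
    print("ETA at 216.40.0.0:", predict_arrival(hits, "216.40.0.0"))
```

The overall rate is dominated by the long gap between the two networks, so it is the better estimate for a sweep that is hours away; the within-network rate tells you how fast the scanner moves once it is on your block. Either figure is only as good as the sequential-scan assumption, which a single out-of-order hit would invalidate.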