Security Incidents mailing list archives

interesting POP2/FTP connect pattern


From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Mon, 30 Oct 2000 11:02:57 -0500

hi all,

wanted to chime in with a 'not your regular FTPd service sweep' report.
perusing my logs this morning i came across a refused connection from
saturday to various machines, all from the same source. two sgi
workstations with locked FTP daemons and an anonymous FTP server all
logged connections within the same time frame, but notice also that the
server logged a failed POP2 connection (109/TCP). the SGIs don't log
anything on POP2.

Oct 28 02:18:13 4C:sgi1 ftpd[72720]: refused connect from engrupo.com.mx

Oct 28 02:34:49 4C:sgi2 ftpd[14893]: refused connect from engrupo.com.mx

Oct 28 02:35:44 server kernel: TCP connection accepted: ip=132.247.1.1
port=21 uid=0 process=ncftpd[8556]
Oct 28 02:35:44 server kernel: TCP connection accepted: ip=132.247.1.1
port=109 uid=0 process=xinetd[50]

looks like someone has more than one trick up their sleeve, but still
isn't being stealthy about it. sorry no packet dumps to provide you with.

jose nazario                                    jose () biochemistry cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
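
The pattern Jose describes (one source hitting FTP on several hosts and POP2 on one of them, all within a few minutes) is the sort of thing worth correlating automatically rather than spotting by eye. The following is an added example, not code from the original post or from its author: a small Python script that parses the two syslog formats quoted above (the ftpd "refused connect from" line and the kernel "TCP connection accepted" line) and flags any source that touches more than one host or more than one port within a time window. The hostname-to-address mapping is an assumption taken from the post's statement that all hits came from the same source; the year (syslog omits it) and the extra 10.0.0.5 line are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the four log lines quoted in the post (the kernel
# lines rejoined onto one line each) plus one made-up benign line (10.0.0.5)
# so the correlation has something to leave alone.
SAMPLE_LOGS = """\
Oct 28 02:18:13 4C:sgi1 ftpd[72720]: refused connect from engrupo.com.mx
Oct 28 02:34:49 4C:sgi2 ftpd[14893]: refused connect from engrupo.com.mx
Oct 28 02:35:44 server kernel: TCP connection accepted: ip=132.247.1.1 port=21 uid=0 process=ncftpd[8556]
Oct 28 02:35:44 server kernel: TCP connection accepted: ip=132.247.1.1 port=109 uid=0 process=xinetd[50]
Oct 28 09:12:01 server kernel: TCP connection accepted: ip=10.0.0.5 port=21 uid=0 process=ncftpd[8602]
"""

# Assumption (from the post's claim that every hit was "from the same
# source"): the SGIs log a hostname while the server logs an address, so a
# name-to-address mapping is needed to join them. Not verified here.
KNOWN_RESOLUTIONS = {"engrupo.com.mx": "132.247.1.1"}

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
FTPD_REFUSED = re.compile(
    SYSLOG_TS + r" (?P<host>\S+) ftpd\[\d+\]: refused connect from (?P<src>\S+)$")
KERNEL_ACCEPT = re.compile(
    SYSLOG_TS + r" (?P<host>\S+) kernel: TCP connection accepted: "
    r"ip=(?P<src>\S+) port=(?P<port>\d+) uid=\d+ process=(?P<proc>\S+)$")


def parse_line(line, year=2000, known=KNOWN_RESOLUTIONS):
    """Turn one syslog line into an event dict, or None if it is not a
    connection record we understand. Syslog has no year, so one is supplied."""
    m = FTPD_REFUSED.match(line)
    port = 21  # a refusal logged by ftpd is, by definition, on the FTP port
    if not m:
        m = KERNEL_ACCEPT.match(line)
        if not m:
            return None
        port = int(m.group("port"))
    ts = datetime.strptime(f"{year} {' '.join(m.group('ts').split())}",
                           "%Y %b %d %H:%M:%S")
    src = m.group("src")
    return {"ts": ts, "host": m.group("host"),
            "src": known.get(src, src), "port": port}


def correlate(logs, window_seconds=3600, year=2000, known=KNOWN_RESOLUTIONS):
    """Group events by canonical source and flag any source whose events fall
    within one window and touch more than one host or more than one port.
    Returns {source: {"hosts": [...], "ports": [...], "span_seconds": n}}."""
    by_src = defaultdict(list)
    for line in logs.splitlines():
        ev = parse_line(line, year=year, known=known)
        if ev:
            by_src[ev["src"]].append(ev)
    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        span = (events[-1]["ts"] - events[0]["ts"]).total_seconds()
        hosts = sorted({e["host"] for e in events})
        ports = sorted({e["port"] for e in events})
        if span <= window_seconds and (len(hosts) > 1 or len(ports) > 1):
            findings[src] = {"hosts": hosts, "ports": ports,
                             "span_seconds": int(span)}
    return findings


if __name__ == "__main__":
    for src, f in correlate(SAMPLE_LOGS).items():
        print(f"{src}: hosts {f['hosts']}, ports {f['ports']} "
              f"within {f['span_seconds']}s")
```

Run against the sample, it reports 132.247.1.1 touching three hosts and two ports (21 and 109) within 1051 seconds, and says nothing about 10.0.0.5. The span check here is the whole first-to-last interval for a source, which is enough for a log this short; on a busy host you would replace it with a sliding window so a source seen once a day does not defeat the threshold, and you would feed the hostname-to-address map from your own resolver logs rather than hard-coding it.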

