Security Incidents mailing list archives
interesting POP2/FTP connect pattern
From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Mon, 30 Oct 2000 11:02:57 -0500
hi all, wanted to chime in with a 'not your regular FTPd service sweep' report. perusing my logs this morning i came across a refused connection from saturday to various machines, all from the same source. two sgi workstations with locked FTP daemons and an anonymous FTP server all logged connections within the same time frame, but notice also that the server logged a failed POP2 connection (109/TCP). the SGI's don't log anything on POP2.

Oct 28 02:18:13 4C:sgi1 ftpd[72720]: refused connect from engrupo.com.mx
Oct 28 02:34:49 4C:sgi2 ftpd[14893]: refused connect from engrupo.com.mx
Oct 28 02:35:44 server kernel: TCP connection accepted: ip=132.247.1.1 port=21 uid=0 process=ncftpd[8556]
Oct 28 02:35:44 server kernel: TCP connection accepted: ip=132.247.1.1 port=109 uid=0 process=xinetd[50]

looks like someone has more than one trick up their sleeve, but still isn't being stealthy about it. sorry no packet dumps to provide you with.

jose nazario jose () biochemistry cwru edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
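The pattern in the post only shows up when logs from several hosts are read side by side: one source touching multiple machines and multiple services in a short span. The following added example (not part of the original post) parses the two log formats quoted above, the IRIX ftpd refusal and the Linux kernel accept line, and flags any source that hits more than one host or port within a time window. It assumes the year 2000 for the year-less syslog timestamps and that the hostname and the IP in the post refer to the same source, as the author states.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the four log lines quoted in the post above.
SAMPLE_LOG = """\
Oct 28 02:18:13 4C:sgi1 ftpd[72720]: refused connect from engrupo.com.mx
Oct 28 02:34:49 4C:sgi2 ftpd[14893]: refused connect from engrupo.com.mx
Oct 28 02:35:44 server kernel: TCP connection accepted: ip=132.247.1.1 port=21 uid=0 process=ncftpd[8556]
Oct 28 02:35:44 server kernel: TCP connection accepted: ip=132.247.1.1 port=109 uid=0 process=xinetd[50]
"""
LOG_YEAR = 2000  # assumption: syslog timestamps carry no year; the post is from Oct 2000
# Assumption: the name-logged refusals and the IP-logged accepts are the same source.
SOURCE_ALIASES = {"engrupo.com.mx": "132.247.1.1"}

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
# IRIX ftpd refusal; an optional "4C:" syslog tag precedes the hostname. A refused
# connect is on the FTP control port, so it is recorded as port 21.
FTPD_RE = re.compile(TS + r" (?:\w+:)?(?P<host>\S+) ftpd\[\d+\]: refused connect from (?P<src>\S+)")
# Linux kernel accept-logging line, which names the destination port explicitly.
KERNEL_RE = re.compile(TS + r" (?P<host>\S+) kernel: TCP connection accepted: ip=(?P<src>\S+) port=(?P<port>\d+)")


def parse_line(line):
    """Return (timestamp, host, source, port), or None for lines in neither format."""
    m, port = FTPD_RE.match(line), 21
    if not m:
        m = KERNEL_RE.match(line)
        if not m:
            return None
        port = int(m.group("port"))
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host"), SOURCE_ALIASES.get(m.group("src"), m.group("src")), port


def parse_log(text):
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def correlate(events, window_seconds=3600):
    """Flag sources that touched more than one host or service within
    window_seconds of their first logged event."""
    by_src = defaultdict(list)
    for ts, host, src, port in events:
        by_src[src].append((ts, host, port))
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        first = evs[0][0]
        hits = [e for e in evs if (e[0] - first).total_seconds() <= window_seconds]
        hosts, ports = {h for _, h, _ in hits}, {p for _, _, p in hits}
        if len(hosts) > 1 or len(ports) > 1:
            findings[src] = {"hosts": sorted(hosts), "ports": sorted(ports),
                             "span_seconds": int((hits[-1][0] - first).total_seconds())}
    return findings


if __name__ == "__main__":
    for src, f in correlate(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: hosts={f['hosts']} ports={f['ports']} over {f['span_seconds']}s")
```

On the four lines above this reports one source hitting three hosts and two ports (21 and 109) within about 17 minutes; a single host's log would show only one refused connect and never trigger.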