Security Incidents mailing list archives
some recent action: ftpd sweeps, 9704/tcp checks, sub7 2.1
From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Mon, 2 Oct 2000 12:21:22 -0400
[yeah, it's a bit lengthy, mostly log info.]

hi all,

seen some recent activity i wanted to share with everyone. i was reading my logs this morning and saw an incident from bellsouth.net, and honestly, was reluctant to report it to them (i'll post the specific info later, i expect). in short, i'm being reminded of what i heard ralph nader say at a talk i heard him give last week: large companies tend to know that they can shift the burden of any work to you, saving them some time and money. you'll usually give up in exasperation, and all that it cost them was a fraction of the time you spent digging around. this has got to change. you know who you are, we know who you are.

ok, on to the info:

FTP scans are on the rise. so say CERT, so say many of us. some examples:

IP: 213.51.36.116
hostname: cp7990-a.venra1.lb.nl.home.com
status: contacted (29 Sep 2000). received both autoresponse (in two languages) and written "we're investigating" reply.

from a development Linux station:

2000/09/27 5:49:22 AM - < 0>- New FTP connection: 213.51.36.116
2000/09/27 5:49:22 AM - Unregistered version may only use the default welcome text.
2000/09/27 5:49:23 AM - < 0>-- FTP: Showing entry and asking Username.
2000/09/27 5:49:23 AM - < 0>-- Asking password.
2000/09/27 5:49:23 AM - < 0>Anonymous FTP user: ANON () XFER COM
2000/09/27 5:49:23 AM - < 0> Authenticated: ANONYMOUS.
2000/09/27 5:49:23 AM - < 0>ANONYMOUS-- Processing request .
2000/09/27 5:49:23 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:23 AM - < 0>ANONYMOUS-- Processing request CWD /PUB/.
2000/09/27 5:49:24 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:24 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:24 AM - < 0>ANONYMOUS-- Processing request CWD PUBLIC/INCOMING/.
2000/09/27 5:49:24 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:24 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:24 AM - < 0>ANONYMOUS-- Processing request CWD /PUB/INCOMING/.
2000/09/27 5:49:25 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:25 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:25 AM - < 0>ANONYMOUS-- Processing request CWD /INCOMING/.
2000/09/27 5:49:25 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:25 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:26 AM - < 0>ANONYMOUS-- Processing request CWD /UPLOAD/.
2000/09/27 5:49:26 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:26 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:26 AM - < 0>ANONYMOUS-- Processing request CWD /_VTI_PVT/.
2000/09/27 5:49:26 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:26 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:26 AM - < 0>ANONYMOUS-- Processing request CWD /_VTI_TXT/.
2000/09/27 5:49:27 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:27 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:27 AM - < 0>ANONYMOUS-- Processing request CWD /_VTI_LOG/.
2000/09/27 5:49:27 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:27 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:27 AM - < 0>ANONYMOUS-- Processing request CWD /WWWROOT/.
2000/09/27 5:49:27 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:28 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:28 AM - < 0>ANONYMOUS-- Processing request CWD /ANONYMOUS/.
2000/09/27 5:49:28 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:28 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:28 AM - < 0>ANONYMOUS-- Processing request CWD /PUBLIC/.
2000/09/27 5:49:28 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:28 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:29 AM - < 0>ANONYMOUS-- Processing request CWD /OUTGOING/.
2000/09/27 5:49:29 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:29 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:29 AM - < 0>ANONYMOUS-- Processing request CWD /CGI-BIN/.
2000/09/27 5:49:29 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:29 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:30 AM - < 0>ANONYMOUS-- Processing request CWD /TMP/.
2000/09/27 5:49:30 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:30 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:30 AM - < 0>ANONYMOUS-- Processing request CWD /ANONYMOUS/_VTI_PVT/.
2000/09/27 5:49:30 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:30 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:30 AM - < 0>ANONYMOUS-- Processing request CWD /ANONYMOUS/INCOMING/.
2000/09/27 5:49:31 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:31 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:31 AM - < 0>ANONYMOUS-- Processing request CWD /MAILROOT/.
2000/09/27 5:49:31 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:31 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:31 AM - < 0>ANONYMOUS-- Processing request CWD /FTPROOT/.
2000/09/27 5:49:32 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:32 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:32 AM - < 0>ANONYMOUS-- Processing request CWD /ANONYMOUS/PUB/.
2000/09/27 5:49:32 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:32 AM - < 0>ANONYMOUS-Client disconnected, so will we.

(from a mail and file server offering ANONYMOUS FTP service to the world)

Sep 27 05:59:55 server kernel: TCP connection accepted: ip=213.51.36.116 port=21 uid=0 process=ncftpd[26341]
** ONLY CWRU BIOCHEMISTRY IS AUTHORIZED TO CONNECT TO THESE MACHINES ***

(from an SGI workstation)

Sep 27 05:43:42 4C:sgi1 ftpd[39866]: refused connect from cp7990-a.venra1.lb.nl.home.com

(from another SGI workstation)

Sep 27 06:00:13 4C:sgi2 ftpd[7611]: refused connect from cp7990-a.venra1.lb.nl.home.com

-------------------------------------------------

been seeing a lot of 9704/TCP attempts. see the CERT note (1) for why:

network: bridgeband.net
status: contacted (29 Sep 2000). reply: "Our engineering team is currently investigating this issue."

Sep 29 07:23:51 server kernel: TCP connection rejected from 199.2.135.67, port 9704

+++ yet another 9704/TCP check

network: concentric.net
status: contacted (1 Oct 2000). autoreply. (they seem better set up for spam, methinks.)

Sep 30 05:07:28 server kernel: TCP connection rejected from 209.31.235.33, port 9704

-------------------------------------------------

and life wouldn't be complete without some Sub7 2.1 action (27374/TCP):

network: rr.com
status: contacted (29 Sep 2000). autoresponse.

Sep 29 03:14:07 server kernel: TCP connection rejected from 24.28.55.244, port 27374

All times are EDT (GMT-4).

the FTP sweeps and attempts are pretty run of the mill, probably some warez kiddies using an automated scanner. good god, kids, if you're reading this, please get a clue and be less noisy. the 9704/TCP sweeps are probably doing a fingerprint of the OS and then checking for the recent rpc.statd effects. and the Sub7 is quite run of the mill *yawn*.

interestingly i haven't caught many portscans lately, which made me check to make sure the detection module hadn't barfed out and segfaulted (it hasn't). if any kiddies are reading this and want to learn how to avoid detection, i say "get a clue."

notes:
1. http://www.cert.org/advisories/CA-2000-17.html

thanks all, keep the peace. and to the ISPs who can't be good citizens, we're watching you closely.

jose nazario jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
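The FTP log above shows the signature of an automated writable-directory sweep: one anonymous session walking a fixed list of candidate directories and issuing MKD with the same marker name in each, a few per second, then disconnecting. The kernel lines show single rejected connections on 9704/TCP and 27374/TCP. The following is an added example, not code from the post or its author, that turns both observations into detection logic: it parses log lines in the two formats quoted above (the sample lines and addresses below are constructed for the example, not taken from the post) and flags sessions that attempt MKD in several distinct directories inside a short window, while counting rejected connections per destination port.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample lines in the format of the FTP server log quoted in the post.
# Addresses are from documentation ranges, not real scanners.
FTP_LOG = """\
2000/09/27 5:49:22 AM - < 0>- New FTP connection: 192.0.2.10
2000/09/27 5:49:22 AM - Unregistered version may only use the default welcome text.
2000/09/27 5:49:23 AM - < 0> Authenticated: ANONYMOUS.
2000/09/27 5:49:23 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:23 AM - < 0>ANONYMOUS-- Processing request CWD /PUB/.
2000/09/27 5:49:24 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:24 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:24 AM - < 0>ANONYMOUS-- Processing request CWD /INCOMING/.
2000/09/27 5:49:25 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:25 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:26 AM - < 0>ANONYMOUS-- Processing request CWD /UPLOAD/.
2000/09/27 5:49:26 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:27 AM - < 0>ANONYMOUS-Client disconnected, so will we.
2000/09/27 9:12:01 AM - < 0>- New FTP connection: 192.0.2.44
2000/09/27 9:12:02 AM - < 0> Authenticated: ANONYMOUS.
2000/09/27 9:12:05 AM - < 0>ANONYMOUS-- Processing request CWD /PUB/.
2000/09/27 9:12:09 AM - < 0>ANONYMOUS-- Processing request RETR README.
2000/09/27 9:12:20 AM - < 0>ANONYMOUS-Client disconnected, so will we.
"""

# Constructed sample lines in the format of the kernel log quoted in the post.
KERNEL_LOG = """\
Sep 29 07:23:51 server kernel: TCP connection rejected from 198.51.100.7, port 9704
Sep 29 03:14:07 server kernel: TCP connection rejected from 198.51.100.9, port 27374
Sep 30 05:07:28 server kernel: TCP connection rejected from 203.0.113.5, port 9704
"""

# Port annotations as the post describes them (assumed labels for the report only).
PORT_NOTES = {9704: "checks following the rpc.statd advisory (CERT CA-2000-17)",
              27374: "Sub7 2.1 default port"}

LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) - <\s*(?P<conn>\d+)>(?P<msg>.*)$")
NEW_CONN_RE = re.compile(r"New FTP connection: (?P<ip>\S+)")
AUTH_RE = re.compile(r"Authenticated: (?P<user>\w+)\.")
REQ_RE = re.compile(r"Processing request (?P<cmd>[A-Z]+)(?: (?P<arg>.*?))?\.$")
REJECT_RE = re.compile(r"TCP connection rejected from (?P<ip>\S+), port (?P<port>\d+)")


@dataclass
class Session:
    ip: str
    user: str = "?"
    cwd: str = "/"                                # server logs no initial CWD; assume root
    mkd: list = field(default_factory=list)       # (timestamp, directory, requested name)


def parse_ftp_log(text):
    """Rebuild per-connection sessions from the server's request log."""
    sessions, active = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                              # banner lines carry no connection id
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %I:%M:%S %p")
        conn, msg = m["conn"], m["msg"]
        nc = NEW_CONN_RE.search(msg)
        if nc:
            active[conn] = Session(ip=nc["ip"])
            sessions.append(active[conn])
            continue
        s = active.get(conn)
        if s is None:
            continue
        au = AUTH_RE.search(msg)
        if au:
            s.user = au["user"]
            continue
        rq = REQ_RE.search(msg)
        if rq:
            cmd, arg = rq["cmd"], rq["arg"] or ""
            if cmd == "CWD":
                s.cwd = arg                       # track where the next MKD would land
            elif cmd == "MKD":
                s.mkd.append((ts, s.cwd, arg))
        elif "Client disconnected" in msg:
            active.pop(conn, None)
    return sessions


def find_mkd_sweeps(sessions, min_dirs=3, window_seconds=60):
    """Flag sessions that try MKD in at least min_dirs distinct directories
    within window_seconds: the writable-directory probe pattern seen above."""
    hits = []
    for s in sessions:
        attempts = sorted(s.mkd)
        for i, (start, _, _) in enumerate(attempts):
            dirs = set()
            for ts, d, _ in attempts[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                dirs.add(d)
            if len(dirs) >= min_dirs:
                hits.append({"ip": s.ip, "user": s.user, "distinct_dirs": len(dirs),
                             "names": sorted({n for _, _, n in attempts}), "first": start})
                break
    return hits


def count_rejected_by_port(text):
    """Count kernel-rejected TCP connections per destination port."""
    counts = Counter()
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            counts[int(m["port"])] += 1
    return counts


if __name__ == "__main__":
    for h in find_mkd_sweeps(parse_ftp_log(FTP_LOG)):
        print(f"MKD sweep from {h['ip']} as {h['user']}: {h['distinct_dirs']} dirs, marker {h['names']}")
    for port, n in count_rejected_by_port(KERNEL_LOG).most_common():
        print(f"port {port}: {n} rejected - {PORT_NOTES.get(port, 'no note')}")
```

The sweep detector keys on the combination the log makes visible (one user, many MKD attempts, many directories, seconds apart) rather than on the marker name, since the name is trivially changed between scanner versions; the second sample session, an anonymous user that only changes directory and fetches a file, is not flagged.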