Security Incidents mailing list archives

some recent action: ftpd sweeps, 9704/tcp checks, sub7 2.1


From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Mon, 2 Oct 2000 12:21:22 -0400

[yeah, it's a bit lengthy, mostly log info.]

hi all,

seen some recent activity i wanted to share with everyone. i was reading
my logs this morning and saw an incident from bellsouth.net, and honestly,
was reluctant to report it to them (i'll post the specific info later, i
expect). in short, i'm being reminded of what i heard ralph nader say at a
talk i heard him give last week: large companies tend to know that they
can shift the burden of any work to you, saving them some time and money.
you'll usually give up in exasperation, and all that it cost them was a
fraction of the time you spent digging around.

this has got to change. you know who you are, we know who you are.

ok, on to the info:

FTP scans are on the rise. so say CERT, so say many of us. some examples:

IP:             213.51.36.116
hostname:       cp7990-a.venra1.lb.nl.home.com
status:         contacted (29 Sep 2000). received both autoresponse (in
                two languages) and written "we're investigating" reply.

from a development Linux station:

2000/09/27 5:49:22 AM - < 0>- New FTP connection: 213.51.36.116
2000/09/27 5:49:22 AM - Unregistered version may only use the default welcome text.
2000/09/27 5:49:23 AM - < 0>-- FTP: Showing entry and asking Username.
2000/09/27 5:49:23 AM - < 0>-- Asking password.
2000/09/27 5:49:23 AM - < 0>Anonymous FTP user: ANON () XFER COM
2000/09/27 5:49:23 AM - < 0> Authenticated: ANONYMOUS.
2000/09/27 5:49:23 AM - < 0>ANONYMOUS-- Processing request .
2000/09/27 5:49:23 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:23 AM - < 0>ANONYMOUS-- Processing request CWD /PUB/.
2000/09/27 5:49:24 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:24 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:24 AM - < 0>ANONYMOUS-- Processing request CWD PUBLIC/INCOMING/.
2000/09/27 5:49:24 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:24 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:24 AM - < 0>ANONYMOUS-- Processing request CWD /PUB/INCOMING/.
2000/09/27 5:49:25 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:25 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:25 AM - < 0>ANONYMOUS-- Processing request CWD /INCOMING/.
2000/09/27 5:49:25 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:25 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:26 AM - < 0>ANONYMOUS-- Processing request CWD /UPLOAD/.
2000/09/27 5:49:26 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:26 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:26 AM - < 0>ANONYMOUS-- Processing request CWD /_VTI_PVT/.
2000/09/27 5:49:26 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:26 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:26 AM - < 0>ANONYMOUS-- Processing request CWD /_VTI_TXT/.
2000/09/27 5:49:27 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:27 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:27 AM - < 0>ANONYMOUS-- Processing request CWD /_VTI_LOG/.
2000/09/27 5:49:27 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:27 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:27 AM - < 0>ANONYMOUS-- Processing request CWD /WWWROOT/.
2000/09/27 5:49:27 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:28 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:28 AM - < 0>ANONYMOUS-- Processing request CWD /ANONYMOUS/.
2000/09/27 5:49:28 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:28 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:28 AM - < 0>ANONYMOUS-- Processing request CWD /PUBLIC/.
2000/09/27 5:49:28 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:28 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:29 AM - < 0>ANONYMOUS-- Processing request CWD /OUTGOING/.
2000/09/27 5:49:29 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:29 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:29 AM - < 0>ANONYMOUS-- Processing request CWD /CGI-BIN/.
2000/09/27 5:49:29 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:29 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:30 AM - < 0>ANONYMOUS-- Processing request CWD /TMP/.
2000/09/27 5:49:30 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:30 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:30 AM - < 0>ANONYMOUS-- Processing request CWD /ANONYMOUS/_VTI_PVT/.
2000/09/27 5:49:30 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:30 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:30 AM - < 0>ANONYMOUS-- Processing request CWD /ANONYMOUS/INCOMING/.
2000/09/27 5:49:31 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:31 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:31 AM - < 0>ANONYMOUS-- Processing request CWD /MAILROOT/.
2000/09/27 5:49:31 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:31 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:31 AM - < 0>ANONYMOUS-- Processing request CWD /FTPROOT/.
2000/09/27 5:49:32 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:32 AM - < 0>ANONYMOUS-- Processing request CWD /.
2000/09/27 5:49:32 AM - < 0>ANONYMOUS-- Processing request CWD /ANONYMOUS/PUB/.
2000/09/27 5:49:32 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:32 AM - < 0>ANONYMOUS-Client disconnected, so will we.

(from a mail and file server offering ANONYMOUS FTP service to the world)
Sep 27 05:59:55 server kernel: TCP connection accepted: ip=213.51.36.116 port=21 uid=0 process=ncftpd[26341]

** ONLY CWRU BIOCHEMISTRY IS AUTHORIZED TO CONNECT TO THESE MACHINES ***
(from an SGI workstation)
Sep 27 05:43:42 4C:sgi1 ftpd[39866]: refused connect from cp7990-a.venra1.lb.nl.home.com

(from another SGI workstation)
Sep 27 06:00:13 4C:sgi2 ftpd[7611]: refused connect from cp7990-a.venra1.lb.nl.home.com

-------------------------------------------------

been seeing a lot of 9704/TCP attempts. see the CERT note (1) for why:

network:        bridgeband.net
status:         contacted (29 Sep 2000). reply: "Our engineering team is
                currently investigating this issue."

Sep 29 07:23:51 server kernel: TCP connection rejected from 199.2.135.67, port 9704


  +++ yet another 9704/TCP check

network:        concentric.net
status:         contacted (1 Oct 2000). autoreply. (they seem better set
                up for spam, methinks.)

Sep 30 05:07:28 server kernel: TCP connection rejected from 209.31.235.33, port 9704

-------------------------------------------------

and life wouldn't be complete without some Sub7 2.1 action (27374/TCP):

network:        rr.com
status:         contacted (29 Sep 2000). autoresponse.

Sep 29 03:14:07 server kernel: TCP connection rejected from 24.28.55.244, port 27374

All times are EDT (GMT-4). the FTP sweeps and attempts are pretty run of
the mill, probably some warez kiddies using an automated scanner. good
god, kids, if you're reading this, please get a clue and be less noisy.
the 9704/TCP sweeps are probably doing a fingerprint of the OS and then
checking for the recent rpc.statd effects. and the Sub7 is quite run of
the mill *yawn*. interestingly i haven't caught many portscans lately,
which made me check to make sure the detection module hadn't barfed out
and segfaulted (it hasn't).

if any kiddies are reading this and want to learn how to avoid detection,
i say "get a clue."


notes:

1. http://www.cert.org/advisories/CA-2000-17.html

thanks all, keep the peace. and to the ISPs who can't be good citizens,
we're watching you closely.

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
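A small detector for the directory-probe pattern in the FTP server log quoted above (anonymous login, then a burst of MKD attempts across candidate upload directories within a few seconds). This is an added example for the archive page, not code from Jose's post; the log sample is constructed in the same format and uses RFC 5737 test addresses.

```python
import re
from datetime import datetime
# Constructed sample in the format of the FTP log in the post (not the
# post's own lines); first session probes for writable dirs, second is benign.
SAMPLE_LOG = """\
2000/09/27 5:49:22 AM - < 0>- New FTP connection: 192.0.2.10
2000/09/27 5:49:23 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:23 AM - < 0>ANONYMOUS-- Processing request CWD /PUB/.
2000/09/27 5:49:24 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:24 AM - < 0>ANONYMOUS-- Processing request CWD /INCOMING/.
2000/09/27 5:49:25 AM - < 0>ANONYMOUS-- Processing request MKD TEST345.
2000/09/27 5:49:25 AM - < 0>ANONYMOUS-Client disconnected, so will we.
2000/09/27 6:10:00 AM - < 0>- New FTP connection: 192.0.2.20
2000/09/27 6:10:05 AM - < 0>ANONYMOUS-- Processing request CWD /PUB/.
2000/09/27 6:10:09 AM - < 0>ANONYMOUS-- Processing request RETR README.
2000/09/27 6:10:20 AM - < 0>ANONYMOUS-Client disconnected, so will we.
"""

LINE_RE = re.compile(r"^(\S+ \S+ [AP]M) - < *\d+>(.*)$")   # timestamp, body
REQ_RE = re.compile(r"Processing request (\w+)(?: (.*?))?\.$")  # verb, arg

def parse_sessions(text):
    """Group log lines into sessions, each starting at 'New FTP connection'."""
    sessions, cur = [], None
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %I:%M:%S %p")
        body = m.group(2).strip()
        if body.startswith("- New FTP connection:"):
            cur = {"ip": body.split(":")[-1].strip(), "start": ts,
                   "end": ts, "mkd": 0, "dirs": set()}
            sessions.append(cur)
        elif cur is not None:
            cur["end"] = ts          # last activity seen for this session
            r = REQ_RE.search(body)
            if r and r.group(1) == "MKD":
                cur["mkd"] += 1      # attempt to create a directory
            elif r and r.group(1) == "CWD":
                cur["dirs"].add(r.group(2))
    return sessions

def flag_upload_sweeps(text, min_mkd=3, max_seconds=60):
    """Return (ip, mkd_count, distinct_dirs, seconds) for sessions that
    issued >= min_mkd MKD requests within max_seconds: writable-dir probing."""
    hits = []
    for s in parse_sessions(text):
        span = (s["end"] - s["start"]).total_seconds()
        if s["mkd"] >= min_mkd and span <= max_seconds:
            hits.append((s["ip"], s["mkd"], len(s["dirs"]), span))
    return hits
```

Feed it the server's own log and tune `min_mkd` downward if your anonymous area never legitimately sees MKD at all.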

