Security Incidents mailing list archives
FTP scans from UU.net -- two of 'em!
From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Mon, 25 Sep 2000 11:53:57 -0400
This weekend we caught two FTP service scans coming from UU.net. Given the large number of recent security problems with FTP services (see note 1), this is usually a prelude to an attack. In fact, it appears that a student-owned machine was compromised by an attacker from UU.net.

The first is to a server that offers anonymous FTP to the world. The second two are SGI workstations to which no one outside of CWRU Biochemistry is authorized to connect. These are likely to be violations of a customer's AUP and may represent a compromised machine or a user engaging in unacceptable behavior:

(from a mail and file server offering ANONYMOUS FTP service to the world)
Sep 23 19:58:32 server kernel: TCP connection accepted: ip=63.77.76.6 port=21 uid=0 process=ncftpd[9763]
Sep 24 11:25:34 server kernel: TCP connection accepted: ip=212.125.181.22 port=21 uid=0 process=ncftpd[10415]

(from an SGI workstation)
Sep 23 19:59:13 4C:sgi1 ftpd[4020]: refused connect from 63.77.76.6
Sep 24 11:25:42 4C:sgi1 ftpd[4507]: refused connect from user03578.du.no.uu.net

(from another SGI workstation)
Sep 23 19:42:54 4C:sgi2 ftpd[36096]: refused connect from 63.77.76.6
Sep 24 11:09:14 4C:sgi2 ftpd[36629]: refused connect from user03578.du.no.uu.net

All times are in US EDT (GMT-5).

Notes:
1. http://www.cert.org/advisories/CA-2000-13.html
   See also their current activity lists.

jose nazario
jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
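The cross-host correlation described in the post can be automated. The following is an added example, not part of the original message: it parses the two log formats quoted above and reports any source seen on FTP on two or more machines. The function names and the ASSUMED_ALIASES mapping (hostname to address, inferred only from the matching timestamps) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# The six log lines quoted in the post (syslog omits the year; 2000 is from the Date header).
LOGS = """\
Sep 23 19:58:32 server kernel: TCP connection accepted: ip=63.77.76.6 port=21 uid=0 process=ncftpd[9763]
Sep 24 11:25:34 server kernel: TCP connection accepted: ip=212.125.181.22 port=21 uid=0 process=ncftpd[10415]
Sep 23 19:59:13 4C:sgi1 ftpd[4020]: refused connect from 63.77.76.6
Sep 24 11:25:42 4C:sgi1 ftpd[4507]: refused connect from user03578.du.no.uu.net
Sep 23 19:42:54 4C:sgi2 ftpd[36096]: refused connect from 63.77.76.6
Sep 24 11:09:14 4C:sgi2 ftpd[36629]: refused connect from user03578.du.no.uu.net
"""
STAMP = r"(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) "
PATTERNS = [
    # accepted connection on the anonymous FTP server
    re.compile(STAMP + r"kernel: TCP connection accepted: ip=(?P<src>\S+) port=21 "),
    # refusal logged by ftpd on the SGI workstations
    re.compile(STAMP + r"ftpd\[\d+\]: refused connect from (?P<src>\S+)"),
]

def parse(text):
    """Yield (time, logging_host, source) for every recognised FTP log line."""
    for line in text.splitlines():
        for pat in PATTERNS:
            m = pat.match(line.strip())
            if m:
                when = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
                yield when, m["host"], m["src"]
                break

def ftp_sweeps(text, aliases=None, min_hosts=2):
    """Map each source seen on >= min_hosts machines to its targets and time span."""
    aliases = aliases or {}
    hosts, times = defaultdict(set), defaultdict(list)
    for when, host, src in parse(text):
        src = aliases.get(src, src)  # fold a reverse-DNS name onto its address
        hosts[src].add(host)
        times[src].append(when)
    return {
        src: {"hosts": sorted(h),
              "span_seconds": int((max(times[src]) - min(times[src])).total_seconds())}
        for src, h in hosts.items() if len(h) >= min_hosts
    }

# Assumption, not stated in the post: the hostname and 212.125.181.22 are the same source.
ASSUMED_ALIASES = {"user03578.du.no.uu.net": "212.125.181.22"}

if __name__ == "__main__":
    for src, info in ftp_sweeps(LOGS, ASSUMED_ALIASES).items():
        print(src, info)
```

Without the alias mapping, the second source is still flagged under its hostname for the two SGI workstations, but the accepted connection on the anonymous server is not tied to it.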