Security Incidents mailing list archives

FTP scans from UU.net -- two of 'em!


From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Mon, 25 Sep 2000 11:53:57 -0400

This weekend we caught two FTP service scans coming from UU.net. Given the
large number of recent security problems with FTP services (see note 1),
this is usually a prelude to an attack. In fact, it appears that a student
owned machine was compromised by an attacker from UU.net.

The first is to a server that offers anonymous FTP to the world. The
second two are SGI workstations to which no one outside of CWRU
Biochemistry is authorized to connect.

These are likely to be violations of a customer's AUP and may represent a
compromised machine or a user engaging in unacceptable behavior:

(from a mail and file server offering ANONYMOUS FTP service to the world)
Sep 23 19:58:32 server kernel: TCP connection accepted: ip=63.77.76.6
port=21 uid=0 process=ncftpd[9763]
Sep 24 11:25:34 server kernel: TCP connection accepted: ip=212.125.181.22
port=21 uid=0 process=ncftpd[10415]

(from an SGI workstation)
Sep 23 19:59:13 4C:sgi1 ftpd[4020]: refused connect from 63.77.76.6
Sep 24 11:25:42 4C:sgi1 ftpd[4507]: refused connect from user03578.du.no.uu.net

(from another SGI workstation)
Sep 23 19:42:54 4C:sgi2 ftpd[36096]: refused connect from 63.77.76.6
Sep 24 11:09:14 4C:sgi2 ftpd[36629]: refused connect from user03578.du.no.uu.net

All times are in US EDT (GMT-5).

Notes:

1. http://www.cert.org/advisories/CA-2000-13.html See also their current
activity lists.

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc

