Security Incidents mailing list archives
Attempted FTP script based attack.....
From: Andrew Cogger <andrew () INNOVONICS COM AU>
Date: Wed, 6 Sep 2000 14:02:15 +1000
G'day.

Had our whole IP block ftp portscanned today by 212.170.17.235

inetnum:      212.170.0.0 - 212.170.15.255
netname:      TTDNET
descr:        Telefonica Data Espana (NCC#1999085999 )
descr:        Red de servicios IP
descr:        Spain
country:      ES
admin-c:      IM2505-RIPE
tech-c:       IM2505-RIPE
status:       ASSIGNED PA
mnt-by:       MAINT-AS3352

The 2 active ftp servers generated these logs......

314638 09/06/00 09:32:45 ftp-proxy[669] No access to command MKD . BJBZ from 212.170.17.235
314648 09/06/00 09:32:50 ftp-proxy[670] No access to command MKD . BJBZ from 212.170.17.235
314658 09/06/00 09:32:51 ftp-proxy[670] No access to command MKD . BJBZ from 212.170.17.235
314668 09/06/00 09:32:55 ftp-proxy[669] No access to command MKD . BJBZ from 212.170.17.235
314678 09/06/00 09:32:56 ftp-proxy[669] No access to command MKD . BJBZ from 212.170.17.235
314698 09/06/00 09:32:58 ftp-proxy[669] No access to command MKD . BJBZ from 212.170.17.235
314708 09/06/00 09:32:58 ftp-proxy[670] No access to command MKD . BJBZ from 212.170.17.235

Looks like an automated script to create a hidden directory, perhaps for warez or rootkit installation.

Anyone recognize the script that is involved???

Thanks,
Andrew

--
Andrew Cogger                     andrew () innovonics com au
Electronics & Software Engineer   www.innovonics.com.au
Innovonics Pty Ltd                Ph +61 3 9326 7922
121 Arden Street                  Fx +61 3 9326 7988
North Melbourne                   Mb 0413 437 461
VIC 3051                          PGP Key ID: 0xC546109D
Australia
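An added example, not part of the original post: it parses ftp-proxy lines in the format quoted in the message and flags any source that racks up several denied MKD commands inside a short window, reporting which proxy processes saw it and which directory names were tried. The function names, the threshold of 3, the 60-second window and the MM/DD/YY reading of the timestamp are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First three lines are from the post; the last is constructed (192.0.2.10 is a
# documentation address) to show a single denial that should not be flagged.
SAMPLE_LOG = """\
314638 09/06/00 09:32:45 ftp-proxy[669] No access to command MKD . BJBZ from 212.170.17.235
314648 09/06/00 09:32:50 ftp-proxy[670] No access to command MKD . BJBZ from 212.170.17.235
314658 09/06/00 09:32:51 ftp-proxy[670] No access to command MKD . BJBZ from 212.170.17.235
314700 09/06/00 11:15:02 ftp-proxy[701] No access to command MKD reports from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^\d+ (?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) ftp-proxy\[(?P<pid>\d+)\] "
    r"No access to command (?P<cmd>[A-Z]{3,4}) (?P<arg>.*) from (?P<src>\d+(?:\.\d+){3})$")

def parse(log):
    """Yield one dict per denied-command line; other lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            # Assumption: timestamps are MM/DD/YY, matching the message date.
            ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%y %H:%M:%S")
            yield ev

def flag_scripted_mkd(log, threshold=3, window=timedelta(seconds=60)):
    """Return {source: summary} for sources with >= threshold denied MKDs in window."""
    by_src = defaultdict(list)
    for ev in parse(log):
        if ev["cmd"] == "MKD":
            by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = start = 0
        for end in range(len(evs)):  # sliding window over sorted timestamps
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = {"burst": best,
                            "proxy_pids": sorted({e["pid"] for e in evs}),
                            "dirs": sorted({e["arg"] for e in evs}),
                            "dot_prefixed": any(e["arg"].startswith(".") for e in evs)}
    return flagged

if __name__ == "__main__":
    print(flag_scripted_mkd(SAMPLE_LOG))
```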