Security Incidents mailing list archives

Attempted FTP script based attack.....


From: Andrew Cogger <andrew () INNOVONICS COM AU>
Date: Wed, 6 Sep 2000 14:02:15 +1000

G'day.

Had our whole IP block ftp portscanned today by 212.170.17.235

inetnum:     212.170.0.0 - 212.170.15.255
netname:     TTDNET
descr:       Telefonica Data Espana (NCC#1999085999 )
descr:       Red de servicios IP
descr:       Spain
country:     ES
admin-c:     IM2505-RIPE
tech-c:      IM2505-RIPE
status:      ASSIGNED PA
mnt-by:      MAINT-AS3352

The 2 active ftp servers generated these logs......

314638 09/06/00 09:32:45 ftp-proxy[669] No access to command MKD . BJBZ from 212.170.17.235
314648 09/06/00 09:32:50 ftp-proxy[670] No access to command MKD . BJBZ from 212.170.17.235
314658 09/06/00 09:32:51 ftp-proxy[670] No access to command MKD . BJBZ from 212.170.17.235
314668 09/06/00 09:32:55 ftp-proxy[669] No access to command MKD . BJBZ from 212.170.17.235
314678 09/06/00 09:32:56 ftp-proxy[669] No access to command MKD . BJBZ from 212.170.17.235
314698 09/06/00 09:32:58 ftp-proxy[669] No access to command MKD . BJBZ from 212.170.17.235
314708 09/06/00 09:32:58 ftp-proxy[670] No access to command MKD . BJBZ from 212.170.17.235


Looks like an automated script to create a hidden directory, perhaps for warez or
rootkit installation.

Anyone recognize the script that is involved???

Thanks,

Andrew


--
Andrew Cogger                                andrew () innovonics com au
Electronics & Software Engineer              www.innovonics.com.au
Innovonics Pty Ltd                           Ph +61 3 9326 7922
121 Arden Street                             Fx +61 3 9326 7988
North Melbourne                              Mb 0413 437 461
VIC     3051                                 PGP Key ID: 0xC546109D
Australia
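
Added example (not part of the original post): Python detection logic that groups ftp-proxy denial records like the ones in the message above by source address and command, and flags bursts within a short window. The field layout and the mm/dd/yy date order are assumptions read off the excerpt; the function names, thresholds and the last sample line are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout assumed from the excerpt in the post:
# <seq> <mm/dd/yy> <hh:mm:ss> ftp-proxy[<pid>] No access to command <CMD> <args> from <ip>
DENIED = re.compile(
    r"^\d+ (?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) ftp-proxy\[(?P<pid>\d+)\] "
    r"No access to command (?P<cmd>\S+) (?P<args>.*?) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse(lines):
    """Yield (time, proxy pid, command, source) for each denied-command record."""
    for line in lines:
        m = DENIED.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S")
            yield ts, m["pid"], m["cmd"].upper(), m["ip"]

def repeated_denials(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {(source, command): proxy pids} where a source had at least
    `threshold` denials of the same command inside `window`."""
    events = defaultdict(list)
    for ts, pid, cmd, ip in parse(lines):
        events[(ip, cmd)].append((ts, pid))
    flagged = {}
    for key, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = sorted({pid for _, pid in hits})
                break
    return flagged

SAMPLE = [
    # First three lines are from the post; the last one is constructed.
    "314638 09/06/00 09:32:45 ftp-proxy[669] No access to command MKD . BJBZ from 212.170.17.235",
    "314648 09/06/00 09:32:50 ftp-proxy[670] No access to command MKD . BJBZ from 212.170.17.235",
    "314658 09/06/00 09:32:51 ftp-proxy[670] No access to command MKD . BJBZ from 212.170.17.235",
    "314718 09/06/00 09:40:02 ftp-proxy[671] No access to command DELE old.txt from 192.0.2.44",
]

if __name__ == "__main__":
    for (ip, cmd), pids in repeated_denials(SAMPLE).items():
        print(f"{ip}: repeated denied {cmd} across proxy pids {', '.join(pids)}")
```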

