Re: annoying ftp probes

[Jason Spence <thalakan () technologist com>]

On Mon, Aug 20, 2001 at 10:33:03AM +0000, Emil Popov said: 
> Hi,
>
> I have been getting some annoying connections to my ftpd like:
>
> Aug 20 07:58:28 ds ftpd[7527]: connection from cc821361-d.vron1.nj.home.com
> Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM cc821361-d.vron1.nj.home.com, guest () here com
> Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
> Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
> Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM ip-90-202.evc.net, guest () here com
> Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p

I've been seeing the same thing, although with different anonymous
passwords and directories being created.  My honeypot is currently
being fought over by a couple k1dd3s who just learned about rmdir and
are trying to wipe each other's warez from the box.

> they are comming from various ISP's at random time intervals.  I
> seems that this is some scanner that searches for world-writable ftp
> sites, and since those requests have been comming from *almost*
> random hosts, i am only able to cumulatively add whole isp domains
> to my hosts.deny. I added a responce line i.e. an instant nmap to
> those guys, and up to now my nmap resulted in scanning either the
> firewall of the isp, or a windows machine ( win :), they may soon
> get an automated dos if they keep on :)) ).
>
> So i presume it's i win tool.

Yeah, I've noticed that they're all on windows boxes.

> Any Idea what the tool is?
> Any Idea of a better defence (not that my site is world-writable but anyway..)

Dunno, but it's not showing up in the first few pages of a search for
"anonymous ftp scanner" on Google.

 - Jason

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com