Security Incidents mailing list archives

RE: annoying ftp probes


From: "Gregory McCann" <cambria () owt com>
Date: Mon, 20 Aug 2001 13:26:48 -0700

I've been seeing more aggressive attempts than that here.  Here is a recent example.  They attempt to CWD to a large 
number of common ftp directory names.  If successful, they try to create a directory there.  This user repeated the 
exact same scan five minutes later.  (To save space I have only included the first one.)

"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","nobody","[10/Aug/2001:19:49:24 -0700]","USER anonymous","331","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:25 -0700]","PASS guest () here com","230","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:25 -0700]","CWD /","250","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:26 -0700]","MKD 010811125809p","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:26 -0700]","CWD /public/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /pub/incoming/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /incoming/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:28 -0700]","CWD /_vti_pvt/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:28 -0700]","CWD /pub/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:29 -0700]","CWD /upload/","250","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:29 -0700]","MKD 010811125813p","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:30 -0700]","CWD /~tmp/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:30 -0700]","CWD /~temp/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /tmp/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /temp/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /_vti_cfg/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:32 -0700]","CWD /_vti_txt/","550","-","-","-"

-----Original Message-----
From: Emil Popov [mailto:emo () ds primasoft bg]
Sent: Monday, August 20, 2001 3:33 AM
To: incidents () securityfocus com
Subject: annoying ftp probes


Hi,

I have been getting some annoying connections to my ftpd like:

Aug 20 07:58:28 ds ftpd[7527]: connection from cc821361-d.vron1.nj.home.com
Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM cc821361-d.vron1.nj.home.com, guest () here com
Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM ip-90-202.evc.net, guest () here com
Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
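
Added example, not part of either message: a log check for the pattern both posters describe, an anonymous session that issues MKD with a 12-digit name ending in "p". The field positions are inferred from the quoted log, and the sample records (hosts, documentation-range addresses, and the 257 "created" reply, which does not occur in the quoted log) are constructed.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the same quoted-CSV layout as the log above:
# host, ip, client string, user, timestamp, command, reply code, ...
# Hosts and 192.0.2.x / 198.51.100.x addresses are placeholders.
SAMPLE_LOG = '''\
"a.example","192.0.2.10","-","ftp","[10/Aug/2001:19:49:25 -0700]","CWD /","250","-","-","-"
"a.example","192.0.2.10","-","ftp","[10/Aug/2001:19:49:26 -0700]","MKD 010811125809p","550","-","-","-"
"a.example","192.0.2.10","-","ftp","[10/Aug/2001:19:49:26 -0700]","CWD /public/","550","-","-","-"
"a.example","192.0.2.10","-","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /incoming/","550","-","-","-"
"a.example","192.0.2.10","-","ftp","[10/Aug/2001:19:49:29 -0700]","CWD /upload/","250","-","-","-"
"a.example","192.0.2.10","-","ftp","[10/Aug/2001:19:49:29 -0700]","MKD 010811125813p","257","-","-","-"
"b.example","198.51.100.7","-","ftp","[10/Aug/2001:20:01:02 -0700]","CWD /pub/","250","-","-","-"
"b.example","198.51.100.7","-","ftp","[10/Aug/2001:20:01:05 -0700]","RETR README","226","-","-","-"
'''

TAG_DIR = re.compile(r"^\d{12}p$")  # 12 digits + "p", the MKD names in both reports

def find_mkd_probes(log_text):
    """Return {ip: summary} for clients that try to create tag-style directories."""
    cwd = {}  # last directory each client entered successfully
    hits = defaultdict(lambda: {"cwd_refused": 0, "mkd_refused": [], "mkd_created": []})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7:
            continue  # skip malformed or truncated records
        ip, code = row[1], row[6]
        verb, _, arg = row[5].partition(" ")
        verb = verb.upper()
        if verb == "CWD":
            if code.startswith("2"):
                cwd[ip] = arg
            else:
                hits[ip]["cwd_refused"] += 1
        elif verb == "MKD" and TAG_DIR.match(arg):
            where = cwd.get(ip, "?").rstrip("/") + "/" + arg
            key = "mkd_created" if code.startswith("2") else "mkd_refused"
            hits[ip][key].append(where)
    # Only clients that actually issued a tag-style MKD are reported.
    return {ip: h for ip, h in hits.items() if h["mkd_refused"] or h["mkd_created"]}

if __name__ == "__main__":
    for ip, h in find_mkd_probes(SAMPLE_LOG).items():
        print(ip, "created:", h["mkd_created"], "refused:", h["mkd_refused"],
              "CWD refused:", h["cwd_refused"])
```

Any path under `mkd_created` is a directory anonymous users were able to write to, so that is the entry to review first.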

