Security Incidents mailing list archives

Re: ProFTPD Scan?

From: Mike Stilson <mstilson () HOME COM>
Date: Wed, 14 Mar 2001 15:11:08 -0500

On Mon, Mar 12, 2001 at 12:28:42PM -0500, Kurth Bemis wrote:

I found these in todays logs - notice the times "15:32:13"  thats four hits
at the same time. and then two at a different time.  Looks like a DoS
attempt to (although i've been known to have been wrong).

In today's logs.

Mar 12 15:30:28 trinity proftpd[19132]: trinity
(AVelizy-101-1-2-117.abo.wanadoo.fr[193.253.200.117]) - USER ftp (Login
failed): Can't find user.

 <snip>

Another log from abo.wanadoo.fr.  He didn't do any damage, but managed to check
my ftp directory while I was changing some things over.

AStrasbourg-201-1-4-7.abo.wanadoo.fr UNKNOWN nobody [13/Mar/2001:16:16:34 -0500] "USER anonymous" 331 -
AStrasbourg-201-1-4-7.abo.wanadoo.fr UNKNOWN ftp [13/Mar/2001:16:16:34 -0500] "PASS guest () here com" 230 -
AStrasbourg-201-1-4-7.abo.wanadoo.fr UNKNOWN ftp [13/Mar/2001:16:16:35 -0500] "CWD /pub/" 550 -
AStrasbourg-201-1-4-7.abo.wanadoo.fr UNKNOWN ftp [13/Mar/2001:16:16:35 -0500] "CWD /public/" 550 -
AStrasbourg-201-1-4-7.abo.wanadoo.fr UNKNOWN ftp [13/Mar/2001:16:16:35 -0500] "CWD /pub/incoming/" 550 -
AStrasbourg-201-1-4-7.abo.wanadoo.fr UNKNOWN ftp [13/Mar/2001:16:16:35 -0500] "CWD /incoming/" 250 -
AStrasbourg-201-1-4-7.abo.wanadoo.fr UNKNOWN ftp [13/Mar/2001:16:16:36 -0500] "MKD 010313221133p" 257 -
AStrasbourg-201-1-4-7.abo.wanadoo.fr UNKNOWN ftp [13/Mar/2001:16:16:36 -0500] "RMD 010313221133p" 250 -
AStrasbourg-201-1-4-7.abo.wanadoo.fr UNKNOWN ftp [13/Mar/2001:16:16:36 -0500] "SYST " 215 -
AStrasbourg-201-1-4-7.abo.wanadoo.fr UNKNOWN ftp [13/Mar/2001:16:16:36 -0500] "REST 1" 350 -
AStrasbourg-201-1-4-7.abo.wanadoo.fr UNKNOWN ftp [13/Mar/2001:16:16:36 -0500] "PASV " 227 -
AStrasbourg-201-1-4-7.abo.wanadoo.fr UNKNOWN ftp [13/Mar/2001:16:16:37 -0500] "PORT 216,25,117,6,1,21" 500 -
AStrasbourg-201-1-4-7.abo.wanadoo.fr UNKNOWN ftp [13/Mar/2001:16:16:37 -0500] "CWD 
ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp 
pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp"
550 -


Mail sent, but I've never had any response from them before so I don't expect
one this time either.

Current thread:

ProFTPD Scan? Kurth Bemis (Mar 12)
- Re: ProFTPD Scan? Janek Shein (Mar 12)
- Re: ProFTPD Scan? X (Mar 12)
- Re: ProFTPD Scan? Jose Nazario (Mar 12)
- Re: ProFTPD Scan? Steven J. Hill (Mar 13)
  - Re: ProFTPD Scan? Kurth Bemis (Mar 14)
  - Re: ProFTPD Scan? Rik van Riel (Mar 20)
- Re: ProFTPD Scan? Mike Stilson (Mar 14)
- <Possible follow-ups>
- Re: ProFTPD Scan? Guillaume.COURTOIS (Mar 15)