Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

higher then normal anon FTP scanning

From: Silent Bob <phoenix () notwise net>
Date: Mon, 8 Oct 2001 13:24:16 -0500 (CDT)
I havent seen anything about this but in the past week Ive seen a lot
more scripted ftp site scanning, much of it from boxes that have
previously probed with nimda (malicious remote control?) sample log
follows. for the record the anon ftp server here doesnt allow upload
so this is just an annoyance.

Oct  8 13:13:19 notwise ftpd[3125]: USER anonymous
Oct  8 13:13:19 notwise ftpd[3125]: PASS Jgpuser () home com
Oct  8 13:13:19 notwise ftpd[3125]: ANONYMOUS FTP LOGIN FROM
AAnnecy-101-1-4-58.abo.wanadoo.fr [193.251.17.58], Jgpuser () home com
Oct  8 13:13:20 notwise ftpd[3125]: CWD /pub/
Oct  8 13:13:20 notwise ftpd[3125]: MKD 011008201323p
Oct  8 13:13:20 notwise ftpd[3125]: CWD /public/
Oct  8 13:13:21 notwise ftpd[3125]: CWD /pub/incoming/
Oct  8 13:13:21 notwise ftpd[3125]: CWD /incoming/
Oct  8 13:13:22 notwise ftpd[3125]: CWD /_vti_pvt/
Oct  8 13:13:23 notwise ftpd[3125]: CWD /
Oct  8 13:13:23 notwise ftpd[3125]: MKD 011008201326p
Oct  8 13:13:24 notwise ftpd[3125]: CWD /upload/
Oct  8 13:13:24 notwise ftpd[3125]: FTP session closed


-- 
Bob
MCSE Microsoft Certified System Eliminator

The best way to accelerate a windows box is at 9.8 meters per second square.

All your tanks are belong to me.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: