distributed ftp scan

[Russell Fulton <r.fulton () auckland ac nz>]

Early this morning (local time 0500 - UTC+1200) we detected a what
appeared to be a distributed scan of ftp ports.  10 source addresses
were involved and each source scanned addresses going up in steps of 21
addresses.  All started from the same block of 21 addresses. The scan
rates varied between the sources with some probing at the rate of 1
destination address per minute and others at up to 3 per minute.  

They found several ftp servers and several of the sources established
TCP connections to retrieve banners so I don't believe that this was a
decoy scan.

Here is a list of the IPs involved:

 193.92.189.98 195.199.85.93 24.203.213.246 200.207.15.4  212.249.12.194
24.232.88.160 212.72.11.26 62.110.245.69 213.53.232.131 202.84.178.1

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com