Security Incidents mailing list archives

Re: increase in ftp scanning


From: "Baribault, Gary" <gary () baribault net>
Date: Tue, 05 Mar 2002 08:40:33 -0500

I have gotten so many scans from t-dialin.net and wanadoo.fr for FTP and everything else under the sun that I have /dev/null'ed all their packets. I sent many messages to their abuse@ and to the upstream, and have gotten many polite replies about how they will take care of it just as soon as they have a chance!! I find a new /24 every now and again.

Just block them out! I've attached part of my ipchains.

Gary B

At 12:15 PM 3/4/2002 +0000, quentyn () fotango com wrote:
Has anyone else noticed a huge increase in FTP scanning over the last
few weeks (esp. the last 2)?

Normally I would expect to see 1 scan every few days, but in the last
few weeks it has been several each night.

For example (this is from a host with no externally offered services):


Mar  2 15:14:46 TCP: ftp connection attempt from pD9E55ADF.dip.t-dialin.net (217.229.90.223):1583
Mar  2 16:42:48 TCP: ftp connection attempt from 213.82.69.34:1309
Mar  2 16:42:51 TCP: ftp connection attempt from 213.82.69.34:1309
Mar  2 16:42:57 TCP: ftp connection attempt from 213.82.69.34:1309
Mar  2 16:43:09 TCP: ftp connection attempt from 213.82.69.34:1309
Mar  2 17:00:54 TCP: ftp connection attempt from D576EB25.kabel.telenet.be (213.118.235.37):1479
Mar  2 20:40:42 TCP: ftp connection attempt from 203.43.206.34:21
Mar  2 22:15:53 TCP: ftp connection attempt from www.partcenter.com (217.31.128.124):21


Is this warez kiddies looking for open share or script kiddies looking
for a vulnerable version of wuftp (or similar)?

--
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
`Naturally, a sysadmin's entire person is holy. We have the power to
kill daemons.'
   Mike Sphar

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Attachment: block.txt
Description:
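A triage sketch for the log excerpt quoted in this message, added here as an example and not part of the original posts or the block.txt attachment: it groups the attempts by source /24 (the granularity mentioned above) and counts repeated lines from the same source IP and port as one attempt, on the assumption that they are retries of a single connection. The function names are hypothetical; the sample lines are the ones from the message, rejoined onto single lines.

```python
import ipaddress
import re
from collections import defaultdict

# Log lines from the quoted message, rejoined onto single lines.
SAMPLE_LOG = """\
Mar  2 15:14:46 TCP: ftp connection attempt from pD9E55ADF.dip.t-dialin.net (217.229.90.223):1583
Mar  2 16:42:48 TCP: ftp connection attempt from 213.82.69.34:1309
Mar  2 16:42:51 TCP: ftp connection attempt from 213.82.69.34:1309
Mar  2 16:42:57 TCP: ftp connection attempt from 213.82.69.34:1309
Mar  2 16:43:09 TCP: ftp connection attempt from 213.82.69.34:1309
Mar  2 17:00:54 TCP: ftp connection attempt from D576EB25.kabel.telenet.be (213.118.235.37):1479
Mar  2 20:40:42 TCP: ftp connection attempt from 203.43.206.34:21
Mar  2 22:15:53 TCP: ftp connection attempt from www.partcenter.com (217.31.128.124):21
"""

# Source is either "hostname (ip):port" or a bare "ip:port".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) TCP: ftp connection attempt from "
    r"(?:(?P<host>\S+) \((?P<ip1>[\d.]+)\)|(?P<ip2>[\d.]+)):(?P<port>\d+)$"
)

def parse(log):
    """Yield (timestamp, ip, source_port, hostname_or_None) for each ftp record."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines in any other format are skipped
            ip = ipaddress.ip_address(m["ip1"] or m["ip2"])
            yield m["ts"], ip, int(m["port"]), m["host"]

def summarize(log):
    """Return {"a.b.c.0/24": {"lines": n, "attempts": n, "sources": set}}."""
    seen = set()
    nets = defaultdict(lambda: {"lines": 0, "attempts": 0, "sources": set()})
    for _ts, ip, port, _host in parse(log):
        entry = nets[str(ipaddress.ip_network(f"{ip}/24", strict=False))]
        entry["lines"] += 1
        entry["sources"].add(str(ip))
        # Assumption: the same source IP and port seen again is a retry of
        # one connection attempt, not a new scan.
        if (ip, port) not in seen:
            seen.add((ip, port))
            entry["attempts"] += 1
    return dict(nets)

if __name__ == "__main__":
    for net, e in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["lines"]):
        print(f"{net:18} lines={e['lines']} attempts={e['attempts']} {sorted(e['sources'])}")
```

On this excerpt the four lines from 213.82.69.34:1309 collapse to one attempt, so the eight log lines represent five distinct sources in five /24s.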
