annoying ftp probes
From: Emil Popov (emo@ds.primasoft.bg)
Date: 08/20/01
- Previous message: Jose Nazario: "Re: Flash Worms"
- Next in thread: Eduardo Cruz: "smtp probes"
- Reply: Eduardo Cruz: "smtp probes"
- Reply: Jason Spence: "Re: annoying ftp probes"
- Reply: Mark Villanova: "RE: annoying ftp probes"
- Reply: NESTING, DAVID M (SBCSI): "RE: annoying ftp probes"
- Reply: Joris De Donder: "Re: annoying ftp probes"
- Reply: Emil Popov: "Re: annoying ftp probes"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 20 Aug 2001 10:33:03 +0000
From: Emil Popov <emo@ds.primasoft.bg>
To: incidents@securityfocus.com
Subject: annoying ftp probes
Message-ID: <20010820103303.A12005@ds.primasoft.bg>
Hi,
I have been getting some annoying connections to my ftpd like:
Aug 20 07:58:28 ds ftpd[7527]: connection from cc821361-d.vron1.nj.home.com
Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM cc821361-d.vron1.nj.home.com, guest@here.com
Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM ip-90-202.evc.net, guest@here.com
Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p
They are coming from various ISPs at random time intervals.
It seems that this is some scanner that searches for world-writable
ftp sites, and since those requests have been coming from *almost*
random hosts, I am only able to cumulatively add whole ISP domains
to my hosts.deny. I added a response line, i.e. an instant nmap to those guys,
and up to now my nmap resulted in scanning either the firewall of the ISP,
or a windows machine ( win :), they may soon get an automated dos if they keep on :)) ).
So I presume it's a win tool.
Any idea what the tool is?
Any idea of a better defence (not that my site is world-writable but anyway..)?
Thanks
P.S. There is a very famous WarezFTP site in Bulgaria, and I see them getting those same (in format)
directories created, so it really seems like a scanner that just goes around mkdir'ing.
P.P.S. Sorry for mentioning the un-masked hostnames, but I believe they deserve that.
Emil Popov
Primasoft Ltd.
emo@ds.primasoft.bg
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com