Re: annoying ftp probes

From: Jason Spence (thalakan@technologist.com)
Date: 08/20/01


Date: Mon, 20 Aug 2001 11:20:08 -0700
From: Jason Spence <thalakan@technologist.com>
To: incidents@securityfocus.com
Subject: Re: annoying ftp probes
Message-ID: <20010820112008.A19124@graendal.prime.mip>

On Mon, Aug 20, 2001 at 10:33:03AM +0000, Emil Popov said:
> Hi,
>
> I have been getting some annoying connections to my ftpd like:
>
> Aug 20 07:58:28 ds ftpd[7527]: connection from cc821361-d.vron1.nj.home.com
> Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM cc821361-d.vron1.nj.home.com, guest@here.com
> Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
> Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
> Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM ip-90-202.evc.net, guest@here.com
> Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p

I've been seeing the same thing, although with different anonymous
passwords and directories being created. My honeypot is currently
being fought over by a couple k1dd3s who just learned about rmdir and
are trying to wipe each other's warez from the box.

> They are coming from various ISPs at random time intervals. It
> seems that this is some scanner that searches for world-writable ftp
> sites, and since those requests have been coming from *almost*
> random hosts, I am only able to cumulatively add whole ISP domains
> to my hosts.deny. I added a response line, i.e. an instant nmap to
> those guys, and up to now my nmap resulted in scanning either the
> firewall of the ISP, or a windows machine ( win :), they may soon
> get an automated dos if they keep on :)) ).
>
> So I presume it's a win tool.

Yeah, I've noticed that they're all on windows boxes.

> Any idea what the tool is?
> Any idea of a better defence (not that my site is world-writable but anyway..)

Dunno, but it's not showing up in the first few pages of a search for
"anonymous ftp scanner" on Google.

 - Jason

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
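
Added example, not part of the original thread: a small detector for the pattern in the quoted log, an anonymous FTP login followed by a mkdir in the same ftpd process. The sample lines are constructed (hostnames are placeholders), and treating a run of digits ending in 'p' as a probe-style directory name is an assumption drawn from the two names quoted above.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format quoted in the thread (placeholder hostnames).
SAMPLE_LOG = """\
Aug 20 07:58:28 ds ftpd[7527]: connection from host-a.example.net
Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM host-a.example.net, guest@here.com
Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
Aug 20 08:10:02 ds ftpd[7600]: connection from host-b.example.org
Aug 20 08:10:03 ds ftpd[7600]: ANONYMOUS FTP LOGIN FROM host-b.example.org, user@example.org
Aug 20 08:10:40 ds ftpd[7600]: get README
Aug 20 09:00:00 ds ftpd[7700]: connection from host-c.example.com
Aug 20 09:00:01 ds ftpd[7700]: mkdir upload
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ ftpd\[(\d+)\]: (.*)$")
ANON = re.compile(r"^ANONYMOUS FTP LOGIN FROM (\S+), (\S*)$")
MKDIR = re.compile(r"^mkdir (.+)$")
# Assumption: probe directories resemble the two in the thread (digits ending in 'p').
PROBE_DIR = re.compile(r"^\d{6,}p$")


def find_write_probes(log_text):
    """Return one record per mkdir issued by an anonymous session (keyed by ftpd PID)."""
    sessions = defaultdict(dict)
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, pid, msg = m.groups()
        anon, mk = ANON.match(msg), MKDIR.match(msg)
        if msg.startswith("connection from "):
            sessions[pid] = {}  # PIDs are reused, so a new connection resets state
        elif anon:
            sessions[pid] = {"host": anon.group(1), "password": anon.group(2)}
        elif mk and "host" in sessions[pid]:
            s = sessions[pid]
            hits.append({"time": stamp, "host": s["host"], "password": s["password"],
                         "dir": mk.group(1),
                         "probe_style": bool(PROBE_DIR.match(mk.group(1)))})
    return hits


if __name__ == "__main__":
    for hit in find_write_probes(SAMPLE_LOG):
        print(hit)
```

Grouping the hits by anonymous password or directory pattern rather than by source host fits the observation in the thread that the probes arrive from almost random hosts.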


