Re: annoying ftp probes

From: Mike Eheler (meheler@searchbc.com)
Date: 08/20/01


Message-ID: <3B8100F2.2040909@searchbc.com>
Date: Mon, 20 Aug 2001 12:22:10 +0000
From: Mike Eheler <meheler@searchbc.com>
To: Jason Spence <thalakan@technologist.com>
Subject: Re: annoying ftp probes

It wouldn't be tough to create something like that, anyways. I bet it's
just part of some "war" IRC script, or something. Seems to create a
directory with a yymmddhhmmss time stamp, then probably logs the
successes. It doesn't seem to be a very adept script, either, as it only
seems to try the home dir.

I've seen the attempted probes even on my personal ftp server at home.
Of course I don't allow anonymous connections, but I opened it once when
someone was connecting just to see what they wanted, and it was exactly
this.

Very interesting, indeed. There's no point blocking individual IPs or
hostnames (since, with some dynamic services, like dialup, you'd be
blocking some innocent users as well). I think the best remedy is just
to not allow write access to anon, except in an "incoming" dir or whatever.

Mike

Jason Spence wrote:

>On Mon, Aug 20, 2001 at 10:33:03AM +0000, Emil Popov said:
>
>>Hi,
>>
>>I have been getting some annoying connections to my ftpd like:
>>
>>Aug 20 07:58:28 ds ftpd[7527]: connection from cc821361-d.vron1.nj.home.com
>>Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM cc821361-d.vron1.nj.home.com, guest@here.com
>>Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
>>Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
>>Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM ip-90-202.evc.net, guest@here.com
>>Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p
>>
>
>I've been seeing the same thing, although with different anonymous
>passwords and directories being created. My honeypot is currently
>being fought over by a couple k1dd3s who just learned about rmdir and
>are trying to wipe each other's warez from the box.
>
>>They are coming from various ISPs at random time intervals. It
>>seems that this is some scanner that searches for world-writable ftp
>>sites, and since those requests have been coming from *almost*
>>random hosts, I am only able to cumulatively add whole ISP domains
>>to my hosts.deny. I added a response line, i.e. an instant nmap to
>>those guys, and up to now my nmap resulted in scanning either the
>>firewall of the ISP, or a windows machine ( win :), they may soon
>>get an automated dos if they keep on :)) ).
>>
>>So I presume it's a win tool.
>>
>
>Yeah, I've noticed that they're all on windows boxes.
>
>>Any idea what the tool is?
>>Any idea of a better defence (not that my site is world-writable but anyway..)
>>
>
>Dunno, but it's not showing up in the first few pages of a search for
>"anonymous ftp scanner" on Google.
>
> - Jason
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
>
>
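
A detection sketch for the pattern discussed in this thread, added here as an example and not code from any of the posters: it correlates ftpd syslog lines by process ID and flags anonymous sessions that create a directory named like a yymmddhhmmss timestamp. It assumes the log format of the lines quoted above; the second session in the sample is constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: one probe as quoted in the thread, plus a made-up benign session.
SAMPLE_LOG = """\
Aug 20 07:58:28 ds ftpd[7527]: connection from cc821361-d.vron1.nj.home.com
Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM cc821361-d.vron1.nj.home.com, guest@here.com
Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
Aug 20 09:14:02 ds ftpd[7601]: connection from client.example.org
Aug 20 09:14:03 ds ftpd[7601]: ANONYMOUS FTP LOGIN FROM client.example.org, user@example.org
Aug 20 09:14:09 ds ftpd[7601]: mkdir incoming/drivers
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ftpd\[(\d+)\]: (.*)$")
ANON = re.compile(r"^ANONYMOUS FTP LOGIN FROM (\S+), (\S*)$")
MKDIR = re.compile(r"^mkdir (\S+)$")
STAMP = re.compile(r"^(\d{12})[A-Za-z]?$")  # yymmddhhmmss plus optional tag letter

def is_timestamp_name(name):
    """True if the last path component parses as a yymmddhhmmss timestamp."""
    m = STAMP.match(name.rsplit("/", 1)[-1])
    if not m:
        return False
    try:
        datetime.strptime(m.group(1), "%y%m%d%H%M%S")  # rejects month 13, hour 25, ...
        return True
    except ValueError:
        return False

def find_probes(log_text):
    """Return one record per anonymous session that created a timestamp-named directory."""
    anon, hits = {}, []  # anon: ftpd pid -> (host, password) of an anonymous login
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when, pid, msg = m.groups()
        if msg.startswith("connection from"):
            anon.pop(pid, None)  # new session: forget state left by a reused pid
        elif (a := ANON.match(msg)):
            anon[pid] = a.groups()
        elif (d := MKDIR.match(msg)) and pid in anon and is_timestamp_name(d.group(1)):
            host, password = anon[pid]
            hits.append({"time": when, "host": host, "password": password, "dir": d.group(1)})
    return hits

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

Counting hits per day rather than per source host fits the observation in the thread that the probes arrive from many unrelated dynamic addresses.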



