RE: annoying ftp probes

From: NESTING, DAVID M (SBCSI) (dn3723@sbc.com)
Date: 08/20/01 

Message-ID: <B165A21236E7D411A8B90002A52C5871E49CDA@msgstl08.sbc.com>
From: "NESTING, DAVID M (SBCSI)" <dn3723@sbc.com>
To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>
Subject: RE: annoying ftp probes
Date: Mon, 20 Aug 2001 14:50:57 -0500

I get a ton of these pretty regularly, and it doesn't appear targeted at
"me" specifically. I have a number of systems logging to a central syslog
daemon, and I will see FTP connection attempts on all of my systems
virtually simultaneously. This tells me they're scanning netblocks for open
FTP servers (likely parallelized, but still reasonably sequential). A
decently configured IDS could detect this and block the offender from
further accesses.

I do occasionally have clients on IRC when this happens, but I am never able
to correlate any scan with any user that's been on IRC at any time in the
previous month. They're probably just plugging in huge netblocks and
letting it run overnight.

Classic script kiddie tool.

David

-----Original Message-----
From: Mike Eheler [mailto:meheler@searchbc.com]
Sent: Monday, August 20, 2001 7:22
To: Jason Spence
Cc: incidents@securityfocus.com
Subject: Re: annoying ftp probes

It wouldn't be tough to create something like that, anyways. I bet it's
just part of some "war" IRC script, or something.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com