RE: annoying ftp probes
From: Gregory McCann (cambria@owt.com)
Date: 08/20/01
Message-ID: <200108201326480630.003D6E8C@smtp.owt.com>
Date: Mon, 20 Aug 2001 13:26:48 -0700
From: "Gregory McCann" <cambria@owt.com>
To: incidents@securityfocus.com
Subject: RE: annoying ftp probes
I've been seeing more aggressive attempts than that here. Here is a recent example. They attempt to CWD to a large number of common ftp directory names. If successful, they try to create a directory there. This user repeated the exact same scan five minutes later. (To save space I have only included the first one.)
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","nobody","[10/Aug/2001:19:49:24 -0700]","USER anonymous","331","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:25 -0700]","PASS guest@here.com","230","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:25 -0700]","CWD /","250","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:26 -0700]","MKD 010811125809p","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:26 -0700]","CWD /public/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /pub/incoming/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /incoming/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:28 -0700]","CWD /_vti_pvt/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:28 -0700]","CWD /pub/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:29 -0700]","CWD /upload/","250","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:29 -0700]","MKD 010811125813p","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:30 -0700]","CWD /~tmp/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:30 -0700]","CWD /~temp/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /tmp/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /temp/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /_vti_cfg/","550","-","-","-"
"EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:32 -0700]","CWD /_vti_txt/","550","-","-","-"
>-----Original Message-----
>From: Emil Popov [mailto:emo@ds.primasoft.bg]
>Sent: Monday, August 20, 2001 3:33 AM
>To: incidents@securityfocus.com
>Subject: annoying ftp probes
>
>
>Hi,
>
>I have been getting some annoying connections to my ftpd like:
>
>Aug 20 07:58:28 ds ftpd[7527]: connection from
>cc821361-d.vron1.nj.home.com
>Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM
>cc821361-d.vron1.nj.home.com, guest@here.com
>Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
>Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
>Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM
>ip-90-202.evc.net, guest@here.com
>Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
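
One way to flag the pattern described in the message above from a log in this layout, as an added example that is not part of the original post. The field positions (IP in column 2, command in column 6, reply code in column 7) are inferred from the quoted log; the hosts, IPs, threshold and the successful MKD row (reply 257) are constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the 10-field CSV layout of the log quoted above.
# Hosts and IPs are placeholders (RFC 5737 ranges), not values from the post.
ROW = '"{h}","{ip}","-","ftp","[10/Aug/2001:19:49:{s:02d} -0700]","{c}","{r}","-","-","-"\n'
EVENTS = [  # (ip, command, reply code)
    ("192.0.2.10", "PASS guest@here.com", "230"),
    ("192.0.2.10", "CWD /", "250"),
    ("192.0.2.10", "MKD 010811125809p", "550"),
    ("192.0.2.10", "CWD /pub/incoming/", "550"),
    ("192.0.2.10", "CWD /incoming/", "550"),
    ("192.0.2.10", "CWD /upload/", "250"),
    ("192.0.2.10", "MKD 010811125813p", "257"),  # constructed: write succeeded
    ("192.0.2.10", "CWD /tmp/", "550"),
    ("198.51.100.7", "PASS user@example.org", "230"),  # ordinary download session
    ("198.51.100.7", "CWD /pub/", "250"),
    ("198.51.100.7", "RETR README", "226"),
]
SAMPLE_LOG = "".join(ROW.format(h="host.example", ip=ip, s=i, c=c, r=r)
                     for i, (ip, c, r) in enumerate(EVENTS))

TAG_DIR = re.compile(r"^\d{12}p$")  # directory names like 010811125809p

def find_probes(log_text, min_failed_cwd=3):
    """Return {ip: findings} for clients that walk directories or MKD a tag."""
    seen = defaultdict(lambda: {"cwd": "/", "failed_cwd": 0, "mkd": [], "writable": []})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7:
            continue  # not a log record in this layout
        ip, (verb, _, arg), code = row[1], row[5].partition(" "), row[6]
        s = seen[ip]
        if verb == "CWD":
            if code.startswith("2"):
                s["cwd"] = arg  # remember where later MKD attempts land
            else:
                s["failed_cwd"] += 1
        elif verb == "MKD" and TAG_DIR.match(arg):
            s["mkd"].append(arg)
            if code.startswith("2"):  # directory was created: anonymous write is open here
                s["writable"].append(s["cwd"])
    return {ip: {k: s[k] for k in ("failed_cwd", "mkd", "writable")}
            for ip, s in seen.items()
            if s["mkd"] or s["failed_cwd"] >= min_failed_cwd}
```

Any entry with a non-empty `writable` list names a directory where anonymous users can create content, which is the condition to close off on the server.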