RE: annoying ftp probes

From: Skeeve Stevens (skeeve@skeeve.org)
Date: 08/26/01


From: "Skeeve Stevens" <skeeve@skeeve.org>
To: <incidents@securityfocus.com>
Subject: RE: annoying ftp probes
Date: Sun, 26 Aug 2001 20:37:31 +1000
Message-ID: <05fa01c12e1b$1cf7c880$026712cb@InDeusInvenioVeritas>

With this particular incident... send an email to abuse@telstra.com with
this log and they will kick the person... TMNS is Telstra Managed
Network Services, and it looks like that particular link is a Cable
connection.

...Skeeve

> -----Original Message-----
> From: Gregory McCann [mailto:cambria@owt.com]
> Sent: Tuesday, August 21, 2001 6:27 AM
> To: incidents@securityfocus.com
> Cc: Mark Villanova; emo@ds.primasoft.bg
> Subject: RE: annoying ftp probes
>
>
> I've been seeing more aggressive attempts than that here.
> Here is a recent example. They attempt to CWD to a large
> number of common ftp directory names. If successful, they
> try to create a directory there. This user repeated the
> exact same scan five minutes later. (To save space I have
> only included the first one.)
>
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","nobody","[10/Aug/2001:19:49:24 -0700]","USER anonymous","331","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:25 -0700]","PASS guest@here.com","230","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:25 -0700]","CWD /","250","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:26 -0700]","MKD 010811125809p","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:26 -0700]","CWD /public/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /pub/incoming/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /incoming/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:28 -0700]","CWD /_vti_pvt/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:28 -0700]","CWD /pub/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:29 -0700]","CWD /upload/","250","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:29 -0700]","MKD 010811125813p","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:30 -0700]","CWD /~tmp/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:30 -0700]","CWD /~temp/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /tmp/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /temp/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:31 -0700]","CWD /_vti_cfg/","550","-","-","-"
> "EHPP-p-203-54-74-21.prem.tmns.net.au","203.54.74.21","O-TaGGeR-O","ftp","[10/Aug/2001:19:49:32 -0700]","CWD /_vti_txt/","550","-","-","-"
>
> >-----Original Message-----
> >From: Emil Popov [mailto:emo@ds.primasoft.bg]
> >Sent: Monday, August 20, 2001 3:33 AM
> >To: incidents@securityfocus.com
> >Subject: annoying ftp probes
> >
> >
> >Hi,
> >
> >I have been getting some annoying connections to my ftpd like:
> >
> >Aug 20 07:58:28 ds ftpd[7527]: connection from cc821361-d.vron1.nj.home.com
> >Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM cc821361-d.vron1.nj.home.com, guest@here.com
> >Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
> >Aug 19 06:37:34 ds ftpd[20081]: connection from ip-90-202.evc.net
> >Aug 19 06:37:35 ds ftpd[20081]: ANONYMOUS FTP LOGIN FROM ip-90-202.evc.net, guest@here.com
> >Aug 19 06:37:36 ds ftpd[20081]: mkdir 010819061100p
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
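
The pattern Gregory describes (anonymous login, a walk through common directory names with CWD, then MKD wherever a CWD succeeds) is easy to pick out of server logs once the records are parsed. The script below is an added example, not code from the original thread or from any of its posters. It parses both log shapes quoted above: the CSV-style command log (host, address, server name, user, bracketed timestamp, "COMMAND argument", reply code) and the syslog-style ftpd lines, where the process id ties the "ANONYMOUS FTP LOGIN" and "mkdir" lines back to the "connection from" line. The sample records are constructed, with hosts in documentation address ranges rather than the addresses from the thread; the server-name column `SRV`, the `Event` tuple, the `PROBE_DIRS` wordlist (the names from the quoted scan), the thresholds in `find_probes`, and the treatment of a syslog `mkdir` line as a successful MKD (reply 257) are all assumptions of this example.

```python
"""Flag anonymous-FTP directory probing (anonymous login, CWD wordlist walk, MKD
attempts) in two FTP log shapes. Added example; all sample data is constructed."""
import csv
import io
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Directory names walked in the quoted scan; a CWD to any of these counts as a probe step.
PROBE_DIRS = {
    "/", "/public/", "/pub/incoming/", "/incoming/", "/_vti_pvt/", "/pub/",
    "/upload/", "/~tmp/", "/~temp/", "/tmp/", "/temp/", "/_vti_cfg/", "/_vti_txt/",
}

# Constructed CSV-style sample: host, ip, server name (assumed column), user,
# [timestamp], "COMMAND arg", reply code, unused columns. 192.0.2.10 probes; 198.51.100.7 is a normal download.
CSV_LOG = '''\
"probe.example.net","192.0.2.10","SRV","ftp","[10/Aug/2001:19:49:25 -0700]","PASS guest@here.com","230","-","-","-"
"probe.example.net","192.0.2.10","SRV","ftp","[10/Aug/2001:19:49:25 -0700]","CWD /","250","-","-","-"
"probe.example.net","192.0.2.10","SRV","ftp","[10/Aug/2001:19:49:26 -0700]","MKD probe1","550","-","-","-"
"probe.example.net","192.0.2.10","SRV","ftp","[10/Aug/2001:19:49:26 -0700]","CWD /public/","550","-","-","-"
"probe.example.net","192.0.2.10","SRV","ftp","[10/Aug/2001:19:49:27 -0700]","CWD /incoming/","550","-","-","-"
"probe.example.net","192.0.2.10","SRV","ftp","[10/Aug/2001:19:49:28 -0700]","CWD /pub/","550","-","-","-"
"probe.example.net","192.0.2.10","SRV","ftp","[10/Aug/2001:19:49:29 -0700]","CWD /upload/","250","-","-","-"
"probe.example.net","192.0.2.10","SRV","ftp","[10/Aug/2001:19:49:29 -0700]","MKD probe2","550","-","-","-"
"probe.example.net","192.0.2.10","SRV","ftp","[10/Aug/2001:19:49:30 -0700]","CWD /tmp/","550","-","-","-"
"mirror.example.org","198.51.100.7","SRV","ftp","[10/Aug/2001:20:01:00 -0700]","PASS user@example.org","230","-","-","-"
"mirror.example.org","198.51.100.7","SRV","ftp","[10/Aug/2001:20:01:02 -0700]","CWD /upload/","250","-","-","-"
"mirror.example.org","198.51.100.7","SRV","ftp","[10/Aug/2001:20:01:05 -0700]","RETR README","226","-","-","-"
'''

# Constructed syslog-style sample in the shape of the second quoted post (hosts are placeholders).
SYSLOG_LOG = """\
Aug 20 07:58:28 ds ftpd[7527]: connection from client-a.example.net
Aug 20 07:58:29 ds ftpd[7527]: ANONYMOUS FTP LOGIN FROM client-a.example.net, guest@here.com
Aug 20 07:58:30 ds ftpd[7527]: mkdir 010820012936p
Aug 20 09:12:01 ds ftpd[7601]: connection from client-b.example.net
Aug 20 09:12:02 ds ftpd[7601]: ANONYMOUS FTP LOGIN FROM client-b.example.net, someone@example.org
"""

# One normalised log event: status is the FTP reply code as a string, anon marks an anonymous session.
Event = namedtuple("Event", "client time cmd arg status anon")


def parse_csv_log(text):
    """One Event per CSV record; the user column 'ftp' or 'anonymous' marks an anonymous session."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7:
            continue
        _host, ip, _server, user, ts, cmdline, status = row[:7]
        cmd, _, arg = cmdline.partition(" ")
        when = datetime.strptime(ts.strip("[]"), "%d/%b/%Y:%H:%M:%S %z")
        events.append(Event(ip, when, cmd, arg, status, user in ("ftp", "anonymous")))
    return events


SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ftpd\[(\d+)\]: (.*)$")


def parse_syslog(text):
    """One Event per ftpd syslog line; the pid ties later lines to their 'connection from' line."""
    events, client_by_pid = [], {}
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, pid, msg = m.groups()
        when = datetime.strptime(ts, "%b %d %H:%M:%S")  # syslog carries no year
        client = client_by_pid.get(pid, "?")
        if msg.startswith("connection from "):
            client_by_pid[pid] = msg[len("connection from "):]
        elif msg.startswith("ANONYMOUS FTP LOGIN FROM "):
            events.append(Event(client, when, "PASS", "", "230", True))
        elif msg.startswith("mkdir "):
            # Assumption: ftpd logs 'mkdir' only after creating the directory, so record it as 257.
            events.append(Event(client, when, "MKD", msg[len("mkdir "):], "257", True))
    return events


def find_probes(events, min_cwd=5, window_seconds=300):
    """Per-client summary. 'suspicious' needs an anonymous session that, within the
    window, either attempted MKD or walked at least min_cwd probe directories."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev.client].append(ev)
    findings = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e.time)
        cwd = [e for e in evs if e.cmd == "CWD" and e.arg in PROBE_DIRS]
        mkd = [e for e in evs if e.cmd == "MKD"]
        span = (evs[-1].time - evs[0].time).total_seconds()
        anon = any(e.anon for e in evs)
        findings[client] = {
            "anonymous": anon,
            "cwd_probes": len(cwd),
            "dirs_found": sorted(e.arg for e in cwd if e.status == "250"),  # CWD succeeded
            "mkd_attempts": len(mkd),
            "mkd_succeeded": sum(1 for e in mkd if not e.status.startswith("5")),
            "span_seconds": span,
            "suspicious": anon and span <= window_seconds and (bool(mkd) or len(cwd) >= min_cwd),
        }
    return findings


def analyze_all():
    """Run both parsers over the constructed samples and merge the per-client findings."""
    return find_probes(parse_csv_log(CSV_LOG) + parse_syslog(SYSLOG_LOG))


if __name__ == "__main__":
    for client, f in analyze_all().items():
        print(client, f)
```

Two fields matter more than the alert itself: `dirs_found` lists the directories the anonymous user could actually enter, and `mkd_succeeded` counts directory creations that were not refused. A run of 550s, as in the quoted log, is only evidence for the abuse report; a 257 means the server is offering anonymous write access somewhere and that permission is what needs fixing.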
