Re: ftp scanning

From: jr Reid (unix-freak@excite.com)
Date: 03/30/02


From: unix-freak@excite.com (jr Reid)
Date: 30 Mar 2002 05:56:19 -0800

Luke Vogel <luke@bell-bird.com.au> wrote in message news:<3CA59AAF.91EC6925@bell-bird.com.au>...
> David Schlecht wrote:
> >
> > Hi All,
> >
> > I run a Linux box behind a firewall. I'm running ProFTP v1.2.
>
> There were vulnerable versions of proftpd 1.2.0pre?
>
> > I've recently tightened down the firewall and started logging
> > failed FTP attempts. I'm absolutely astonished at the number
> > of failed attempts. I must get between 10 and 25 each day.
> >
> > I'm also monitoring port 111 (among others) and get about
> > half as many hits to this port.
> >
> > These don't seem like run-of-the-mill port scans since the same
> > source IP doesn't usually hit both the ports in question. That's making
> > the brash assumption that the source IPs aren't spoofed.
>
> no, perhaps not, but they may be coming from compromised hosts.
>
> > The FTP server didn't allow anonymous login before so I'm surprised at
> > the amount of traffic.
>
> They are not specifically looking for you ... they scan a whole net
> block looking for vulnerable "targets".
>
> > 1. Any ideas what's going on here?
>
> It is probably a number of skript kiddies (not necessarily related)
> doing a net block scan for a number of vulnerable daemons.
>
> > 2. Would this list of source IPs be of any value to Internet
> > security investigators?
>
> You would be wasting your time and theirs ... it is not illegal to
> perform port scans
>
> --
> Regards
> Luke
> ------
> Q: What does FAQ stand for?
> A: We are Frequently Asked this Question, and we have no idea.
> ------
> C.O.L.S FAQ - http://www.linuxsecurity.com/docs/colsfaq.html
> Note: Remove NOSPAM from my return address if necessary
> ------

True, it's not illegal to port scan, but many ISPs will not tolerate
it. I know that first hand, as I too see many, many input DENYs on my
firewall in the course of the day. I've written a script that will
alert me if I have someone scanning me. I then send the log to the
ISP. Many people have had to find another ISP because of this. When a
port probe comes from Israel or Hong Kong....or wherever...then
Hello!!!...Is this node just trying to non-maliciously find out what
friendly services are being offered from my node?...lol.
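
An added example, not the poster's script and not part of the original thread: one way to turn firewall "input DENY" log lines into a per-source summary that separates single-service probes (only port 21, or only port 111, as the original question describes) from multi-port scans. The ipchains-style log format, the sample lines, the addresses and the threshold of three ports are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ipchains "Packet log" format (assumed; the
# post only says "input DENYs"). Addresses are from documentation ranges.
SAMPLE_LOG = """\
Mar 30 05:12:01 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4021 192.0.2.10:21 L=60 S=0x00 I=5123 F=0x4000 T=52 SYN (#3)
Mar 30 05:12:04 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4021 192.0.2.10:21 L=60 S=0x00 I=5124 F=0x4000 T=52 SYN (#3)
Mar 30 06:40:17 fw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.23:812 192.0.2.10:111 L=84 S=0x00 I=901 F=0x0000 T=49 (#5)
Mar 30 07:02:30 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.50:3300 192.0.2.10:22 L=60 S=0x00 I=77 F=0x4000 T=60 SYN (#1)
Mar 30 09:15:00 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.200:2200 192.0.2.10:21 L=60 S=0x00 I=10 F=0x4000 T=47 SYN (#3)
Mar 30 09:15:00 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.200:2201 192.0.2.10:23 L=60 S=0x00 I=11 F=0x4000 T=47 SYN (#3)
Mar 30 09:15:01 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.200:2202 192.0.2.10:111 L=60 S=0x00 I=12 F=0x4000 T=47 SYN (#3)
"""

LINE_RE = re.compile(
    r"Packet log: input DENY \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

def parse_denies(text):
    """Yield (source_ip, protocol_number, dest_port) for each input DENY line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:  # ACCEPT lines and unrelated syslog noise are skipped
            yield m["src"], int(m["proto"]), int(m["dport"])

def summarize(text, scan_threshold=3):
    """Group denied packets by source and classify each source.

    A source that touched scan_threshold or more distinct destination ports
    is labelled 'port scan'; fewer ports is labelled 'service probe'.
    """
    ports, hits = defaultdict(set), defaultdict(int)
    for src, _proto, dport in parse_denies(text):
        ports[src].add(dport)
        hits[src] += 1
    return {
        src: {"kind": "port scan" if len(p) >= scan_threshold else "service probe",
              "ports": sorted(p), "hits": hits[src]}
        for src, p in ports.items()
    }

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:15} {info['kind']:13} hits={info['hits']} ports={info['ports']}")
```

Source addresses in such a summary are only as trustworthy as the packets themselves; as the quoted reply notes, they may belong to compromised hosts.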


