Security Incidents mailing list archives

Re: FTP connection attempts
From: Chris.Adams () UK WORLDONLINE COM (Chris Adams)
Date: Fri, 24 Mar 2000 10:18:02 -0000


Looks to me like someone with an FTP program that auto-retries, such as
Terrapin FTP.

If you don't support anonymous logins and the FTP client is set to login as
anonymous, it'll keep retrying every time your ftp server closes the
connection for invalid login.

With programs that do this you can rack up an awful lot of connection
attempts in the space of a few minutes.

That's my gut feeling anyway.

Chris.

-----Original Message-----
From: JF Prieur [mailto:jfp51 () EBEING COM]
Sent: 23 March 2000 22:03
To: INCIDENTS () SECURITYFOCUS COM
Subject: FTP connection attempts

Hello,

Being a relative newbie to the security scene, I have had this person trying
to log in to our ftp server for a few hours now. Now I don't want to be
overly paranoid but is this someone just trying to log in or are there any
other sinister things I should be worrying about:

Running Serv-U FTP 2.5d on NT 4/sp6a

Excerpt from log file:
[5] Thu 23Mar00 12:18:10 - (000043) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:18:12 - (000043) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:18:17 - (000043) Closing connection
[5] Thu 23Mar00 12:18:19 - (000044) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:18:19 - (000044) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:18:29 - (000044) Closing connection
[5] Thu 23Mar00 12:18:34 - (000045) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:18:34 - (000045) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:18:40 - (000045) Closing connection
[5] Thu 23Mar00 12:18:45 - (000046) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:18:45 - (000046) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:18:52 - (000046) Closing connection
[5] Thu 23Mar00 12:18:57 - (000047) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:18:57 - (000047) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:19:05 - (000047) Closing connection
[5] Thu 23Mar00 12:19:07 - (000048) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:19:07 - (000048) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:19:13 - (000048) Closing connection
[5] Thu 23Mar00 12:19:29 - (000049) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:19:29 - (000049) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:19:36 - (000049) Closing connection
[5] Thu 23Mar00 12:19:41 - (000050) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:19:41 - (000050) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:19:52 - (000050) Closing connection
[5] Thu 23Mar00 12:19:58 - (000051) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:19:58 - (000051) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:20:10 - (000051) Closing connection
[5] Thu 23Mar00 12:20:16 - (000052) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:20:16 - (000052) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:20:31 - (000052) Closing connection
[5] Thu 23Mar00 12:20:38 - (000053) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:20:38 - (000053) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:20:50 - (000053) Closing connection
[5] Thu 23Mar00 12:20:56 - (000054) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:20:56 - (000054) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:21:04 - (000054) Closing connection
[5] Thu 23Mar00 12:21:10 - (000055) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:21:10 - (000055) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:21:18 - (000055) Closing connection
[5] Thu 23Mar00 12:21:20 - (000056) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:21:20 - (000056) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:21:33 - (000056) Closing connection
[5] Thu 23Mar00 12:21:40 - (000057) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:21:40 - (000057) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:22:14 - (000058) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:22:14 - (000058) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:22:18 - (000057) Closing connection
[5] Thu 23Mar00 12:22:25 - (000058) Closing connection
[5] Thu 23Mar00 12:22:31 - (000059) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:22:31 - (000059) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:22:41 - (000059) Closing connection
[5] Thu 23Mar00 12:22:44 - (000060) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:22:44 - (000060) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:22:53 - (000060) Closing connection
[5] Thu 23Mar00 12:22:58 - (000061) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:22:58 - (000061) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:23:06 - (000061) Closing connection
[5] Thu 23Mar00 12:23:09 - (000062) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:23:09 - (000062) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:23:18 - (000062) Closing connection
[5] Thu 23Mar00 12:23:22 - (000063) Connected to 193.68.10.73 (Local address
10.x.x.x)
[5] Thu 23Mar00 12:23:22 - (000063) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:23:28 - (000063) Closing connection

and on and on. I've blacklisted 193.68.10.* and anyways, I don't allow
anonymous connections. Should I be doing anything else? I fired off an email
to digsys.bg

Thanks
JF Prieur, MCSE
Benevolent Network Dictator
e being communications inc.

The year before I was born we walked on the moon,
now 31 years later it is considered a modern feat of
science to grow tomatoes in low earth orbit.
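
The auto-retry reading in the reply above can be checked against a log like this one by pairing each "Connected" and "Closing connection" line on its session number and measuring how long sessions last and how quickly the same address reconnects. The following is an added example, not part of the original thread or of Serv-U; the function name and the thresholds (60 seconds, 3 sessions) are assumptions chosen for illustration, and the sample lines are copied from the excerpt with wrapped lines rejoined.

```python
import re
from collections import defaultdict
from datetime import datetime

# First three sessions from the log excerpt in the post (wrapped lines rejoined).
SAMPLE = """\
[5] Thu 23Mar00 12:18:10 - (000043) Connected to 193.68.10.73 (Local address 10.x.x.x)
[5] Thu 23Mar00 12:18:12 - (000043) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:18:17 - (000043) Closing connection
[5] Thu 23Mar00 12:18:19 - (000044) Connected to 193.68.10.73 (Local address 10.x.x.x)
[5] Thu 23Mar00 12:18:19 - (000044) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:18:29 - (000044) Closing connection
[5] Thu 23Mar00 12:18:34 - (000045) Connected to 193.68.10.73 (Local address 10.x.x.x)
[5] Thu 23Mar00 12:18:34 - (000045) IP-Name: RAZGRAD73.PIP.DIGSYS.BG
[5] Thu 23Mar00 12:18:40 - (000045) Closing connection
"""

LINE = re.compile(r"\[\d+\] \w{3} (\d{2}\w{3}\d{2} \d{2}:\d{2}:\d{2}) - \((\d+)\) (.*)")

def summarize(log_text, max_session=60, max_gap=60, min_sessions=3):
    """Per source IP: session count, longest session, longest close->reconnect gap,
    and whether the cadence matches a client reconnecting in a tight loop."""
    opened, src_of = {}, {}          # session id -> connect time / source IP
    sessions = defaultdict(list)     # source IP -> [(connect, close), ...]
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                 # tail of a wrapped line, or unrelated text
        ts = datetime.strptime(m.group(1), "%d%b%y %H:%M:%S")
        sid, msg = m.group(2), m.group(3)
        if msg.startswith("Connected to "):
            opened[sid], src_of[sid] = ts, msg.split()[2]
        elif msg.startswith("Closing connection") and sid in opened:
            sessions[src_of[sid]].append((opened.pop(sid), ts))
    report = {}
    for ip, pairs in sessions.items():
        pairs.sort()
        durations = [(c - o).total_seconds() for o, c in pairs]
        gaps = [(pairs[i + 1][0] - pairs[i][1]).total_seconds()  # < 0 if sessions overlap
                for i in range(len(pairs) - 1)]
        report[ip] = {
            "sessions": len(pairs),
            "max_session_s": max(durations),
            "max_gap_s": max(gaps, default=0.0),
            "retry_loop": (len(pairs) >= min_sessions
                           and max(durations) <= max_session
                           and max(gaps, default=0.0) <= max_gap),
        }
    return report
```

The result describes connection cadence only; the excerpt does not record which user name was offered, so the server's command-level log is still needed to see what each session attempted.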

