Security Incidents: Re: big increase in ftp scanning

[Gregory A Lundberg <lundberg () VR NET>]

> > i've seen a ton of ftp scans in the last week.
I've seen a few over the past several months.  Mostly one or two sites a
day, two or three days a week.  Frankly, it wasn't enough of an increase
following the hack earlier this year to get me interested.

> > they have come from:
> >
> > 62.226.217.222 (p3EE2D9DE.dip.t-dialin.net)
> > 64.209.232.25 (isengard.iad4.gctr.net)
> > 62.20.37.140 (basecamp.gotland.se)
> > 24.28.122.195 (cs28122-195.houston.rr.com)
> > 24.162.74.203 (cs16274-203.austin.rr.com)
I'm seeing a lot more geographic dispersion, but the clusters are Pacific
rim (mainly China and Japan), and the Pacific coast of US.

> As for these type of scans, looks like they are world wide and are
> mainly targeted at Linux.
My honeypot says most of them are just scanning.  The few that try a crack
are using the broken, published crack instead of taking the time to fix it.
Interestingly, the crack attempts are pretty fairly distributed over the
historical cracks; while the latest is the most common, it's not much more
common that older attacks.  So I'm guessing most of this activity is
clueless script kids.