G'day.
Had our whole IP block ftp portscanned today by 212.170.17.235
inetnum: 212.170.0.0 - 212.170.15.255
netname: TTDNET
descr: Telefonica Data Espana (NCC#1999085999 )
descr: Red de servicios IP
descr: Spain
country: ES
admin-c: IM2505-RIPE
tech-c: IM2505-RIPE
status: ASSIGNED PA
mnt-by: MAINT-AS3352
The 2 active ftp servers generated these logs......
314638 09/06/00 09:32:45 ftp-proxy[669] No access to command MKD . BJBZ from 212.170.17.235
314648 09/06/00 09:32:50 ftp-proxy[670] No access to command MKD . BJBZ from 212.170.17.235
314658 09/06/00 09:32:51 ftp-proxy[670] No access to command MKD . BJBZ from 212.170.17.235
314668 09/06/00 09:32:55 ftp-proxy[669] No access to command MKD . BJBZ from 212.170.17.235
314678 09/06/00 09:32:56 ftp-proxy[669] No access to command MKD . BJBZ from 212.170.17.235
314698 09/06/00 09:32:58 ftp-proxy[669] No access to command MKD . BJBZ from 212.170.17.235
314708 09/06/00 09:32:58 ftp-proxy[670] No access to command MKD . BJBZ from 212.170.17.235
Looks like an automated script to create a hidden directory, perhaps for warez or
rootkit installation.
Anyone recognize the script that is involved???
Thanks,
Andrew
--
Andrew Cogger andrew_at_innovonics.com.au
Electronics & Software Engineer www.innovonics.com.au
Innovonics Pty Ltd Ph +61 3 9326 7922
121 Arden Street Fx +61 3 9326 7988
North Melbourne Mb 0413 437 461
VIC 3051 PGP Key ID: 0xC546109D
Australia
Received on Sep 06 2000
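
Added example, not part of the original post and not the poster's code: a small triage script that parses ftp-proxy "No access to command" lines in the format quoted above, flags sources that send repeated denied MKD commands inside a short window, and checks a source address against a whois inetnum range before an abuse report is addressed. The function names, the threshold of 3, the 60-second window, the MM/DD/YY reading of the date field and the 192.0.2.10 sample line are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the post's ftp-proxy format; the 192.0.2.10 line is invented.
SAMPLE_LOG = """\
314638 09/06/00 09:32:45 ftp-proxy[669] No access to command MKD . BJBZ from 212.170.17.235
314648 09/06/00 09:32:50 ftp-proxy[670] No access to command MKD . BJBZ from 212.170.17.235
314658 09/06/00 09:32:51 ftp-proxy[670] No access to command MKD . BJBZ from 212.170.17.235
314670 09/06/00 09:40:10 ftp-proxy[671] No access to command MKD upload from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^\d+ (?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) ftp-proxy\[\d+\] "
    r"No access to command (?P<cmd>[A-Z]+) (?P<arg>.*) from (?P<src>[\d.]+)$")

def denied_commands(log_text):
    """Yield (timestamp, command, argument, source) for each denied-command line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # date order MM/DD/YY is an assumption, see lead-in
            ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S")
            yield ts, m["cmd"], m["arg"], m["src"]

def flag_sources(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {source: peak count} where denied MKDs reach threshold inside window."""
    by_src = defaultdict(list)
    for ts, cmd, _arg, src in denied_commands(log_text):
        if cmd == "MKD":
            by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged

def in_inetnum(addr, first, last):
    """True if addr lies inside the inclusive whois inetnum range first..last."""
    return (ipaddress.ip_address(first) <= ipaddress.ip_address(addr)
            <= ipaddress.ip_address(last))

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))
```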