Security Incidents: RE: ano () ano com ftpd dip.t-dialin.net

["Bojan Zdrnja" <Bojan.Zdrnja () FER hr>]

> -----Original Message-----
> From: Moo [mailto:fras () nbnet nb ca]
> Sent: 6. studeni 2002 22:44
> To: Owen McCusker; incidents () securityfocus com
> Subject: Re: ano () ano com ftpd dip.t-dialin.net
>
>
> On November 6, 2002 09:50 pm, Owen McCusker wrote:
> well they could be doing speed tests on your site to see if
> they want to use
> it as PUB distro for warez.
I think you are (partially :) right.
This is probably some automated tool which scans available anonymous ftp
servers and uploads a file to it.
As far as I can see, they usually use 1000000 bytes file to do a speed test,
at least that was the case on servers I manage. In this case I believe they
are looking only for "open" anonymous ftp servers as (in this case) they
transfer only small files which are not enough to test speed, and from
dial-up/DSL lines.
Speed testing is usually done to some other server (which they already
found) which is on a fast line.

I get loads of anonymous ftp connects on my ftp server, although anonymous
login is forbidden. Logs are like this one:

Nov  8 08:06:52 my_server proftpd[10693]: my_server
(213-140-20-183.fastres.net[213.140.20.183]) - FTP session opened.
Nov  8 08:06:52 my_server proftpd[10693]: my_server
(213-140-20-183.fastres.net[213.140.20.183]) - no such user 'anonymous'
Nov  8 08:06:52 my_server proftpd[10693]: my_server
(213-140-20-183.fastres.net[213.140.20.183]) - FTP session closed.

I'd recommend closing anonymous logins (unless you *really* need it) and
using tcp wrappers on ftp server to deny connections.

Best regards,

Bojan Zdrnja


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com