Security Incidents mailing list archives

Re: big increase in ftp scanning


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Wed, 1 Nov 2000 11:51:28 +1300

On Mon, 30 Oct 2000 13:15:05 -0500 Gregory A Lundberg <lundberg () VR NET>
wrote:
> My honeypot says most of them are just scanning.  The few that try a crack
> are using the broken, published crack instead of taking the time to fix it.
> Interestingly, the crack attempts are pretty fairly distributed over the
> historical cracks; while the latest is the most common, it's not much more
> common than older attacks.  So I'm guessing most of this activity is
> clueless script kids.

Snort running here confirms this pattern.

One thing has changed.  A year or two back we would see a scan from
some address and then half an hour later exploit attempts.  Now we
almost never see exploit attempts from the same addresses as scans.

Exploit attempts are rare (I would guess one for every 10 ftp scans we
detect) and they usually come 'out of the blue', i.e. no previous
traffic from the address, just a single or occasionally a bunch of sessions
to a single target.

My guess as to what is happening is that the scanning is done from
machines that the crackers are willing to sacrifice since it is a high
profile activity.   Vast ranges of IP space are scanned. The scan logs
are collected, analyzed and targets selected on some other system and
the chosen targets are hit from yet another IP address.  If the
compromise succeeds the telnet session often comes from a third IP.

We often see Linux exploits being tried against our SUNs which
reinforces the notion that most of the activity is from clueless
kiddies.

Cheers, Russell.
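The pattern Russell describes (scans from one address, exploit attempts arriving later from addresses never seen scanning) is easy to measure from IDS alerts. The following is an added example, not code from the original post or from any of the participants: it parses a constructed, simplified alert line format (timestamp, category, source -> destination; real Snort alert files look different and would need their own parser) and, for each FTP exploit attempt, checks whether the same source scanned the site within the preceding 24 hours. The sample alerts are constructed to mirror the post's observation.

```python
"""Correlate FTP scan alerts with later exploit attempts by source address.

Added example, not from the original post. The alert format below is a
constructed, simplified one (timestamp, category, src -> dst); real Snort
alert files differ and would need their own parser.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: one broad scan that is followed by an exploit
# attempt from the same host, and several exploit attempts from addresses
# that never scanned us first ("out of the blue").
SAMPLE_ALERTS = """\
2000-10-30 02:10:05 FTP-SCAN 10.0.0.5 -> 192.0.2.10
2000-10-30 02:10:06 FTP-SCAN 10.0.0.5 -> 192.0.2.11
2000-10-30 02:10:07 FTP-SCAN 10.0.0.5 -> 192.0.2.12
2000-10-30 02:10:08 FTP-SCAN 10.0.0.5 -> 192.0.2.13
2000-10-30 02:40:00 FTP-EXPLOIT 10.0.0.5 -> 192.0.2.12
2000-10-30 09:15:42 FTP-SCAN 10.0.0.9 -> 192.0.2.20
2000-10-30 09:15:43 FTP-SCAN 10.0.0.9 -> 192.0.2.21
2000-10-31 14:02:11 FTP-EXPLOIT 198.51.100.7 -> 192.0.2.12
2000-10-31 14:02:15 FTP-EXPLOIT 198.51.100.7 -> 192.0.2.12
2000-10-31 18:30:00 FTP-EXPLOIT 203.0.113.4 -> 192.0.2.21
"""


def parse_alerts(text):
    """Return a time-sorted list of (timestamp, category, src, dst) tuples."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, clock, category, src, _arrow, dst = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        alerts.append((ts, category, src, dst))
    alerts.sort()
    return alerts


def classify_exploits(alerts, window=timedelta(hours=24)):
    """Split exploit attempts into those whose source scanned us within
    `window` beforehand ("same-source") and those that came out of the blue."""
    scans_by_src = defaultdict(list)  # src -> scan timestamps
    for ts, cat, src, _dst in alerts:
        if cat == "FTP-SCAN":
            scans_by_src[src].append(ts)
    same_source, out_of_blue = [], []
    for ts, cat, src, dst in alerts:
        if cat != "FTP-EXPLOIT":
            continue
        prior = [s for s in scans_by_src.get(src, []) if ts - window <= s < ts]
        (same_source if prior else out_of_blue).append((ts, src, dst))
    return same_source, out_of_blue


def summarize(alerts, window=timedelta(hours=24)):
    """Counts a handler would want: scan/exploit ratio and how many exploit
    attempts could be linked to an earlier scan from the same address."""
    same, blue = classify_exploits(alerts, window)
    n_scans = sum(1 for a in alerts if a[1] == "FTP-SCAN")
    return {
        "scans": n_scans,
        "exploits": len(same) + len(blue),
        # distinct sources, so a burst of sessions from one host counts once
        "exploit_sources": len({src for _, src, _ in same + blue}),
        "same_source_exploits": len(same),
        "out_of_blue_exploits": len(blue),
        "out_of_blue_sources": sorted({src for _, src, _ in blue}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports 6 scans against 4 exploit attempts from 3 distinct sources, of which only one attempt (the 10.0.0.5 one, half an hour after its scan) can be tied back to a scanning address; the other two sources appear out of the blue, which is the behaviour the post describes. Widening or narrowing `window` is the knob to turn if scan-to-exploit delays at a site are longer or shorter than a day.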
