Security Incidents mailing list archives

RE: annoying ftp probes


From: "NESTING, DAVID M (SBCSI)" <dn3723 () sbc com>
Date: Mon, 20 Aug 2001 14:50:57 -0500

I get a ton of these pretty regularly, and it doesn't appear targeted at
"me" specifically.  I have a number of systems logging to a central syslog
daemon, and I will see FTP connection attempts on all of my systems
virtually simultaneously.  This tells me they're scanning netblocks for open
FTP servers (likely parallelized, but still reasonably sequential).  A
decently configured IDS could detect this and block the offender from
further accesses.

I do occasionally have clients on IRC when this happens, but I am never able
to correlate any scan with any user that's been on IRC at any time in the
previous month.  They're probably just plugging in huge netblocks and
letting it run overnight.

Classic script kiddie tool.

David

-----Original Message-----
From: Mike Eheler [mailto:meheler () searchbc com]
Sent: Monday, August 20, 2001 7:22
To: Jason Spence
Cc: incidents () securityfocus com
Subject: Re: annoying ftp probes

It wouldn't be tough to create something like that, anyways. I bet it's 
just part of some "war" IRC script, or something. 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
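The correlation described in the message above (one source touching FTP on many hosts at nearly the same moment in a central syslog) can be sketched as follows. This is an added example, not part of the original thread; the tcp_wrappers-style log format, host names, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of centrally collected syslog lines (tcp_wrappers-style
# "connect from" messages are an assumed format; adjust LINE_RE to your ftpd).
SAMPLE_LOG = """\
Aug 20 03:14:07 web1 in.ftpd[2211]: connect from 203.0.113.5
Aug 20 03:14:07 web2 in.ftpd[1764]: connect from 203.0.113.5
Aug 20 03:14:08 mail1 in.ftpd[903]: connect from 203.0.113.5
Aug 20 03:14:09 db1 in.ftpd[4410]: connect from 203.0.113.5
Aug 20 09:30:12 web1 in.ftpd[2290]: connect from 198.51.100.23
Aug 20 11:02:45 web1 in.ftpd[2301]: connect from 198.51.100.23
Aug 20 16:40:00 web2 in.ftpd[1822]: connect from 198.51.100.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S*ftpd\[\d+\]: "
    r"connect from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

def find_sweeps(log_text, min_hosts=3, window=timedelta(seconds=10), year=2001):
    """Return {source_ip: sorted hosts} for sources that connected to at
    least min_hosts distinct logging hosts within one sliding window."""
    events = defaultdict(list)  # src -> [(timestamp, host)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so one is supplied.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["src"]].append((ts, m["host"]))

    sweeps = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {h for _, h in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                sweeps.setdefault(src, set()).update(hosts)
        if src in sweeps:
            sweeps[src] = sorted(sweeps[src])
    return sweeps

if __name__ == "__main__":
    for src, hosts in find_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept {len(hosts)} hosts: {', '.join(hosts)}")
```

A source flagged this way is a candidate for the kind of blocking the message mentions; repeat visitors to a single host, like the second address in the sample, are not flagged.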

