[Dshield] Top 10 honoree with a fondness for FTP (warez anyone?)

drs. P.B. IJdens p.b.ijdens at nospam.mi4.org.uk
Fri Oct 19 16:00:15 GMT 2001

"Tom Laermans" wrote:
> T-Dialin users come in regularly too, but not as much as that Wanadoo
> user(s)...

Different here. We run a block of 10 ftp servers, and automatically filter
out suspicious connects.

What I noticed is that t-online.de is by far our most frequent 'visitor'...
I attached a small html document with recent suspicious activity.

Top 5:
  1: t-dialin.net          (302 attempts, 30 hosts)
  2: unresolved            (280 attempts)
  3: wanadoo.fr            (40 attempts, from 10 hosts)
  4: aol.com               (30 attempts, from 3 hosts)
  5: telia.com             (20 attempts from 1 host)

Mostly these people try to login as anonymous at microsoft.com,
anonymous at home.com, [Q-Z]gpuser at home.com, etc. Usually the creativity of these
scanning programs goes as far as logging in, noticing a stable version of
the server and logging out. Some try more (like the regexp stuff).

I am considering dropping the server ID at connect just to see what the hell
people are thinking of when they check us out :)

If anyone knows what the [Q-Z]gpuser at home.com thing is about (by far the
most popular) let me know.

Below a random log entry (found this on all ten servers):
    [] UNKNOWN nobody
    [15/Oct/2001:14:59:27 +0200] "USER ftp" 331 -
    [15/Oct/2001:14:59:27 +0200] "PASS mozilla@" 230 -
    [15/Oct/2001:14:59:28 +0200] "SITE EXEC %020d|%.f%.f|" 500 -
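The "SITE EXEC %020d|%.f%.f|" line in the excerpt above carries printf-style conversion specifiers, the tell-tale of a format-string probe against the FTP daemon rather than a legitimate SITE EXEC argument. The Python below is an added example (not part of the post, and not the poster's own filter) of flagging such entries in a transfer log of the layout shown; the sample lines are constructed, three copied from the excerpt plus three benign ones added for contrast, and the field layout assumed is only what those lines show.

```python
import re
from collections import Counter

# Constructed sample: the three lines quoted in the post plus three benign
# lines (a normal anonymous login and a SITE EXEC with a plain argument).
SAMPLE_LOG = """\
[15/Oct/2001:14:59:27 +0200] "USER ftp" 331 -
[15/Oct/2001:14:59:27 +0200] "PASS mozilla@" 230 -
[15/Oct/2001:14:59:28 +0200] "SITE EXEC %020d|%.f%.f|" 500 -
[15/Oct/2001:15:03:10 +0200] "USER anonymous" 331 -
[15/Oct/2001:15:03:11 +0200] "PASS guest@example.net" 230 -
[15/Oct/2001:15:03:12 +0200] "SITE EXEC ls" 500 -
"""

# [timestamp] "COMMAND argument" status - ; the argument never contains a quote.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<cmd>[A-Z]+)(?: (?P<arg>[^"]*))?" (?P<status>\d{3}) '
)
# One printf conversion specifier: %, optional flags/width/precision, conversion char.
FORMAT_SPEC_RE = re.compile(r'%[-+ #0]*\d*(?:\.\d*)?[diouxXeEfgGcspn]')


def parse_line(line):
    """Split one log line into its fields; None if the line has another layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["arg"] = entry["arg"] or ""
    entry["status"] = int(entry["status"])
    return entry


def format_spec_count(text):
    """Number of printf conversion specifiers in a command argument."""
    return len(FORMAT_SPEC_RE.findall(text))


def is_format_string_probe(entry):
    """True for SITE EXEC whose argument carries conversion specifiers.
    An ordinary SITE EXEC argument (a program name, a path) has none."""
    if entry["cmd"] != "SITE":
        return False
    words = entry["arg"].split(None, 1)
    if not words or words[0].upper() != "EXEC":
        return False
    return format_spec_count(words[1] if len(words) > 1 else "") > 0


def scan(log_text):
    """Return (flagged entries, Counter of commands seen) for a log excerpt."""
    flagged, commands = [], Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        commands[entry["cmd"]] += 1
        if is_format_string_probe(entry):
            entry["specifiers"] = format_spec_count(entry["arg"])
            flagged.append(entry)
    return flagged, commands
```

Running scan(SAMPLE_LOG) flags only the third line (three specifiers, status 500); the benign SITE EXEC is left alone, so the rule keys on the argument, not on the command itself.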

