[Dshield] Top 10 honoree with a fondness for FTP (warez anyone?)
drs. P.B. IJdens
p.b.ijdens at nospam.mi4.org.uk
Fri Oct 19 16:00:15 GMT 2001
"Tom Laermans" wrote:
> T-Dialin users come in regularly too, but not as much as that Wanadoo
Different here. We run a block of 10 ftp servers, and automatically filter
out suspicious connects.
What I noticed is that t-online.de is by far our most frequent 'visitor'...
I attached a small html document with recent suspicious activity.
1: t-dialin.net (302 attempts, 30 hosts)
2: unresolved (280 attempts)
3: wanadoo.fr (40 attempts, from 10 hosts)
4: aol.com (30 attempts, from 3 hosts)
5: telia.com (20 attempts from 1 host)
Mostly these people try to log in as anonymous at microsoft.com,
anonymous at home.com, [Q-Z]gpuser at home.com, etc. Usually the creativity of these
scanning programs goes as far as logging in, noticing a stable version of
the server and logging out. Some try more (like the regexp stuff).
I am considering dropping the server ID at connect just to see what the hell
people are thinking of when they check us out :)
If anyone knows what the [Q-Z]gpuser at home.com thing is about (by far the
most popular) let me know.
Below is a random log entry (found this on all ten servers):
126.96.36.199 [188.8.131.52] UNKNOWN nobody
[15/Oct/2001:14:59:27 +0200] "USER ftp" 331 -
[15/Oct/2001:14:59:27 +0200] "PASS mozilla@" 230 -
[15/Oct/2001:14:59:28 +0200] "SITE EXEC %020d|%.f%.f|" 500 -
-------------- next part --------------
An HTML attachment was scrubbed...
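Added example, not part of the original post or the poster's filter: the SITE EXEC argument in the log entry above is made up of printf-style conversion specifiers, and the sketch below flags such commands per session in logs of that layout. The function names, the documentation-range addresses and the second (benign) session are constructed for illustration.

```python
import re

# Constructed sample in the layout of the log entry above. The addresses are
# documentation-range placeholders, not values from the post.
SAMPLE_LOG = """\
192.0.2.10 [192.0.2.10] UNKNOWN nobody
[15/Oct/2001:14:59:27 +0200] "USER ftp" 331 -
[15/Oct/2001:14:59:27 +0200] "PASS mozilla@" 230 -
[15/Oct/2001:14:59:28 +0200] "SITE EXEC %020d|%.f%.f|" 500 -
198.51.100.7 [198.51.100.7] UNKNOWN nobody
[15/Oct/2001:15:02:11 +0200] "USER anonymous" 331 -
[15/Oct/2001:15:02:12 +0200] "PASS user@example.org" 230 -
[15/Oct/2001:15:02:15 +0200] "SITE HELP" 214 -
"""

HOST_RE = re.compile(r'^(\S+) \[(\S+)\] \S+ \S+$')
CMD_RE = re.compile(r'^\[([^\]]+)\] "([A-Za-z]+)(?: (.*))?" (\d{3}) \S+$')
# One printf conversion: %, optional flags, width, precision, conversion char.
FMT_RE = re.compile(r'%[-+ #0]*\d*(?:\.\d*)?[diouxXeEfgGcspn]')

def parse_sessions(text):
    """Group command lines under the host line that precedes them."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if m := HOST_RE.match(line):
            sessions.append({"host": m.group(2), "commands": []})
        elif sessions and (m := CMD_RE.match(line)):
            ts, verb, arg, code = m.groups()
            sessions[-1]["commands"].append((ts, verb.upper(), arg or "", int(code)))
    return sessions

def format_probes(text):
    """Return {host: [(timestamp, specifiers, reply, logged_in), ...]}."""
    hits = {}
    for s in parse_sessions(text):
        logged_in = False
        for ts, verb, arg, code in s["commands"]:
            if verb == "PASS" and code == 230:
                logged_in = True  # a 230 reply means the login was accepted
            if verb == "SITE" and arg.upper().startswith("EXEC "):
                specs = FMT_RE.findall(arg)
                if specs:
                    hits.setdefault(s["host"], []).append((ts, specs, code, logged_in))
    return hits

if __name__ == "__main__":
    for host, rows in format_probes(SAMPLE_LOG).items():
        print(host, *rows, sep="\n  ")
```

The reply code and login state are kept with each hit so that a probe answered with 500 can be told apart from one the server accepted.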