[Dshield] re: Top 10 honoree with a fondness for FTP + more

William Sipila william at osource.com
Fri Oct 19 23:33:54 GMT 2001

i think they look for *anything*.  i've banned them from our webservers
since t-dialin.net & wanadoo.fr used to hit us pretty hard with scans for
cgi/pl/etc; up to every few minutes.  arcor-ip.net is going to be up for
this honor pretty soon too.

the part that gets me is that they would continually scan for same scripts
even after getting a 404.  duh.  it's not going to suddenly appear since it
was last scanned for 20 mins ago.  ;)

speaking of which, many of these scans have a browser string of "Caca".  do
you all think this is a particular tool?  i tried to search for it, but
couldn't find anything -- other than a zillion porn sites.  (sigh)

for example (btw, the destination IP shown is NOT our server...??):
12:54:24 pD951F813.dip.t-dialin.net - GET /index.html - 200 1074 Caca -

also, just a side note/warning, i've been seeing nmap scans against my smtp
port off and on for the last few days.  from snort:

[**] SCAN nmap TCP [**]
10/18-16:59:50.027691 0:0:C5:72:18:2C -> 0:10:5A:9E:BD:F6 type:0x800
len:0x3C -> TCP TTL:47 TOS:0x0 ID:27152 IpLen:20
***A**** Seq: 0xA6  Ack: 0x0  Win: 0x578  TcpLen: 20

	- will

    Lead Developer/SysAdmin, OUTSOURCE Consulting Services, Inc. 
    william at osource.com | www.osource.com 

> Message: 1
> Date: Thu, 18 Oct 2001 12:40:00 -0400
> From: David Allardyce <dave at pod13.com>
> To: dshield at dshield.org
> Subject: [Dshield] Top 10 honoree with a fondness for FTP 
> (warez anyone?)
> Reply-To: dshield at dshield.org
> I am new to this list but I thought this was interesting.  
> The following IPs caught my eye on the Top 10 list.  Looks 
> like someone is looking for warez storage.
> From http://www.dsheild.org/top10.html
> TOP 10
> IP Address Host Name
>   6000/6000   pD95081B3.dip.t-dialin.net
>   5999/5999   pD9054FC7.dip.t-dialin.net
> [SNIP]

More information about the list mailing list