[unisog] lots of ftp on March 12?

Peter Van Epp vanepp at sfu.ca
Thu Mar 14 03:46:18 GMT 2002


	The natives do seem to have been restless yesterday OK. From midnight
to midnight all of these folks scanned one or more of our class Cs (no 
particular activity on our class B, it was all in our various C ranges) for 
ftp:

64.231.92.19
67.81.163.108
213.26.63.195
211.114.59.145
193.120.211.29
80.134.17.223
213.198.148.130
80.14.78.238
217.230.100.12
67.40.41.141
61.59.19.61
217.136.110.208

	I'm not sure if this is abnormal or not because on any given day I can
usually find 15 to 20 port scans in the argus logs if I look for them. I 
haven't detected any problems in the last couple of weeks though (there were
a handful of compromises a couple of weeks ago, most of whom are still trying
to regain their network connection ...)
	I did come across what I believe is the same radio station program that
Andrew reported on a number of weeks ago that was happily using our (large)
bandwith to redistribute itself to a wide range of other folks about the 
net on Monday (quickly shut down when the user was notified they were serving
half the net as well as themselves :-)). A gigabyte of traffic in 3 or 4 hours
showed up quite well in the traffic report.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


> 
> 
> Did anyone else see _lots_ of ftp probes yesterday (March 12th)?
> We've got what appear to be coordinated scans of one of our class Bs
> from about 10 external hosts.  Weird.  AFACIT, there wasn't
> anything special about the probes...
> 
> 
> Pat Wilson
> Network Security Manager
> UCSD ACS/Network Operations
> paw at ucsd.edu
> 6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015
> 



More information about the unisog mailing list