[unisog] Previous Thread on Increased Probes

Reg Quinton reggers at ist.uwaterloo.ca
Fri Jul 23 18:33:00 GMT 2004


 > Is this what others were seeing, an attack on port 23?  Has anyone
> determined the purpose of this flood?

I am seeing a lot of scans of late for ftp, telnet and ssh. I know the bad
guys are doing password guessing on those services. The ssh probes of late
have been testing for "test" and "guest" accounts. There was some
information about the ftp scanning in the diary at http://isc.sans.org/ I
assume the bad guys are doing the same on telnet.

If you have users with dumb passwords, and who doesn't, the bad guys will
find them. We block finger because we don't want bad guys to enumerate
accounts and then attack what they've enumerated. But finding account names
is easy enough by other means..... spammers have lots of email addresses.





More information about the unisog mailing list