I have also noticed a large increase in anonymous FTP attempts from
various IPs.  Seems as though they don't care that they're being
rejected, they just keep trying then eventually give up.  This seems to
have ramped up over the past week.  This weekend was very high (sorry, I
don't have numbers yet).  Any insight'd be helpful - I'll check CERT and
all...

~Spanky

> -----Original Message-----
> From: Lorenz Inglin [mailto:[EMAIL PROTECTED]]
> Sent: Monday, October 01, 2001 10:57 AM
> To: [EMAIL PROTECTED]
> Subject: Increasing amount of ftp 'anonymous' attempts
>
>
> Hi
>
> <Disclaimer> First I want to apologize for my bad English. If this question
> has been posted before (and I missed it), accept my apologies one more time
> :o) </disclaimer>
>
> For a few days now I have been seeing an increasing number of attempts to
> connect to my ftp-server as anonymous user (which of course is rejected).
> Different sources from all over the world. Is there an actual
> worm/exploit/other issue for ftp servers (I run proftp 1.2.1) or any idea
> why suddenly the attempts are increasing? Anything to be worried about?
>
> One IP also did a stealth scan (according to snort), what do you think, is
> this worth a complaint (isp)?
>
> Lorenz Inglin
>
> -----------------
> Some examples:
>
> Sep 30 06:39:55 svfile proftpd[26373]: svfile (64.230.106.47[64.230.106.47]) - FTP session opened.
> Sep 30 06:39:55 svfile proftpd[26373]: svfile (64.230.106.47[64.230.106.47]) - no such user 'anonymous'
> Sep 30 06:39:55 svfile proftpd[26373]: svfile (64.230.106.47[64.230.106.47]) - USER anonymous (Login failed): Can't find user.
> Sep 30 06:39:55 svfile snort[25609]: [1:0:0]  IDS364/ftp_ftp-bad-login [Classification: failed system integrity attempt   Priority: 5]: 192.168.1.2:21 -> 64.230.106.47:3975
> Sep 30 06:39:56 svfile snort[25609]: [1:0:0]  IDS364/ftp_ftp-bad-login [Classification: failed system integrity attempt   Priority: 5]: 192.168.1.2:21 -> 64.230.106.47:3975
> Sep 30 06:39:56 svfile proftpd[26373]: svfile (64.230.106.47[64.230.106.47]) - FTP session closed.
> Sep 30 06:39:56 svfile snort[25609]: [1:0:0]  IDS364/ftp_ftp-bad-login [Classification: failed system integrity attempt   Priority: 5]: 192.168.1.2:21 -> 64.230.106.47:3975
> Sep 30 17:31:35 svfile proftpd[27243]: svfile (192.118.6.32[192.118.6.32]) - FTP session opened.
> Sep 30 17:31:37 svfile proftpd[27243]: svfile (192.118.6.32[192.118.6.32]) - no such user 'anonymous'
> Sep 30 17:31:38 svfile proftpd[27243]: svfile (192.118.6.32[192.118.6.32]) - USER anonymous (Login failed): Can't find user.
> Sep 30 17:31:38 svfile snort[25609]: [1:0:0]  IDS364/ftp_ftp-bad-login [Classification: failed system integrity attempt   Priority: 5]: 192.168.1.2:21 -> 192.118.6.32:15619
> Sep 30 17:31:39 svfile snort[25609]: [1:0:0]  IDS364/ftp_ftp-bad-login [Classification: failed system integrity attempt   Priority: 5]: 192.168.1.2:21 -> 192.118.6.32:15619
> Sep 30 17:31:39 svfile proftpd[27243]: svfile (192.118.6.32[192.118.6.32]) - FTP session closed.
> Sep 30 17:31:39 svfile snort[25609]: [1:0:0]  IDS364/ftp_ftp-bad-login [Classification: failed system integrity attempt   Priority: 5]: 192.168.1.2:21 -> 192.118.6.32:15619
> Oct  1 04:56:56 svfile proftpd[28227]: svfile (192.220.128.24[192.220.128.24]) - FTP session opened.
> Oct  1 04:56:56 svfile proftpd[28227]: svfile (192.220.128.24[192.220.128.24]) - FTP session closed.
> Oct  1 08:38:30 svfile proftpd[28501]: svfile (63.205.42.131[63.205.42.131]) - FTP session opened.
> Oct  1 08:38:31 svfile proftpd[28501]: svfile (63.205.42.131[63.205.42.131]) - no such user 'anonymous'
> Oct  1 08:38:31 svfile proftpd[28501]: svfile (63.205.42.131[63.205.42.131]) - USER anonymous (Login failed): Can't find user.
> Oct  1 08:38:31 svfile snort[28258]: [1:0:0]  IDS364/ftp_ftp-bad-login [Classification: failed system integrity attempt   Priority: 5]: 192.168.1.2:21 -> 63.205.42.131:1687
> Oct  1 08:38:31 svfile snort[28258]: [1:0:0]  IDS364/ftp_ftp-bad-login [Classification: failed system integrity attempt   Priority: 5]: 192.168.1.2:21 -> 63.205.42.131:1687
> Oct  1 08:38:31 svfile proftpd[28501]: svfile (63.205.42.131[63.205.42.131]) - FTP session closed.
> Oct  1 08:38:32 svfile snort[28258]: [1:0:0]  IDS364/ftp_ftp-bad-login [Classification: failed system integrity attempt   Priority: 5]: 192.168.1.2:21 -> 63.205.42.131:1687
>
>
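
Added example, not part of either poster's message: one way to turn proftpd syslog entries like those quoted above into per-day numbers, counting failed 'anonymous' logins per source and separating sessions that open and close without sending USER. The function name summarize and the sample lines (documentation-range addresses) are constructed for illustration, and each log entry is assumed to sit on one line.

```python
import re
from collections import defaultdict

# proftpd syslog entry in the layout shown in the thread, one entry per line.
LINE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) [\d:]{8} \S+ proftpd\[(?P<pid>\d+)\]: \S+ "
    r"\((?P<ip>[\d.]+)\[[\d.]+\]\) - (?P<msg>.*)$"
)

# Constructed sample input (RFC 5737 documentation addresses, not real hosts).
SAMPLE = """\
Sep 30 06:39:55 svfile proftpd[26373]: svfile (192.0.2.47[192.0.2.47]) - FTP session opened.
Sep 30 06:39:55 svfile proftpd[26373]: svfile (192.0.2.47[192.0.2.47]) - no such user 'anonymous'
Sep 30 06:39:55 svfile proftpd[26373]: svfile (192.0.2.47[192.0.2.47]) - USER anonymous (Login failed): Can't find user.
Sep 30 06:39:56 svfile proftpd[26373]: svfile (192.0.2.47[192.0.2.47]) - FTP session closed.
Oct  1 04:56:56 svfile proftpd[28227]: svfile (198.51.100.24[198.51.100.24]) - FTP session opened.
Oct  1 04:56:56 svfile proftpd[28227]: svfile (198.51.100.24[198.51.100.24]) - FTP session closed.
Oct  1 08:38:30 svfile proftpd[28501]: svfile (203.0.113.131[203.0.113.131]) - FTP session opened.
Oct  1 08:38:31 svfile proftpd[28501]: svfile (203.0.113.131[203.0.113.131]) - USER anonymous (Login failed): Can't find user.
Oct  1 08:38:31 svfile snort[28258]: [1:0:0]  IDS364/ftp_ftp-bad-login 192.0.2.1:21 -> 203.0.113.131:1687
Oct  1 08:38:31 svfile proftpd[28501]: svfile (203.0.113.131[203.0.113.131]) - FTP session closed.
""".splitlines()

def summarize(lines):
    """Per day: failed anonymous logins per source IP, and connect-only sources."""
    failed = defaultdict(lambda: defaultdict(int))  # day -> ip -> attempts
    saw_user = {}                                   # (pid, ip) -> USER sent yet?
    probes = defaultdict(set)                       # day -> ips that never sent USER
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                                # snort and other daemons
        day = " ".join(m["day"].split())            # "Oct  1" -> "Oct 1"
        key, msg = (m["pid"], m["ip"]), m["msg"]
        if msg.startswith("FTP session opened"):
            saw_user[key] = False
        elif msg.startswith("USER "):
            saw_user[key] = True
            # The paired "no such user 'anonymous'" entry is the same attempt,
            # so only the "USER anonymous (Login failed)" entry is counted.
            if msg.startswith("USER anonymous (Login failed)"):
                failed[day][m["ip"]] += 1
        elif msg.startswith("FTP session closed") and saw_user.pop(key, True) is False:
            probes[day].add(m["ip"])
    return ({d: dict(v) for d, v in failed.items()},
            {d: sorted(v) for d, v in probes.items()})

if __name__ == "__main__":
    print(summarize(SAMPLE))
```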
