At 07:57 PM 10/01/2001 +0200, Lorenz Inglin wrote: >Since a few days I can see an increasing number of attempts to connect to my >ftp-server as anonymous user (which of course is rejected). Different >sources from all over the world. Is there an actual worm/exploit/other issue >for ftp servers (I run proftp 1.2.1) or any idea why suddenly the attempts >are increasing? Anything to be worried about?
There are issues with older versions of proftpd and wu-ftp. They are several months old by this point, but that never stops the script kiddies from scanning for them. Mostly this manifests itself as portscans on port 21, but I've also recently seen huge numbers of attempts to log on as various non-existant or anonymous accounts. Our MIS department recently claimed there was an exploit out for the FTP service that bundles with IIS 4 and IIS 5, but I haven't seen any information on that anywhere. The recent change it FTP attack patterns may be related. Assuming you kept up with the CERT advisories for proftpd, it's probably nothing to worry about. Of course, that doesn't mean you can't drop a friendly notice to the ISP(s) involved, but I wouldn't expect a whole lot of action to be taken against users trying to log into an FTP server as the standard anonymous user. --K
