[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [cobalt-security] Is this coincidence or what - FTP Scans

proftpd[26249]: xxx.xx.xx.x(ALille-201-2-2-141.abo.wanadoo.fr[193.252.194.141]) - FTP session opened.
proftpd[26249]: xxx.xx.xx.x(ALille-201-2-2-141.abo.wanadoo.fr[193.252.194.141]) - FTP session closed.
I get hit from wanadoo as well. When the logs say FTP session opened and then closed right after it, are they making a connection in? I have annonymous FTP turn off... 

Any words of advice?






From: David Lucas <david@xxxxxxxxxxxxxxxx>
Reply-To: cobalt-security@xxxxxxxxxxxxxxx
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-security] Is this coincidence or what - FTP Scans
Date: Tue, 16 Oct 2001 23:16:08 -0500

At 10:46 PM 10/16/2001, you wrote:


>(pD9526130.dip.t-dialin.net[217.82.97.48]) - USER anonymous
>(Login failed): Can't find user. Oct 16 04:40:59 ns
>proftpd[3308]: xxxxxxxxxx
>(pD9526130.dip.t-dialin.net[217.82.97.48]) - USER anonymous
>(Login failed): Can't find user. Oct 16 04:40:59 ns
>proftpd[3305]: xxxxxxxxxx

This is the same IP and Network that scans my raq4r on a daily basis.
Perhaps they like scanning and attempting ftp login on Aussies and
Kiwi's.

I have not had any malicious damage from them (that I can see)

Regards (from Australia)
Tim Lawson


The two most common I see are dip.t-dialin.net and abo.wanadoo.fr
I get some of the same ips and some different.  But them over and over.

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security



_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp