RE: [cobalt-security] Is this coincidence or what - FTP Scans

[Graeme Fowler <graeme.fowler@xxxxxxxxxxxxxx>]

Simon Wilson wrote:
> I also get a lot of scans and most ftp connections from 
> dip.t-dialin.net and wanadoo. If this is widespread, can
> we not collectively do something about it? Both
> dip.t-dialin.net and wanadoo ignore (or at least 
> don't acknowledge) reports of this, even if you complain
> that they are repeated attempts (I don't bother with
> reporting unless the offender repeatedly does it).

It's all automated. Welcome to the land of broadband - Deutsche Telekom and
many other European providers have gone for ADSL in a big way, and sadly
there are a lot of leeches out there who are making damn good use of it.

There's a program kicking around - I forget what it's called - which scans
netblocks for FTP, attempts anonymous connections, if it gets one it
immediately tries a one or two megabyte upload and again, if successful it
reports back into a table with all the speeds.

The operator then picks a machine and uploads all manner of crap to it -
DivX/VCD videos, porn, W4r3z and so on. They then 'privately' advertise this
to other leeches over IRC and suddenly: BOOM - your data transfer goes
through the roof.

It affects Windows machines running IIS FTP service mainly, because
out-of-the-box it has Anonymous access enabled. Out-of-the-box, the default
FTPRoot directory is world writeable. You work it out ;-)

Just ignore it. Or at least, grow to tolerate it, because you'll be seeing
more of it in future :(

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC