RE: ano@ano.com ftpd dip.t-dialin.net

From: Bojan Zdrnja <Bojan.Zdrnja(at)FER.hr>
Date: Fri Nov 08 2002 - 02:42:49 EST

> -----Original Message-----
> From: Moo [mailto:fras@nbnet.nb.ca]
> Sent: 6. studeni 2002 22:44
> To: Owen McCusker; incidents@securityfocus.com
> Subject: Re: ano@ano.com ftpd dip.t-dialin.net
>
>
> On November 6, 2002 09:50 pm, Owen McCusker wrote:

I think you are (partially :) right.
This is probably some automated tool which scans available anonymous ftp servers and uploads a file to it.
As far as I can see, they usually use 1000000 bytes file to do a speed test, at least that was the case on servers I manage. In this case I believe they are looking only for "open" anonymous ftp servers as (in this case) they transfer only small files which are not enough to test speed, and from dial-up/DSL lines.
Speed testing is usually done to some other server (which they already found) which is on a fast line.

I get loads of anonymous ftp connects on my ftp server, although anonymous login is forbidden. Logs are like this one:

Nov 8 08:06:52 my_server proftpd[10693]: my_server (213-140-20-183.fastres.net[213.140.20.183]) - FTP session opened. Nov 8 08:06:52 my_server proftpd[10693]: my_server (213-140-20-183.fastres.net[213.140.20.183]) - no such user 'anonymous' Nov 8 08:06:52 my_server proftpd[10693]: my_server (213-140-20-183.fastres.net[213.140.20.183]) - FTP session closed.

I'd recommend closing anonymous logins (unless you *really* need it) and using tcp wrappers on ftp server to deny connections.

Best regards,

Bojan Zdrnja

---

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Sat Nov 9 06:40:16 2002