Message-Id: <200112142023.fBEKNkA12732@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Date: Fri, 14 Dec 2001 12:23:45 -0800 (PST)
Subject: [iwar] [fc:CodeRed-like.FTP.worm?]
Reply-To: iwar@yahoogroups.com

CodeRed-like FTP worm?

Hello,

I keep seeing attempted connections to ftp by various boxes in the same subnets. Could this be some sort of scan for vulnerable ftp servers? Something like a CodeRed ftp worm?

Thanks for any info in advance,
Rich

Tue Dec 11 11:08:04 FTP connection from 80.11.101.8
Tue Dec 11 12:38:26 FTP connection from 210.65.171.32
Tue Dec 11 14:06:27 FTP connection from 193.253.37.13
Tue Dec 11 15:04:45 FTP connection from 193.253.37.13
Tue Dec 11 18:16:47 FTP connection from 217.136.112.196
Wed Dec 12 04:14:53 FTP connection from 202.224.159.46
Wed Dec 12 11:41:52 FTP connection from 141.24.92.89
Wed Dec 12 12:15:11 FTP connection from 80.11.85.121
Wed Dec 12 13:38:03 FTP connection from 213.191.132.98
Wed Dec 12 14:08:30 FTP connection from 210.58.12.142
Wed Dec 12 14:41:33 FTP connection from 217.129.33.236

I'm seeing some addresses in common with one of the FTP servers here, too: 193.251.4.218, 193.252.178.248, 80.11.87.134, 217.128.164.17, which are under the same domain as the 193. and 80. addresses you listed (wanadoo.fr). We've been seeing attempted FTP connections from this domain for months. I've also seen attempted connects from aol.com (no surprise) and dip.t-dialin.net (e.g. 217.1.98.129 and 217.228.230.250). Those three are the most frequent, with several attempts every week.

The one thing they all have in common is that it's consistently dialup connections knocking at the door. I wouldn't call that a worm. More like idle curiosity. Still, this server isn't broadly advertised or anything, so I'm thinking it must have come up in a scan at some point (but there's no IDS here and I don't have access to the firewall, so who can say). The FTP process wasn't always TCP wrapped either.

--
http://all.net/
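The question the thread is really asking (worm or idle scanning?) can be answered from the log itself by counting connections per source, per address block and per day: worm propagation produces a high daily rate from many distinct sources, whereas a few connections a day, some of them repeats from the same dialup ranges, is what the reply above describes. The script below is an added example for this page, not code from the original post or the list; it parses the tcp-wrapper style lines quoted above (the eleven lines are embedded as constructed sample input), assumes the year 2001 since the timestamps carry none, and uses thresholds and function names (`parse_log`, `summarize`, `classify`) that are this example's own assumptions rather than any published rule.

```python
"""Summarise 'FTP connection from <ip>' log lines to tell worm-like
propagation from low-rate probing.  Added example; the thresholds below
are illustrative assumptions, not published detection rules."""
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample input: the eleven lines quoted in the post.
SAMPLE_LOG = """\
Tue Dec 11 11:08:04 FTP connection from 80.11.101.8
Tue Dec 11 12:38:26 FTP connection from 210.65.171.32
Tue Dec 11 14:06:27 FTP connection from 193.253.37.13
Tue Dec 11 15:04:45 FTP connection from 193.253.37.13
Tue Dec 11 18:16:47 FTP connection from 217.136.112.196
Wed Dec 12 04:14:53 FTP connection from 202.224.159.46
Wed Dec 12 11:41:52 FTP connection from 141.24.92.89
Wed Dec 12 12:15:11 FTP connection from 80.11.85.121
Wed Dec 12 13:38:03 FTP connection from 213.191.132.98
Wed Dec 12 14:08:30 FTP connection from 210.58.12.142
Wed Dec 12 14:41:33 FTP connection from 217.129.33.236
"""

# The weekday token is matched but ignored; month, day, time and the
# source address are what we need.
LINE_RE = re.compile(
    r"^\w{3}\s+(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})"
    r"\s+FTP connection from\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_log(text, year=2001):
    """Return a list of (datetime, IPv4Address) for each matching line.

    Syslog timestamps carry no year, so the caller supplies one (2001 here,
    an assumption matching the post's date).  Lines that do not match the
    format, or carry a malformed address, are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        try:
            ip = ip_address(m["ip"])
        except ValueError:
            continue  # e.g. an octet above 255
        events.append((ts, ip))
    return events


def summarize(events, prefix_len=16):
    """Count connections per source, per /prefix_len block and per day."""
    per_source = Counter(ip for _, ip in events)
    per_block = Counter(
        ip_network(f"{ip}/{prefix_len}", strict=False) for _, ip in events
    )
    per_day = Counter(ts.date() for ts, _ in events)
    return {
        "total": len(events),
        "distinct_sources": len(per_source),
        "repeat_sources": {str(ip): n for ip, n in per_source.items() if n > 1},
        "connections_per_block": {str(net): n for net, n in sorted(per_block.items())},
        "max_per_day": max(per_day.values()) if per_day else 0,
    }


def classify(summary, worm_rate_per_day=50):
    """Rule of thumb (an assumption of this example): a worm hits at a high
    daily rate from mostly distinct sources; a handful of connections spread
    over days, some from the same source, is opportunistic probing."""
    if summary["total"] == 0:
        return "no FTP connections logged"
    mostly_distinct = summary["distinct_sources"] / summary["total"] >= 0.8
    if summary["max_per_day"] >= worm_rate_per_day and mostly_distinct:
        return "worm-like: high rate from many distinct sources"
    if summary["repeat_sources"]:
        return "low-rate probing with repeat sources"
    return "low-rate probing from distinct sources"


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
    print(classify(report))
```

Run against the quoted lines it reports 11 connections from 10 distinct sources over two days, with 193.253.37.13 as the only repeat and the 80.11.0.0/16 and 193.253.0.0/16 blocks (the wanadoo.fr ranges the reply mentions) each appearing twice, and classifies the activity as low-rate probing. The same functions can be pointed at a real wrapper or syslog file to see whether the per-day rate and source diversity ever shift toward the worm-like pattern.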
This archive was generated by hypermail 2.1.2 : 2001-12-31 21:00:00 PST