OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: [suse-security] strange ftp-scan
From: Peter Münster (peteruniv-rennes1.fr)
Date: Sat Oct 07 2000 - 08:06:25 CDT

On Sat, 7 Oct 2000, Stefan Suurmeijer wrote:

> 9 straight years of continual holes is probably suicidal (that brings to
> mind, is it still DeadRat's default ftp package? You do the math ;-))

No, of course it's the latest version from suse-update...

However, thank you all, for the hints to better ftp-daemons!

But there is still the same question: what could be the sense in doing a
ftp-connection very 5 minutes and also ICMP echo requests (pings).
There is no more process listening on port 21 (no more ftp in inetd.conf)
but there are still the same attempts:

from 211.56.234.227 to 129.20.79.55
IP Packet precedence: Routine (---)
ID: 0x3F8E FLAGS: DF -- Time to live (secs): 106
Protocol (6): TCP

Packet ID (from_IP.port-to_IP.port): 211.56.234.227.4283-129.20.79.55.21
E..,?..j.B..8....O7....J.5.....`. .XU......

from 129.20.79.55 to 211.56.234.227
IP Packet precedence: Routine (---)
ID: 0xC53A FLAGS: -- -- Time to live (secs): 255
Protocol (6): TCP

Packet ID (from_IP.port-to_IP.port): 129.20.79.55.21-211.56.234.227.4283
E..(.:....h-..O7.8..........J.5.P.......

[...]

ICMP message id: 211.56.234.227 > 129.20.79.55
  ICMP type: Echo

ICMP message id: 129.20.79.55 > 211.56.234.227
  ICMP type: Echo reply

(the output comes from
sniffit -a -l 0 -b -t "" -P IP,TCP,ICMP,UDP||grep -C 211.56.234.227)

But perhaps there is just _no_ sense, only a mistake by the user of
211.56.234.227 ...
Peter 

-- 
     Peter Münster
     http://w3pm.stormloader.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribesuse.com
For additional commands, e-mail: suse-security-helpsuse.com