On Tue, 17 Oct 2000, John Steniger wrote:
> Within the last week, we've noticed a large number of attempted connects to
> port 21 on the external interface of our firewall. There are usually 20-40
> different IPs, attempting to connect 3-8 times (usually 4 times apiece,
> with some 3 and some 8 or 9). They make attempts within minutes of one
> another, as if they are attempting to flood the port. We block that port by
> default, so nothing is getting in, but I'm leery of the intent. The IPs
> come from all over the place... mostly the US (lots of colleges and ISPs),
> but some from France, Canada, and Panama. It seems to me he's either
> cracked into these accounts or is more likely spoofing addresses.

That is always a possibility. What if someone put a link to the wrong
address on a webpage? Or a wrong IP address in an A record? I doubt the
addresses are spoofed. They may be scripts looking for vulnerable FTP
daemons.

> Is there a generally accepted way to deal with this? I've thought of mailing
> the admins of at least the colleges to inform them they may have been
> hacked. I'm also going to set up a packet sniffer to see what these packets
> look like. Other than that, would anyone have any suggestions?
>
> Thanks,
> John
> -

You should mail the admins and discuss this with them. I would imagine the
packets would look nothing stranger than normal FTP traffic.

.truman.