you could be a bit creative in analysis of the captured traffic...

what pattern do certain addresses exhibit, i.e. do the french ip's
seem to be active at certain times of day?

are the activities consistent in what they are attempting, or is
there a discernible pattern at all?

while sniffing, do you see any conversations between any of the detected
addresses passing info..

what type of packets are they passing if any...

meanwhile, do talk with those admins....

piranha....

>From: Truman Boyes <[EMAIL PROTECTED]>
>To: John Steniger <[EMAIL PROTECTED]>
>CC: [EMAIL PROTECTED]
>Subject: Re: ftp port scans
>Date: Tue, 17 Oct 2000 11:54:10 -0400 (EDT)
>
>On Tue, 17 Oct 2000, John Steniger wrote:
>
> > Within the last week, we've noticed a large number of attempted connects
> > to port 21 on the external interface of our firewall.  There are usually
> > 20-40 different IP's, attempting to connect 3-8 times (usually 4 times
> > apiece, with some 3 and some 8 or 9).  They make attempts within minutes
> > of one another, as if they are attempting to flood the port.  We block
> > that port by default, so nothing is getting in, but I'm leery of the
> > intent.  The IPs come from all over the place....mostly the US (lots of
> > colleges and ISP's), but some from France, Canada, and Panama.  It seems
> > to me he's either cracked into these accounts or is more likely spoofing
> > addresses.
>
>That is always a possibility. What if someone put a link to the wrong
>address on a webpage ? Or a wrong ip address in an A record ? I doubt the
>addresses are spoofed. They may be scripts looking for vulnerable ftp
>daemons.
>
> > Is there a generally accepted way to deal with this? I've thought of
> > mailing the admins of at least the colleges to inform them they may have
> > been hacked.  I'm also going to set up a packet sniffer to see what these
> > packets look like.  Other than that, would anyone have any suggestions?
> >
> > Thanks,
> > John
> > -
>
>You should mail the admins and discuss this with them. I would imagine the
>packets would look nothing stranger than normal ftp traffic.
>
>.truman.
>
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
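
Added example, not part of the original thread: one way to run the per-address, time-of-day and burst analysis suggested above over firewall deny logs. The log format, the documentation-range addresses, the function names and the 5-minute gap are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample: denied inbound SYNs (documentation addresses, assumed format).
SAMPLE_LOG = """\
2000-10-16 03:12:05 DENY TCP 192.0.2.10:1042 -> 203.0.113.1:21 SYN
2000-10-16 03:12:08 DENY TCP 192.0.2.10:1042 -> 203.0.113.1:21 SYN
2000-10-16 03:13:40 DENY TCP 198.51.100.7:2201 -> 203.0.113.1:21 SYN
2000-10-16 03:13:43 DENY TCP 198.51.100.7:2201 -> 203.0.113.1:21 SYN
2000-10-16 03:15:02 DENY TCP 198.51.100.44:1500 -> 203.0.113.1:21 SYN
2000-10-16 14:30:00 DENY TCP 192.0.2.99:3301 -> 203.0.113.1:80 SYN
2000-10-17 03:10:51 DENY TCP 192.0.2.10:1077 -> 203.0.113.1:21 SYN
2000-10-17 03:10:54 DENY TCP 192.0.2.10:1077 -> 203.0.113.1:21 SYN
2000-10-17 15:45:20 DENY TCP 198.51.100.7:2290 -> 203.0.113.1:21 SYN
"""
LINE = re.compile(r"(\S+ \S+) DENY TCP ([\d.]+):(\d+) -> [\d.]+:(\d+)")

def parse(text, dport=21):
    """Return sorted (timestamp, src_ip, src_port) for denied hits on dport."""
    events = []
    for m in map(LINE.match, text.splitlines()):
        if m and int(m.group(4)) == dport:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3))))
    return sorted(events)

def per_source(events):
    """Per source: hits, hours of day seen, and distinct source ports.
    Heuristic: several hits from one source port are likely SYN retries."""
    out = defaultdict(lambda: {"attempts": 0, "hours": set(), "sports": set()})
    for ts, src, sport in events:
        out[src]["attempts"] += 1
        out[src]["hours"].add(ts.hour)
        out[src]["sports"].add(sport)
    return dict(out)

def bursts(events, gap=timedelta(minutes=5)):
    """Group hits no more than `gap` apart: (start, hits, distinct sources)."""
    groups = []
    for ts, src, _ in events:
        if not groups or ts - groups[-1]["last"] > gap:
            groups.append({"start": ts, "hits": 0, "srcs": set()})
        g = groups[-1]
        g["last"] = ts
        g["hits"] += 1
        g["srcs"].add(src)
    return [(g["start"], g["hits"], len(g["srcs"])) for g in groups]

if __name__ == "__main__":
    print(per_source(parse(SAMPLE_LOG)), bursts(parse(SAMPLE_LOG)), sep="\n")
```

A source whose hits all share one source port has probably made a single connection attempt that was retried, which is worth confirming against sequence numbers in the capture before counting it as several probes.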
