We normally get FTP port scanned by 2-5 computers per day. Each FTP
scan typically is a single source scanning hundreds of targets. Most of
the scans are sourced from hacked Linux/Unix boxes.
The last week or so we've been seeing the number of FTP scans increasing
rapidly to between 25 and 65 source IP's per day. The 'new' scans
typically are only a few packets at a few targets. They also seem to be
sourced primarily from public NT/2K FTP & Web servers. I've done a
banner check on all the IP's that FTP scanned us since 6am today. The
results are below.
Many of the servers had the root.exe backdoor. Some were 'hacked by
PoizonBox'.
I'd like to know if anyone else has seen an increase in port 21/FTP scans.
Stats:
68 Total source IP's
44 MS NT/2K
14 Down or blocked
7 No banner
3 Other OS
--
-----------------------------------------
Michael Janke
Director, Network Services
Minnesota State Colleges and Universities
-----------------------------------------
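
The following is an added example, not part of the original post: one way to turn banner-check results into the four categories the post reports under Stats. It assumes rows of "target count, source IP, banner result" with long banners wrapped onto following lines; the sample rows are constructed and use RFC 5737 documentation addresses, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample rows: "<targets> <source IP> <banner result>".
# Addresses are RFC 5737 documentation ranges, not values from the post.
SAMPLE = """\
4 192.0.2.10 down
16 192.0.2.20 220 hostA Microsoft FTP Service (Version 4.0).
10 198.51.100.7 no banner
486 198.51.100.9 220 proxy.example.net FTP server (Version
wu-2.6.0(1)
Fri Jun 23 09:17:44 EDT 2000) ready.
262 203.0.113.5 220 Serv-U FTP Server v3.0 for WinSock ready...
2 203.0.113.8 220 hostB Microsoft FTP Service (Version 5.0).
"""

ROW = re.compile(r"^(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(.*)$")
MS_FTP = re.compile(r"Microsoft FTP Service \(Version \d+\.\d+\)")
FIXED = {"down": "Down or blocked", "no banner": "No banner"}

def parse_rows(text):
    """Return (targets, ip, banner) tuples, rejoining wrapped banners."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append([int(m.group(1)), m.group(2), m.group(3).strip()])
        elif rows and line.strip():
            rows[-1][2] += " " + line.strip()  # continuation of previous banner
    return [tuple(r) for r in rows]

def classify(banner):
    """Map one banner-check result to a category named in the Stats block."""
    if banner.lower() in FIXED:
        return FIXED[banner.lower()]
    # Any banner that is not the Microsoft FTP Service counts as "Other OS".
    return "MS NT/2K" if MS_FTP.search(banner) else "Other OS"

def summarize(text):
    """Count source IPs and scanned targets per category."""
    rows = parse_rows(text)
    by_class = Counter(classify(b) for _, _, b in rows)
    targets = Counter()
    for n, _, b in rows:
        targets[classify(b)] += n
    return len(rows), by_class, targets

if __name__ == "__main__":
    total, by_class, targets = summarize(SAMPLE)
    print(total, "source IPs;", dict(by_class), dict(targets))
```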