Security Incidents mailing list archives
Re: CodeRed-like FTP worm?
From: H C <keydet89 () yahoo com>
Date: Thu, 13 Dec 2001 12:42:37 -0800 (PST)
Rich, What about the connections led you to think that this was some kind of worm? W/o a more detailed explanation, it would seem that the logs show nothing more than SYN packets...which doesn't really tell you much. To be honest, there's nothing in the logs you've included to indicate any kind of worm activity, let alone Code Red-like activity. Can you elaborate on what it was that led you to this conclusion? Thanks. --- "Ascent - Compton, Richard" <RCompton () ascent-corp com> wrote:
Hello, I keep seeing attempted connections to ftp by various boxes in the same subnets. Could this be some sort of scan for vulnerable ftp servers? Something like a CodeRed ftp worm? Thanks for any info in advance, Rich Tue Dec 11 11:08:04 FTP connection from 80.11.101.8 Tue Dec 11 12:38:26 FTP connection from 210.65.171.32 Tue Dec 11 14:06:27 FTP connection from 193.253.37.13 Tue Dec 11 15:04:45 FTP connection from 193.253.37.13 Tue Dec 11 18:16:47 FTP connection from 217.136.112.196 Wed Dec 12 04:14:53 FTP connection from 202.224.159.46 Wed Dec 12 11:41:52 FTP connection from 141.24.92.89 Wed Dec 12 12:15:11 FTP connection from 80.11.85.121 Wed Dec 12 13:38:03 FTP connection from 213.191.132.98 Wed Dec 12 14:08:30 FTP connection from 210.58.12.142 Wed Dec 12 14:41:33 FTP connection from 217.129.33.236
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
__________________________________________________ Do You Yahoo!? Check out Yahoo! Shopping and Yahoo! Auctions for all of your unique holiday gifts! Buy at http://shopping.yahoo.com or bid at http://auctions.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- CodeRed-like FTP worm? Ascent - Compton, Richard (Dec 13)
- Re: CodeRed-like FTP worm? hvdkooij (Dec 13)
- Re: CodeRed-like FTP worm? Neil McKellar (Dec 13)
- Re: CodeRed-like FTP worm? H C (Dec 13)