| Paul Lynch 2004-03-15, 5:35 am |
| On Mon, 15 Mar 2004 09:14:48 -0000, "scott" <scottscotland@yahoo.com>
wrote:
>Hi,
>
>My IIS FTP logs report a single anonymous connections from the following:
>
>62.0.99.157 anonymous 192.168.1.50 21 [155]USER anonymous 331 0
>62.0.99.157 - 192.168.1.50 21 [155]PASS Ggpuser@home.com 530 0
>
>82.49.56.58 anonymous 192.168.1.50 21 [31]USER anonymous 331 0
>82.49.56.58 - 192.168.1.50 21 [31]PASS Rgpuser@home.com 530 0
>
>The ftp service is locked down to stop anonymous connections.
>
>Is the above anything to worry about or is it just users finding the host
>accidentally ?
>
>Thanks for any information.
>Scott.
>
Scott,
Its a randomly targeted scripted attack. I've seen those same user
accounts being used as part of a scripted attack reported elsewhere
before (those script kiddies really have no imagination whatsoever)
However, your server is not letting them in, the 530 you see
immediately after the 'e-mail address' in your logs indicates a reply
of "not logged in".
You're not being singled out, some poor sod's trojaned machine is
scanning IP ranges out there tying to find a vulnerable FTP server to
use as a pR0n or wAr4Z stash for their fellow d00dz to hAx0r - or
something like that ;-)
Just make sure your machine remains up to date with all the latest
security patches from MS by going here and signing up for the security
bulletins :
http://www.microsoft.com/technet/se...tin/notify.mspx
This site is also worth checking out as it has tons of useful
information related to security issues, etc :
http://securityadmin.info
Regards,
Paul Lynch
MCSE
|