[lug] Tracking Connections

George Sexton gsexton at mhsoftware.com
Fri Aug 17 10:48:00 MDT 2001


I don't understand. If it's an IP external from your network then they are
coming through your router and firewall.

It's probably routine scanning from Warez uploaders. My little 16 node
network has had 244 scans this week by machines looking for FTP servers.

Once they find your FTP server, they will try to find an upload directory.
Once they do, they will start uploading Warez or MP3s, etc onto your server.
They will usually create funky directory names that make it very difficult
to remove the directory.

If you allow anonymous upload, you should have a cron job that moves files
to an inaccessible dir until verified by an administrator.

Also, don't depend on hidden virtual directories. They will find them and
use them.

-----Original Message-----
From: lug-admin at lug.boulder.co.us [mailto:lug-admin at lug.boulder.co.us]On
Behalf Of Kyle Moore
Sent: 17 August, 2001 8:32 AM
To: lug at lug.boulder.co.us
Subject: [lug] Tracking Connections


I have someone who keeps trying anonymous ftp on a couple of our
servers. Syslog gives me the IP they are coming from but what I want to
find out is how they come through our network. I don't have access to
any of the routers' logs. My main concern here is someone is getting
into our network that shouldn't...so I want to verify.

NOTE: I know how horrible ftp is so I don't need any sermons on the
wonders of ssh/scp.

--
Kyle

_______________________________________________
Web Page:  http://lug.boulder.co.us
Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug




More information about the LUG mailing list