[TriLUG] vsftpd and port scanning (or multiple failed logins)

Ian Kilgore ian at trilug.org
Thu Mar 2 12:50:19 EST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Owen Berry wrote:
| Can anyone confirm my suspicions of anonymous login? Or is this more of
| an indication of a port scan? Why 1 host would try 696 times in a day is
| beyond me, unless they are scanning.

Why one host would try an anonymous login 696 times against your one
host, even /if/ it's zombied, is beyond me, too.  You would think, that
after one (maybe even two) tries, this script would give up, or try a
different username -_-

Anyway, a port scan would (should) just be an opened and then dropped
connection - a connect scan, anyway.  I doubt a syn scan, or any others,
would show up in your ftpd logs as a failed login (although they
certainly are detectable..)

Either way, 696 times from one host to one host seems.. odd.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEBzBawsRpgTiXSOERAosVAKCDeYVldWl+JGwBdQo6d0lndvRo9QCfXagd
OAn0y7g5Q/fDgnC4m2QpnoI=
=OHzE
-----END PGP SIGNATURE-----



More information about the TriLUG mailing list