Locate the host, inspect the FTP configuration, verify that there is a legitimate need for plaintext FTP, and consider migrating to SFTP/FTPS.

Appendix: ASCII conversion of 1oo: 1 (0x31), o (0x6F), o (0x6F). This could be shell output misinterpreted as a string.
| Observation | Implication |
|-------------|-------------|
| Log contains 10.16 (internal IP) | Likely from an internal IDS/IPS, a host firewall, or a compromised machine beaconing. |
| 1oo instead of 100 | Possible shell output where ASCII 0 was replaced by the letter o (binary-to-text artifact). |
| ftp server explicitly stated | Unusual – typically only a 220 banner or a PORT command appears. Could come from a service line in /etc/services or a honeypot label. |
```json
{
  "timestamp": "2024-10-16T??:??:??Z",
  "src_ip": "10.16.??.??",
  "dest_port": 244,
  "protocol": "TCP",
  "app_proto": "ftp",
  "banner": "1oo 244 ftp server"
}
```
ftp 10.16.x.x 244

If 244 is a reply code: there is no standard FTP reply 244. FTP reply codes are 3-digit values (x, y, z groups), and 244 is not a defined one, so it is more likely a port number or an IP octet.

4. Security Implications

Running FTP (a plaintext protocol) on a non-standard port is a common obscurity tactic, not security. Attackers scan all 65535 ports.
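The two checks above (undoing the letter-for-digit artifact in 1oo and testing whether 244 is a defined FTP reply code) as an added Python example, not part of the original analysis; it generalizes slightly by also mapping l/I to 1, and the sample banner is constructed from the log fragment.

```python
import re
from typing import Optional

# Letter-for-digit substitutions seen when binary or terminal output is
# rendered as text (the page's "1oo" for "100"); l/I -> 1 is an added
# generalization beyond the page's o -> 0 case.
_LETTER_DIGIT = str.maketrans({"o": "0", "O": "0", "l": "1", "I": "1"})

# Reply codes defined in RFC 959, section 4.2.2.
RFC959_REPLY_CODES = frozenset({
    110, 120, 125, 150, 200, 202, 211, 212, 213, 214, 215, 220, 221, 225,
    226, 227, 230, 250, 257, 331, 332, 350, 421, 425, 426, 450, 451, 452,
    500, 501, 502, 503, 504, 530, 532, 550, 551, 552, 553,
})


def normalize_numeric_token(token: str) -> Optional[str]:
    """Return the digit string a mangled token most likely stood for, or None.

    A token qualifies only if it contains at least one real digit and every
    other character is a known substitute, so words like "ftp" are left alone.
    """
    if not re.search(r"\d", token):
        return None
    candidate = token.translate(_LETTER_DIGIT)
    return candidate if candidate.isdigit() else None


def classify_reply_code(value: int) -> str:
    """Classify an integer against RFC 959's reply-code grammar (xyz)."""
    if not 100 <= value <= 599:
        return "not a reply code: first digit must be 1-5"
    if (value // 10) % 10 > 5:
        return "not a reply code: second digit must be 0-5"
    if value in RFC959_REPLY_CODES:
        return "standard RFC 959 reply code"
    return "well-formed but not defined in RFC 959"


def analyze_banner(banner: str) -> dict:
    """Normalize each numeric-looking token of a banner and classify it."""
    result = {}
    for token in banner.split():
        normalized = normalize_numeric_token(token)
        if normalized is None:
            continue
        result[token] = {"normalized": normalized,
                         "mangled": normalized != token,
                         "status": classify_reply_code(int(normalized))}
    return result


SAMPLE_BANNER = "1oo 244 ftp server"  # constructed from the log fragment

if __name__ == "__main__":
    for token, info in analyze_banner(SAMPLE_BANNER).items():
        print(token, info)
```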