This morning I connected to the main FTP server and noticed something strange in the server's log files. At first glance it looked like an attack. Of course, it’s not the first time I have seen scanners hitting IPs and servers. I see it every day. But this was different!
Let's see what I saw in the logs of the FTP server. Below you can see a screenshot from the server. The rest of the information is redacted for obvious reasons.
There were several parts of these seven log lines that attracted my attention. The most important was the hostname (referred to as IP-Name in the logs). That is the IP, resolved by DNS. Usually when you see hits from robots or scanners in your logs, you don't get a hostname, because they are trying to hack your server. You see just IPs. But it's not only that there was a hostname, which means that the hitter didn't try to cover himself. The hostname "researchscan321.eecs.umich.edu" seemed to be a server from an educational organization, most probably the University of Michigan. Isn't that what you understand, too?
So I typed this hostname into my web browser (http://researchscan321.eecs.umich.edu) and saw the web page below.
As you see, this page explains everything! They are scanning the Internet for research! Did you know that? I didn't, until today...
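The hostname in a log comes from a PTR record, which is set by whoever controls the IP block, so it is worth confirming that the name resolves forward to the same address before trusting it. The following is an added example, not part of the original post: a forward-confirmed reverse DNS check in Python. The IP addresses, the `host5.isp.example` name, and the function names are constructed for illustration; only the hostname `researchscan321.eecs.umich.edu` comes from the post.

```python
import ipaddress
import socket

def reverse_lookup(ip):
    """PTR lookup: return the hostname for ip, or None if there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def forward_lookup(hostname):
    """A/AAAA lookup: return the set of address strings the name resolves to."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except OSError:
        return set()

def classify_source(ip, known_suffixes, reverse=reverse_lookup, forward=forward_lookup):
    """Return (verdict, hostname) for a client IP taken from a server log."""
    hostname = reverse(ip)
    if not hostname:
        return ("no-ptr", None)
    hostname = hostname.rstrip(".").lower()
    # The PTR record is set by whoever controls the IP block, so it only counts
    # once the name resolves forward to the same address.
    resolved = {ipaddress.ip_address(a) for a in forward(hostname)}
    if ipaddress.ip_address(ip) not in resolved:
        return ("ptr-unconfirmed", hostname)
    # Match on a label boundary so "evil-umich.edu" does not pass for "umich.edu".
    if any(hostname == s or hostname.endswith("." + s) for s in known_suffixes):
        return ("confirmed-known", hostname)
    return ("confirmed-other", hostname)

# Constructed DNS data (documentation address ranges, not the scanner's real IPs).
PTR = {"192.0.2.10": "researchscan321.eecs.umich.edu",
       "203.0.113.7": "researchscan321.eecs.umich.edu",  # PTR claims the same name
       "198.51.100.5": "host5.isp.example"}
A = {"researchscan321.eecs.umich.edu": {"192.0.2.10"},
     "host5.isp.example": {"198.51.100.5"}}

def demo():
    """Classify each constructed log source using the offline tables above."""
    ips = ["192.0.2.10", "203.0.113.7", "198.51.100.5", "198.51.100.99"]
    return {ip: classify_source(ip, ["eecs.umich.edu"], PTR.get,
                                lambda h: A.get(h, set()))[0] for ip in ips}

if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, verdict)
```

Called without the `reverse` and `forward` arguments, `classify_source` uses the system resolver instead of the constructed tables.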