Re: Does anyone recognize this?

From: Bill Borton (bbortonat_private)
Date: Wed Apr 18 2001 - 07:28:08 PDT


    At 07:27 PM 4/17/01 -0600, you wrote:
    >On Tue, 17 Apr 2001, Crist Clark wrote:
    >
    > > > Why the strange port numbers if it was FTP?
    > >
    > > Uh... 'cause FTP is a fscked up protocol? I guess you are expecting to
    > > see port 20? Not if you're doing PASV.
    >
    >Port 20 and/or not port 60151.  The only client I'm used to on the Linux
    >side that does PASV by default is ncftp, and I'm not used to seeing 60151
    >being allocated by most OSes, unless there is a NAT device in-between,
    >which shouldn't be the case if the machine using 60151 is the FTP server.
    >
    >                                         Ryan
    
    Hi all,
    
    It looks like Daniel Martin (and Devdas Bhagat, who didn't send to the list)
    got it pretty much figured out... There is a squid installation on this machine
    and when these packets were first captured I grepped through the logs for
    the IP address and host name but found nothing.  After the talk of .iso
    images I went back and grepped for "\.iso" and sure enough one of the users
    was FTPing a RedHat 7.0 iso at that time using Netscape.  A quick nslookup
    of the download host showed it was an alias for the machine in question. (doh!)
    
    So, I think that is the answer.
    
    *Many* thanks, I slept much better last night.
    
    -Bill
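
The check this thread converges on, as an added example that is not part of the original post: instead of grepping the proxy log for the captured IP or its canonical name, resolve the host in each logged URL and match on the resulting addresses, so that a DNS alias still ties the request to the capture. It assumes Squid's native access.log layout; the log lines, addresses, CONSTRUCTED_DNS table and function names are all constructed for illustration.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client result/status bytes method URL ident peer type
SAMPLE_LOG = """\
987553600.101    412 10.0.0.21 TCP_MISS/200 5120 GET http://www.example.org/index.html - DIRECT/www.example.org text/html
987553628.557 913004 10.0.0.34 TCP_MISS/200 676331520 GET ftp://mirror.example.net/pub/redhat/7.0/iso/disc1.iso - DIRECT/mirror.example.net application/octet-stream
987553700.230     95 10.0.0.21 TCP_HIT/200 2048 GET http://www.example.org/logo.gif - NONE/- image/gif
"""

# Constructed DNS answers so the example runs offline (documentation addresses).
CONSTRUCTED_DNS = {"mirror.example.net": {"192.0.2.44"},
                   "www.example.org": {"192.0.2.80"}}

def resolve(host):
    """Return every IPv4 address the name resolves to (empty set on failure)."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except OSError:
        return set()

def requests_to_ip(log_text, suspect_ip, resolver=resolve):
    """Return (client, url) for entries whose URL host maps to suspect_ip."""
    cache = {}
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # not a complete native-format entry
        client, url = fields[2], fields[6]
        host = urlsplit(url).hostname
        if host is None:  # CONNECT entries log host:port with no scheme
            host = url.rsplit(":", 1)[0]
        if host not in cache:
            # Keep the literal name too, in case the URL already holds an IP.
            cache[host] = {host} | resolver(host)
        if suspect_ip in cache[host]:
            hits.append((client, url))
    return hits

if __name__ == "__main__":
    offline = lambda h: CONSTRUCTED_DNS.get(h, set())
    for client, url in requests_to_ip(SAMPLE_LOG, "192.0.2.44", offline):
        print(client, url)
```

Against a live log, call requests_to_ip without the resolver argument to use real DNS; answers may have changed since the capture, so treat a miss as inconclusive.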
    



    This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 08:20:50 PDT