I got a response from the wu-ftpd development team. It seems that it was a false alarm, so I have attached an ASCII log of the attack.

A little history of the compromised system:

- At the beginning it was a default installation of R7.2 running wu-ftpd 2.6.1
- 15 days ago it was hacked through wu-ftpd 2.6.1 and the attacker patched the system to wu-ftpd 2.6.2 (he had transferred his binary files for wu-ftpd 2.6.2, so I cannot be definitely sure that this is the original version)
- After that, several autorooters visited the system, checked the version and left, except this last attack, which was quite persistent.

In addition, the attacker kept using his exploiting tool to enter the system, besides the use of his backdoors, which gives an impression of testing the exploiting script.

Wondering if this is an attack on previously rooted systems ..

Thanks,
Costas

----------------------------
Costas Karafasoulis
Internet Systematics Lab, Honeynet Project
NCSR Demokritos
http://www.honeynet.gr
This archive was generated by hypermail 2b30 : Fri Apr 19 2002 - 09:07:07 PDT