RE: Quick question re FTP activity

From: darroch royden (darroch.roydenat_private)
Date: Mon Nov 11 2002 - 14:17:43 PST


    Looks like you have been marked as a mirror for chkrootkit and the user
    was trying to obtain a copy of:
    www.chkrootkit.org/chkrootkit-poster-a1.pdf 
    
    I wouldn't worry, but I would disable anon ftp access :)
    
    -----Original Message-----
    From: Timothy M. Lyons [mailto:lyonsat_private] 
    Sent: 10 November 2002 10:21 AM
    To: incidentsat_private
    Subject: Quick question re FTP activity
    
    
    I just brought this server online to lessen the stress on my web server,
    so I have to admit it's been a _long_ time since I ran FTP on anything.
    Can someone tell me what the user is trying to accomplish from the log
    excerpt below?
    
    --Tim
    
    ---
    "Leave the beaten path and dive into the woods.   
    You are certain to find something interesting."
    	-- Alexander Graham Bell (1847 - 1922)
    
    ---begin ftp log---
    Nov  9 08:53:15 envoy ftpd[2801]: USER anonymous
    Nov  9 08:53:16 envoy ftpd[2801]: PASS mat_private
    Nov  9 08:53:16 envoy ftpd[2801]: ANONYMOUS FTP LOGIN FROM p9.pub.ro [192.129.3.252], mat_private
    Nov  9 08:53:16 envoy ftpd[2801]: TYPE Image
    Nov  9 08:53:16 envoy ftpd[2801]: PORT
    Nov  9 08:53:16 envoy ftpd[2801]: refused PORT 10.0.0.248,1362 from p9.pub.ro [192.129.3.252]
    Nov  9 08:53:17 envoy ftpd[2801]: PASV
    Nov  9 08:53:17 envoy ftpd[2801]: SIZE /pub/mirrors/chkrootkit/chkrootkit-poster-a1.pdf
    Nov  9 08:53:17 envoy ftpd[2801]: REST 0
    Nov  9 08:53:17 envoy ftpd[2801]: REST 100
    Nov  9 08:53:17 envoy ftpd[2801]: RETR /pub/mirrors/chkrootkit/chkrootkit-poster-a1.pdf
    Nov  9 08:53:21 envoy ftpd[2801]: ABOR
    Nov  9 08:53:21 envoy ftpd[2801]: FTP session closed
    ---end log ---
    
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For
    more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
    



    This archive was generated by hypermail 2b30 : Tue Nov 12 2002 - 13:00:21 PST