RE: wu-ftpd attack ???

From: Aaron Lewis (jimat_private)
Date: Tue Nov 26 2002 - 06:18:40 PST

  • Next message: Rodrigo Barbosa: "Re: wu-ftpd attack ???"

    Ok. In efforts to find out what went on here, I have taken down some of the
    security features recently implemented and restarted tcpdump with
    tcpdump -nvv -s 1500 -w 'port 20 or 21' > /var/log/ftpdump &
    
    
    I have copied this to the people who have asked for more information. I'd
    rather deal with a few individuals directly than splatter this all over the
    list. As soon as I have another incident I will post the dump results
    
    Thanks
    
    
    
    -----Original Message-----
    From: OTERO Hernan Gustavo EDS [mailto:bazhgoat_private]
    Sent: Tuesday, November 26, 2002 7:04 AM
    To: 'aaronat_private'
    Subject: wu-ftpd attack ???
    
    
    Could you sendme the tcpdump ( and the command that you run to make the dump
    ie, tcpdump -nvv -s 1500 -w blablabla or any other )?
    
    
    
    Thanks,
    	Hernán Otero
    Information Security Analyst
    
    
    >I'm experiencing a situation where wu-ftpd wu-ftpd-2.6.1-20 on Red Hat 7.2
    2.4.18-18.7.x >is
    >getting broken by some specific type of scan (I think). When this happens,
    wu-ftpd just stops
    >responding to connection requests but port 21 is still listening according
    to netstat
    
    
    
    
    
    
    >-anl. I restart xinetd and all is well.
    
    >Now, what I have managed to catch in the logs, just before the server
    stops, are several >connections
    >(or a scan) from a specific IP address to multiple virt hosts on my server.
    There
    >is NO annon ftp and there are NO shell accounts. If someone is interested
    in the tcp dump
    >for the FTP traffic during this, let me know. Other than that there is
    nothing suspicious
    >in the logs.
    
    >Can someone tell me what might be going on please...
    
    >Aaron Lewis
    >JSW4.NET
    >aaronat_private
    
    >---------------------------------------------------------------------------
    -
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management
    >and tracking system please see: http://aris.securityfocus.com
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Nov 26 2002 - 11:48:45 PST