Ok. In efforts to find out what went on here, I have taken down some of the security features recently implemented and restarted tcpdump with

tcpdump -nvv -s 1500 -w 'port 20 or 21' > /var/log/ftpdump &

I have copied this to the people who have asked for more information. I'd rather deal with a few individuals directly than splatter this all over the list. As soon as I have another incident I will post the dump results.

Thanks

-----Original Message-----
From: OTERO Hernan Gustavo EDS [mailto:bazhgoat_private]
Sent: Tuesday, November 26, 2002 7:04 AM
To: 'aaronat_private'
Subject: wu-ftpd attack ???

Could you send me the tcpdump (and the command that you run to make the dump, i.e. tcpdump -nvv -s 1500 -w blablabla or any other)?

Thanks,
Hernán Otero
Information Security Analyst

>I'm experiencing a situation where wu-ftpd wu-ftpd-2.6.1-20 on Red Hat 7.2 2.4.18-18.7.x is
>getting broken by some specific type of scan (I think). When this happens, wu-ftpd just stops
>responding to connection requests but port 21 is still listening according to netstat -anl.
>I restart xinetd and all is well.
>Now, what I have managed to catch in the logs, just before the server stops, are several
>connections (or a scan) from a specific IP address to multiple virt hosts on my server. There
>is NO anon ftp and there are NO shell accounts. If someone is interested in the tcp dump
>for the FTP traffic during this, let me know. Other than that there is nothing suspicious
>in the logs.
>Can someone tell me what might be going on please...
>Aaron Lewis
>JSW4.NET
>aaronat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
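An added example, not code from the thread or from wu-ftpd: a check for the precursor Aaron describes, one client opening FTP control connections to several virtual-host addresses in quick succession, run over constructed text in the shape of tcpdump -n output. The addresses, the 60-second window, the three-host threshold and the line format are all assumptions.

```python
# Added example (not from the thread): flag one source address opening FTP
# control connections to several virtual-host addresses within a short
# window. Input is constructed text shaped like modern "tcpdump -n" output.
import re
from datetime import datetime, timedelta

# "HH:MM:SS.usec IP src.sport > dst.dport: Flags [S], ..."  (SYN to port 21 only)
SYN_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > "
                    r"(\d+\.\d+\.\d+\.\d+)\.21: Flags \[S\]")

def parse_ftp_syns(lines):
    """Return (time, src, dst) for each SYN to port 21; ignore other lines."""
    out = []
    for line in lines:
        m = SYN_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2), m.group(3)))
    return out

def find_vhost_sweeps(records, window_s=60, min_hosts=3):
    """{src: set(dst)} for sources reaching >= min_hosts distinct dsts inside window_s."""
    by_src = {}
    for t, src, dst in records:
        by_src.setdefault(src, []).append((t, dst))
    sweeps = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):           # sliding window over time
            while hits[end][0] - hits[start][0] > timedelta(seconds=window_s):
                start += 1
            dsts = {d for _, d in hits[start:end + 1]}
            if len(dsts) >= min_hosts:
                sweeps[src] = sweeps.get(src, set()) | dsts
    return sweeps

# Constructed sample: 192.0.2.77 sweeps three virtual-host addresses in two
# seconds; 203.0.113.5 connects to one host only; one SYN-ACK line is noise.
SAMPLE = """\
06:55:01.100000 IP 192.0.2.77.40001 > 198.51.100.10.21: Flags [S], seq 1, win 5840
06:55:01.300000 IP 192.0.2.77.40002 > 198.51.100.11.21: Flags [S], seq 2, win 5840
06:55:01.301000 IP 198.51.100.10.21 > 192.0.2.77.40001: Flags [S.], seq 9, ack 2
06:55:02.000000 IP 192.0.2.77.40003 > 198.51.100.12.21: Flags [S], seq 3, win 5840
06:55:07.000000 IP 203.0.113.5.51000 > 198.51.100.10.21: Flags [S], seq 4, win 5840
06:57:30.000000 IP 203.0.113.5.51001 > 198.51.100.10.21: Flags [S], seq 5, win 5840
""".splitlines()

if __name__ == "__main__":
    for src, dsts in find_vhost_sweeps(parse_ftp_syns(SAMPLE)).items():
        print(f"{src} swept {len(dsts)} FTP virtual hosts: {sorted(dsts)}")
```

Feeding it real capture text (tcpdump -n -r on the saved file, filtered to port 21) would let you confirm whether the same source really does fan out across the virtual hosts right before the daemon stops answering.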
This archive was generated by hypermail 2b30 : Tue Nov 26 2002 - 11:48:45 PST