RE: wu-ftpd attack???

From: Bojan Zdrnja (Bojan.Zdrnjaat_private)
Date: Wed Nov 27 2002 - 02:42:17 PST

Next message: Aaron Lewis: "RE: wu-ftpd attack ???"

Previous message: Toby Felgenner: "Re: Proxy server hit... Any ideas?"
In reply to: M. den Braber: "RE: wu-ftpd attack???"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I get loads of similar connections every day. I suppose it's some (very
simple) automated tool to check various servers if they accept anonymous
connections (probably used by warez kids who then upload their warez into
server and use it as distribution site).

In your case, connections from remote client are too excessive - maybe
automated tool isn't properly configured.

Default setting in tcp wrappers (which you obviously use to start proftpd)
allows maximum of 40 spawned sessions of one service in 60 seconds. In your
case, it goes over this maximum number, so inetd terminates proftpd service.

If you don't use anonymous ftp (and you said you don't), you can put some
restrictions on allowed IPs which connect to your ftp server (of course, if
that's possible).

In other case, you can put higher value on allowed maximum number of spawned
connections in /etc/inetd.conf file.

Just find line with proftpd, it should look like:

ftp	stream	tcp	nowait	root	/usr/sbin/tcpd	/usr/sbin/proftpd

and change nowait parameter to something like nowait.400
This will allow 400 spawned connections in 60 seconds.

Best regards,

Bojan Zdrnja

> -----Original Message-----
> From: M. den Braber [mailto:mauriceat_private]
> Sent: 26. studeni 2002 10:05
> To: incidentsat_private
> Subject: RE: wu-ftpd attack???
>
>
> I just posted this in focus-linux a minute ago, looks the same:
>
> >Hi guys,
> >
> >I'm fairly new to the lists so i hope i'm dropping it
> >in the right one. ;-)
> >
> >Anyway,
> >
> >In my network there is a cobalt raq4 that is hosting several
> >sites and today i noticed that in the last couple of days the
> >number of connections shot through the roof. (Compared to usual ;) )
> >
> >When i take a look at the logs i noticed that someone
> >is trying to login using an anonymous ftp account, which is,
> >off course disabled.
> >
> >[log]
> >Nov 25 10:37:53 koushaven proftpd[8479]: - FTP session opened.
>


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Aaron Lewis: "RE: wu-ftpd attack ???"
Previous message: Toby Felgenner: "Re: Proxy server hit... Any ideas?"
In reply to: M. den Braber: "RE: wu-ftpd attack???"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Nov 30 2002 - 12:33:11 PST