RE: wu-ftpd attack ???

From: Aaron Lewis (jimat_private)
Date: Tue Nov 26 2002 - 12:22:42 PST


    Apologies. After some trial and error, the current syntax being used to
    collect traffic is
    
    tcpdump  -nvvX -s 1500 -w  /var/log/ftpdump 'port 20 or 21' &
    
    I'll supply the results after the next attack or substantial event. For
    everyone who's interested, please provide me with a valid e-mail and I'll
    communicate directly, as I do not wish to post explicit data to the list.
    
    -----Original Message-----
    From: Aaron Lewis [mailto:jimat_private]
    Sent: Tuesday, November 26, 2002 9:19 AM
    To: 'OTERO Hernan Gustavo EDS'; fygraveat_private
    Cc: incidentsat_private; daat_private
    Subject: RE: wu-ftpd attack ???
    
    
    Ok. In efforts to find out what went on here, I have taken down some of the
    security features recently implemented and restarted tcpdump with
    tcpdump -nvv -s 1500 -w 'port 20 or 21' > /var/log/ftpdump &
    
    
    I have copied this to the people who have asked for more information. I'd
    rather deal with a few individuals directly than splatter this all over the
    list. As soon as I have another incident I will post the dump results.
    
    Thanks
    
    
    
    -----Original Message-----
    From: OTERO Hernan Gustavo EDS [mailto:bazhgoat_private]
    Sent: Tuesday, November 26, 2002 7:04 AM
    To: 'aaronat_private'
    Subject: wu-ftpd attack ???
    
    
    Could you send me the tcpdump (and the command that you ran to make the dump,
    i.e. tcpdump -nvv -s 1500 -w blablabla or any other)?
    
    
    
    Thanks,
    	Hernán Otero
    Information Security Analyst
    
    
    >I'm experiencing a situation where wu-ftpd wu-ftpd-2.6.1-20 on Red Hat 7.2 2.4.18-18.7.x
    >is getting broken by some specific type of scan (I think). When this happens, wu-ftpd just stops
    >responding to connection requests but port 21 is still listening according to netstat
    >-anl. I restart xinetd and all is well.
    
    >Now, what I have managed to catch in the logs, just before the server stops, are several
    >connections (or a scan) from a specific IP address to multiple virt hosts on my server. There
    >is NO anon ftp and there are NO shell accounts. If someone is interested in the tcp dump
    >for the FTP traffic during this, let me know. Other than that there is nothing suspicious
    >in the logs.
    
    >Can someone tell me what might be going on please...
    
    >Aaron Lewis
    >JSW4.NET
    >aaronat_private
    
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management
    >and tracking system please see: http://aris.securityfocus.com
    
    
    
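Added example (not from the thread or from wu-ftpd): once the capture above exists, a defender's first question is the one Aaron raises, whether a single source is opening FTP control connections to many of the server's virtual-host addresses right before the daemon stops answering. This reads the classic libpcap file that tcpdump -w writes (Ethernet/IPv4/TCP only, no pcapng) and reports sources that sent bare SYNs to port 21 on several distinct destination IPs. The file path /var/log/ftpdump comes from the thread; the sample capture, the threshold of 3 and the documentation-range addresses are constructed for the example.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic as read from a little-endian file

def parse_pcap(data):
    """Yield (src_ip, dst_ip, dst_port, tcp_flags) per IPv4/TCP frame in a
    classic libpcap file (what tcpdump -w writes); pcapng is not handled."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]  # bytes captured on the wire
        pkt, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not Ethernet/IPv4/TCP
        tcp = pkt[14 + (pkt[14] & 0x0F) * 4:]  # honour IP header length (IHL)
        if len(tcp) < 14:
            continue
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        yield src, dst, struct.unpack_from("!H", tcp, 2)[0], tcp[13]

def syn_fanout(data, port=21):
    """Map each source IP to the sorted destination IPs it sent a bare SYN to on
    `port`: one source fanning out across virtual-host IPs is the pattern in the thread."""
    fanout = defaultdict(set)
    for src, dst, dport, flags in parse_pcap(data):
        if dport == port and (flags & 0x12) == 0x02:  # SYN set, ACK clear
            fanout[src].add(dst)
    return {s: sorted(d) for s, d in fanout.items()}

def flag_scanners(data, port=21, threshold=3):
    """Sources that opened connections to at least `threshold` distinct hosts (constructed cutoff)."""
    return sorted(s for s, d in syn_fanout(data, port).items() if len(d) >= threshold)

# Constructed sample capture for offline use; addresses are from documentation ranges, not real traffic.
def _frame(src, dst, flags, dport=21):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50, flags, 8192, 0, 0)
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp  # zeroed MACs, EtherType IPv4
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame  # pcap record header + frame

SAMPLE_PCAP = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1) + b"".join([
    _frame("198.51.100.7", "203.0.113.10", 0x02), _frame("198.51.100.7", "203.0.113.11", 0x02),
    _frame("198.51.100.7", "203.0.113.12", 0x02), _frame("192.0.2.5", "203.0.113.10", 0x02),
    _frame("192.0.2.5", "203.0.113.10", 0x18),  # PSH/ACK on an established session, not a SYN
])
```

Against a real capture, `flag_scanners(open("/var/log/ftpdump", "rb").read())` gives the candidate sources to correlate with the xinetd/wu-ftpd log timestamps; on the sample it returns `['198.51.100.7']`.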



    This archive was generated by hypermail 2b30 : Sat Nov 30 2002 - 12:42:33 PST