RE: FTP/Port 1038

From: Boyan Krosnov (bkrosnovat_private)
Date: Tue Feb 04 2003 - 14:26:41 PST


    Hi Hoof and all on the list,
    
    >(192,168,1,9,4,14)
    4*256+14= 1038
    nothing curious in this "probe"
    
    just a passive mode connection from the client to your server _after_ he
    requested the server to go to passive mode with this command
    >[2] Tue 04Feb03 10:21:25 - (000001) PASV
    
    and your server responded that the client should connect the data
    connection to it on port 1038.
    >[6] Tue 04Feb03 10:21:25 - (000001) 227 Entering Passive Mode 
    >(192,168,1,9,4,14)
    
    Your NAT should provide fixup for the address 192.168.1.9 and port 1038
    and a permit and translation for the later incoming connection. If it
    doesn't, it's plain broken NAT.
    
    Best regards,
    Boyan Krosnov
    http://boyan.ludost.net/
    just another techie speaking for himself
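    As an added example (not part of either message), the decoding Boyan does by hand, turned into a check over the two log formats quoted below: it parses the Serv-U 227 replies, computes the advertised host and port, and labels each inbound firewall hit that matches one within a short window as the expected passive data connection, so an analyst can tell it apart from a real probe. The sample lines are constructed from the quoted entries; the second firewall line is invented to show a hit that no PASV reply explains.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, modelled on the Serv-U and workstation-firewall
# lines quoted in the thread. The second firewall line is invented: same
# port, but ten minutes later, so no 227 reply accounts for it.
FTP_LOG = """\
[2] Tue 04Feb03 10:21:25 - (000001) PASV
[6] Tue 04Feb03 10:21:25 - (000001) 227 Entering Passive Mode (192,168,1,9,4,14)
[5] Tue 04Feb03 10:22:06 - (000001) Closing connection for user ANONYMOUS (00:00:46 connected)
"""
FIREWALL_LOG = """\
2003/02/04 10:21:26 203.198.145.93:6718 (mail.hyprint.com) 192.168.1.9:1038
2003/02/04 10:31:26 203.198.145.93:6750 (mail.hyprint.com) 192.168.1.9:1038
"""

# Serv-U reply line: "[6] Tue 04Feb03 10:21:25 - (000001) 227 ... (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"\[6\] \w{3} (\d{2}\w{3}\d{2} \d{2}:\d{2}:\d{2}) - \(\d+\) 227 .*?"
    r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Firewall line: "date time src:port [(name)] dst:port"
FW_RE = re.compile(
    r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+):(\d+)(?: \([^)]*\))? (\S+):(\d+)")

def pasv_endpoint(h1, h2, h3, h4, p1, p2):
    """Decode the RFC 959 227 payload: four host octets, then port = p1*256 + p2."""
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)

def parse_pasv_replies(ftp_log):
    """Yield (time, host, port) for every 227 reply the server sent."""
    for m in PASV_RE.finditer(ftp_log):
        when = datetime.strptime(m.group(1), "%d%b%y %H:%M:%S")
        host, port = pasv_endpoint(*m.groups()[1:])
        yield when, host, port

def classify_inbound(ftp_log, fw_log, window_s=60):
    """Label each inbound firewall hit as an expected PASV data connection
    (a 227 for that host:port at most window_s before it) or as unexplained."""
    replies = list(parse_pasv_replies(ftp_log))
    rows = []
    for m in FW_RE.finditer(fw_log):
        when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        dst, dport = m.group(4), int(m.group(5))
        explained = any(
            host == dst and port == dport
            and timedelta(0) <= when - t <= timedelta(seconds=window_s)
            for t, host, port in replies)
        rows.append((m.group(1), f"{dst}:{dport}",
                     "expected PASV data connection" if explained else "unexplained inbound"))
    return rows

if __name__ == "__main__":
    for row in classify_inbound(FTP_LOG, FIREWALL_LOG):
        print(*row)
```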
    
    
    -----Original Message-----
    From: Hoof Hearted [mailto:capbligh2001at_private] 
    Sent: Tuesday, February 04, 2003 8:50 PM
    To: incidentsat_private
    Subject: FTP/Port 1038
    
    Hi All
    
    At 10:21 GMT today we had an incident of an ftp user accessing a ServU
    (Version 2.5f) server through a NAT. A few seconds later the firewall
    noted an inbound 'probe' on port 1038 (to the w/s - this port is not in
    the NAT).
    
    The workstation firewall picked up as follows:
    >2003/02/04 10:21:26 203.198.145.93:6718 (mail.hyprint.com) 
    >192.168.1.9:1038
    >Port 1038 (TCP)
    
    The ftp logs show:
    >[5] Tue 04Feb03 06:20:20 - (000007) Connected to 199.18.36.14 (Local
    >address 192.168.1.9)
    >[6] Tue 04Feb03 06:20:20 - (000007) 220 Serv-U FTP-Server v2.5f for
    WinSock 
    >ready...
    >[2] Tue 04Feb03 06:20:20 - (000007) USER anonymous
    >[6] Tue 04Feb03 06:20:20 - (000007) 331 User name okay, please send 
    >complete E-mail address as password.
    >[2] Tue 04Feb03 06:20:21 - (000007) PASS Ngpuserat_private
    >[5] Tue 04Feb03 06:20:21 - (000007) ANONYMOUS logged in, password: 
    >NGPUSERat_private
    >[6] Tue 04Feb03 06:20:21 - (000007) 230 User logged in, proceed.
    >[2] Tue 04Feb03 06:20:21 - (000007) CWD /pub/
    >[6] Tue 04Feb03 06:20:21 - (000007) 550 /pub: No such file or
    directory.
    >[2] Tue 04Feb03 06:20:21 - (000007) CWD /public/
    >[6] Tue 04Feb03 06:20:21 - (000007) 550 /public: No such file or
    directory.
    >[2] Tue 04Feb03 06:20:21 - (000007) CWD /pub/incoming/
    >[6] Tue 04Feb03 06:20:21 - (000007) 550 /pub/incoming: No such file or 
    >directory.
    >[2] Tue 04Feb03 06:20:21 - (000007) CWD /incoming/
    >[6] Tue 04Feb03 06:20:21 - (000007) 550 /incoming: No such file or 
    >directory.
    >[2] Tue 04Feb03 06:20:22 - (000007) CWD /_vti_pvt/
    >[6] Tue 04Feb03 06:20:22 - (000007) 550 /_vti_pvt: No such file or 
    >directory.
    >[2] Tue 04Feb03 06:20:22 - (000007) CWD /
    >[6] Tue 04Feb03 06:20:22 - (000007) 250 Directory changed to /
    >[2] Tue 04Feb03 06:20:22 - (000007) MKD 030204011853p
    >[6] Tue 04Feb03 06:20:22 - (000007) 550 /030204011853p: Permission
    denied.
    >[2] Tue 04Feb03 06:20:22 - (000007) CWD /upload/
    >[6] Tue 04Feb03 06:20:22 - (000007) 550 /upload: No such file or
    directory.
    >[5] Tue 04Feb03 06:20:22 - (000007) Closing connection for user
    ANONYMOUS 
    >(00:00:02 connected)
    >[5] Tue 04Feb03 07:18:07 - (000008) Connected to 196.1.95.197 (Local 
    >address 192.168.1.9)
    >[6] Tue 04Feb03 07:18:07 - (000008) 220 Serv-U FTP-Server v2.5f for
    WinSock 
    >ready...
    >[5] Tue 04Feb03 07:18:07 - (000008) Closing connection
    >[1] Tue 04Feb03 10:06:39 - FTP server going down...
    >[1] Tue 04Feb03 10:16:03 - Starting FTP Server...  (Version 2.5f
    (32-bit))
    >[5] Tue 04Feb03 10:21:20 - (000001) Connected to 203.198.145.93 (Local 
    >address 192.168.1.9)
    >[6] Tue 04Feb03 10:21:20 - (000001) 220 Serv-U FTP-Server v2.5f for
    WinSock 
    >ready...
    >[5] Tue 04Feb03 10:21:20 - (000001) IP-Name: MAIL.HYPRINT.COM
    >[2] Tue 04Feb03 10:21:21 - (000001) USER anonymous
    >[6] Tue 04Feb03 10:21:21 - (000001) 331 User name okay, please send 
    >complete E-mail address as password.
    >[2] Tue 04Feb03 10:21:21 - (000001) PASS anoat_private
    >[5] Tue 04Feb03 10:21:21 - (000001) ANONYMOUS logged in, password: 
    >ANOat_private
    >[6] Tue 04Feb03 10:21:21 - (000001) 230 User logged in, proceed.
    >[2] Tue 04Feb03 10:21:22 - (000001) TYPE I
    >[6] Tue 04Feb03 10:21:22 - (000001) 200 Type set to I.
    >[2] Tue 04Feb03 10:21:22 - (000001) STRU F
    >[6] Tue 04Feb03 10:21:22 - (000001) 200 STRU F ok.
    >[2] Tue 04Feb03 10:21:22 - (000001) MODE S
    >[6] Tue 04Feb03 10:21:22 - (000001) 200 MODE S ok.
    >[2] Tue 04Feb03 10:21:23 - (000001) REST 0
    >[6] Tue 04Feb03 10:21:23 - (000001) 350 Restarting at 0 - send STORE or
    
    >RETRIEVE to initiate transfer.
    >[2] Tue 04Feb03 10:21:23 - (000001) REST 1
    >[6] Tue 04Feb03 10:21:23 - (000001) 350 Restarting at 1 - send STORE or
    
    >RETRIEVE to initiate transfer.
    >[2] Tue 04Feb03 10:21:24 - (000001) REST 0
    >[6] Tue 04Feb03 10:21:24 - (000001) 350 Restarting at 0 - send STORE or
    
    >RETRIEVE to initiate transfer.
    >[2] Tue 04Feb03 10:21:24 - (000001) SYST
    >[6] Tue 04Feb03 10:21:24 - (000001) 215 UNIX Type: L8
    >[2] Tue 04Feb03 10:21:25 - (000001) PASV
    >[6] Tue 04Feb03 10:21:25 - (000001) 227 Entering Passive Mode 
    >(192,168,1,9,4,14)
    >[5] Tue 04Feb03 10:22:06 - (000001) Closing connection for user
    ANONYMOUS 
    >(00:00:46 connected)
    
    A cursory investigation noted that the 'probe' (allegedly from
    mail.hyprint.com) came from a machine that thinks it's mail.hyprint.com.hk
    (seemingly no connection to hyprint.com, who have a very different MX
    config).
    
    I might, at a push, believe this is a new user with a very open box,
    except the box seems to be a W2K advanced server with M$ Exchange 2000
    and DNS set up (alongside RAdmin, ServUFTP 2.5j etc etc.), all running
    (apparently) behind a Linksys router (ip +8080).
    
    Anyway - there's the heads up. :)
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For
    more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Feb 04 2003 - 15:01:08 PST