Security Incidents mailing list archives
Re: New or old FTP exploit?
From: Bruce Dang <xfrog98 () YAHOO COM>
Date: Wed, 9 Aug 2000 23:10:36 -0700
Kent,

The scans you are getting are scans for wuftpd 2.6(1) (and others) remote overflow. There is a scanner that scans IPs in a text file, and looking @ the banner and figuring out what OS the remote victim is running. Typically, it will check for REDHAT, (like Feb 28 or something, I dun remember). And if the date is correct, they will output BOX VULN, and there goes another r00t ;>. This is fairly old, like a couple months. Just watch out. There are private wuftpd exploits that do not req. you to know the remote OS or nething. Have fun.

Cheers,
Bruce

----- Original Message -----
From: "Kent Engström" <kent () UNIT LIU SE>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, August 07, 2000 10:17 AM
Subject: New or old FTP exploit?

Our /16 has been scanned at least two times from different foreign addresses during the last weeks with an exploit that seems to be the same. On both occasions, the connections are to port 21 with the would-be intruder trying to log in as "USER ftp" and "PASS long-string-with-nops-and-shellcode-in-it". From one of our users, I got the following log saved by sniffit:

USER ftp
USER ftp
PASS
1À1Û1É°FÍ?1À1ÛC?ÙA°?Í?ëk^1À1É^^ Ff¹ÿÿ°'Í?1À^°=Í?1À1Û^?C1ÉþÉ1À^° Í?þÉuó1À^F ^°=Í?þ°0þÈ^F1À^F?v?F ?óNV ° Í?1À1Û°Í?èÿÿÿÿÿÿ0bin0sh1..11
PASS
1À1Û1É°FÍ?1À1ÛC?ÙA°?Í?ëk^1À1É^^ Ff¹ÿÿ°'Í?1À^°=Í?1À1Û^?C1ÉþÉ1À^° Í?þÉuó1À^F ^°=Í?þ°0þÈ^F1À^F?v?F ?óNV ° Í?1À1Û°Í?èÿÿÿÿÿÿ0bin0sh1..11

Another user sent me this:

Jul 22 05:47:16 yyyyy ftpd[11650]: ANONYMOUS FTP LOGIN FROM
xxxxxxxxxxxxxxxxxxxx [xxx.xxx.xx.xx],
1À1Û1É°FÍ?1À1ÛC?ÙA°?Í?ëk^1À1É^^A ^F^Df¹ÿ^A°'Í?1À^^A°=Í?1À1Û^^H?C^B1ÉþÉ1À^^H°^LÍ?þÉuó1À^F^I^^H°=Í?þ^N°0þÈ^ F^D1À^F^G?v^H?F^L?óN^HV^L°^KÍ?1À1Û°^AÍ?èÿÿÿ0bin0sh1..11
Jul 22 05:47:27 yyyyy ftpd[11650]: FTP session closed
Jul 22 07:48:13

Could somebody please tell me if this is an old exploit for some FTP daemon, or a new exploit?

We have seen attacks coming from:

200.255.45.90 ppp50.cruiser.com.br
212.69.228.245 Legend Internet Ltd

--
Kent Engström, Linköping University Incident Response Team
kent () unit liu se
abuse () liu se
+46 13 28 1744
UNIT, Linköping University; SE-581 83 LINKÖPING; SWEDEN
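
A detection sketch for the pattern described in this thread, added here as an example and not part of either message: it flags anonymous FTP password arguments that are long, mostly non-printable, or contain a NOP run. The thresholds, function names and sample lines are assumptions made for illustration, and wrapped log entries are assumed to have been joined into one line each.

```python
import re

# Assumed thresholds (not from the thread): anonymous FTP passwords are by
# convention an e-mail address, so they should be short printable ASCII.
MAX_LEN = 64
MAX_BINARY_RATIO = 0.10
# ftpd syslog form quoted in the post, unwrapped to one line per entry.
SYSLOG_RE = re.compile(rb"ANONYMOUS FTP LOGIN FROM \S+ \[(?P<src>[^\]]+)\],\s*(?P<pw>.*)$")
# Command-channel form as captured by a sniffer.
PASS_RE = re.compile(rb"^PASS\s+(?P<pw>.*)$")

def binary_ratio(data):
    """Fraction of bytes outside printable ASCII (0x20-0x7e)."""
    return sum(b < 0x20 or b > 0x7E for b in data) / max(len(data), 1)

def classify(password):
    """Return the reasons a password argument looks like an overflow payload."""
    reasons = []
    if len(password) > MAX_LEN:
        reasons.append("long")
    if binary_ratio(password) > MAX_BINARY_RATIO:
        reasons.append("binary")
    if re.search(rb"\x90{8,}", password):  # run of x86 NOP bytes
        reasons.append("nop-run")
    return reasons

def scan(lines):
    """Return (line number, source, reasons) for every suspicious login line."""
    findings = []
    for number, line in enumerate(lines, 1):
        line = line.rstrip(b"\r\n")
        match = SYSLOG_RE.search(line) or PASS_RE.match(line)
        if not match:
            continue  # not a login line (e.g. "USER ftp")
        source = match.groupdict().get("src", b"unknown").decode("ascii", "replace")
        reasons = classify(match.group("pw"))
        if reasons:
            findings.append((number, source, reasons))
    return findings

# Constructed sample input: filler bytes only, not a captured payload.
SAMPLE = [
    b"Jul 22 05:40:02 host1 ftpd[100]: ANONYMOUS FTP LOGIN FROM a.example [192.0.2.10], user@example.org",
    b"Jul 22 05:47:16 host1 ftpd[101]: ANONYMOUS FTP LOGIN FROM b.example [192.0.2.66], " + b"\x90" * 40 + b"\xff" * 8,
    b"USER ftp",
    b"PASS " + b"\x90" * 100,
]
```

In the syslog excerpt quoted above, control bytes appear in caret notation (`^A`, `^H`), which lowers the non-printable ratio, so the length and high-bit checks should stay enabled alongside the NOP-run check.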