Security Incidents mailing list archives
Re: Need help. FTP log messages
From: erickbe () YAHOO COM (Erick)
Date: Wed, 5 Jul 2000 21:38:03 -0700
Hi there,

The Bay logs aren't that detailed for FTP, so from looking over it, it appears that someone was seeing what ports were opened or accidentally FTP'd to your router. They have to successfully log in as Manager to see/get files, however, and your packet filter dropped the IP packet eventually and the connection was closed. The FTP Debug error after the IP Packet error is an error from FTP saying it couldn't transmit the buffer that was killed by the packet filter, most likely.

How is your packet filter set up? (This would possibly explain the delay in dropping the FTP session.) Also look at the times for other connections like telnet, tftp, etc. at around the same time from the same IP.

And if you don't FTP on this router... disable it.

HTH,
Erick

--- Melissa Lovett <mlovett () WARRIOR MGC PEACHNET EDU> wrote:
> The following appeared in the router event log. It appears that someone
> used FTP to do something, but I can't figure out anything. I have never
> seen anything like this in the log files before. I traced the address
> back to the UK. Any ideas?
>
> # 316: 07/01/00 04:43:23 DEBUG SLOT 3 GAME Event Code: 77
> GID_CB: gate 0x060ea @ 0x3160b3f6 (RD=76678687) - gid_add: ADDING NEW SEGMENT
> free: head=0x00208 tail=0x00000->0x1ffff/0x002ff (cnt=248)
> curr: head=0x001c2 tail=0x000f0->0x00000/0x000f0 (cnt=150)
> next: head=0x00033 tail=0x001c3->0x00000/0x001c3 (cnt=113)
>
> # 317: 07/01/00 04:43:29 DEBUG SLOT 3 TCP Event Code: 14
> TCP Open req: 16x.xx.xxx.x,21 - 194.117.155.79,4654 TCB: 0x31558260
>
> # 318: 07/01/00 04:43:29 DEBUG SLOT 3 IP Event Code: 38
> Interface 16x.xx.xxx.x: TCP port 21 to remote port 4654 allocated
>
> # 319: 07/01/00 04:43:29 INFO SLOT 3 TCP Event Code: 6
> TCP Opened: 16x.xx.xxx.x,21 - 194.117.155.79,4654 TCB: 0x31558260
>
> # 320: 07/01/00 04:43:33 DEBUG SLOT 3 IP Event Code: 39
> Interface 16x.xx.xxx.x: TCP port 21 to remote port 4654 deallocated
>
> # 321: 07/01/00 04:46:47 INFO SLOT 3 IP Event Code: 28
> IP Traffic Filter - Rule 16, Interface 16x.xx.xxx.x, Circuit 7 (Drop packet)
>
> # 322: 07/01/00 04:56:49 INFO SLOT 3 IP Event Code: 0
> The previous event on slot 3 repeated 2 time(s). [Code 28]
>
> # 323: 07/01/00 04:58:32 DEBUG SLOT 3 FTP Event Code: 55
> FTP debug message 827687520 - Error (15) in xmiting tcp buffer to the client.
> FTP debug message 829054800 - TCP Connection closed.

=====
---------------------/-----------------------
Erick B.             / http://berk.dhs.org
erickbe () yahoo com / CCNP+Security+NetRanger
                     / NNCSS, CCIE-Lab 9/21 SJ
-----------------/---------------------------
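
The reply's advice to check for other connections (telnet, tftp, etc.) from the same IP around the same time can be scripted; the following is an added example, not part of the original thread. It assumes the entry layout shown in the quoted log and mm/dd/yy timestamps; the sample entries, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the quoted event log (documentation addresses).
SAMPLE_LOG = """\
# 101: 07/01/00 04:41:02 INFO SLOT 3 TCP Event Code: 6
TCP Opened: 192.0.2.1,23 - 198.51.100.79,4650 TCB: 0x31558100
# 102: 07/01/00 04:43:29 INFO SLOT 3 TCP Event Code: 6
TCP Opened: 192.0.2.1,21 - 198.51.100.79,4654 TCB: 0x31558260
# 103: 07/01/00 04:46:47 INFO SLOT 3 IP Event Code: 28
IP Traffic Filter - Rule 16, Interface 192.0.2.1, Circuit 7 (Drop packet)
# 104: 07/01/00 09:15:10 INFO SLOT 3 TCP Event Code: 6
TCP Opened: 192.0.2.1,23 - 203.0.113.5,1030 TCB: 0x31558300
"""

HEADER = re.compile(r"#\s*\d+:\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+\w+"
                    r"\s+SLOT\s+\d+\s+(\w+)\s+Event Code:\s*(\d+)")
OPENED = re.compile(r"TCP Opened:\s*[\dx.]+,(\d+)\s*-\s*([\d.]+),\d+")

def parse_events(text):
    """Return [timestamp, entity, code, message] per entry; body lines are joined."""
    events = []
    for line in text.splitlines():
        s = line.strip()
        m = HEADER.match(s)
        if m:  # header line; any text after it on the same line starts the message
            ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
            events.append([ts, m.group(2), int(m.group(3)), s[m.end():].strip()])
        elif events and s:  # continuation line of the current entry
            events[-1][3] = (events[-1][3] + " " + s).strip()
    return events

def multi_service_remotes(events, window=timedelta(minutes=10)):
    """Map remote IP -> local ports it opened within `window` of its first connection."""
    opens = defaultdict(list)
    for ts, entity, _code, msg in events:
        m = OPENED.search(msg)
        if entity == "TCP" and m:
            opens[m.group(2)].append((ts, int(m.group(1))))
    flagged = {}
    for remote, hits in opens.items():
        hits.sort()
        ports = sorted({p for t, p in hits if t - hits[0][0] <= window})
        if len(ports) > 1:  # same source touched more than one service
            flagged[remote] = ports
    return flagged

if __name__ == "__main__":
    print(multi_service_remotes(parse_events(SAMPLE_LOG)))
```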