Security Incidents mailing list archives

Re: Log of attempted exploit


From: "Leonard S. Dupray Jr." <stealthmode316 () PEOPLEPC COM>
Date: Sun, 12 Nov 2000 14:03:38 -0700

Stefano "Raistlin" Zanero,
 I have included an old BUGTRAQ listserv email. You might want to make sure
that you are not running wu-ftpd 2.6.0.

Good Luck
stealthmode316

---------------------------------------------------------------------
Yesterday www.hack.co.za made available yet another format string
stack overwrite exploit for wu-ftpd 2.6.0-*.  I have seen an
increased level of scanning for port 21 in the past 36 hours, no
doubt attributable to this latest SITE EXEC vulnerability.  This
problem is previously addressed by bugtraq id 1387 and CERT/CC
CA-2000-13 http://www.cert.org/advisories/CA-2000-13.html

The new tool (wu-lnx.c) in the lab against Mandrake 7.1 and RH 6.0
shows limited success as well as 100% effectiveness against RH 6.2.
Version 2.6.1 does not appear vulnerable.

A preliminary scrub of the code and traces indicated that user data
supplied via the PASS command is stuffed with shellcode and a SITE
EXEC then overwrites a stack pointer to call it.

The following is an entry left in /var/log/messages on the target
box.  Note the last line.

Sep 28 02:46:25 drteeth ftpd[14989]: ANONYMOUS FTP LOGIN FROM
grover.tester.org [192.168.222.1], 
?


1À1Û1É°FÍ?1À1ÛC?ÙA°?
Í?ëk^1À1ɍ^^A^F^Df¹ÿ^A°'Í?1À^^A°=Í?1À1ۍ^^H?C^B1ÉþÉ1À^^
H°^LÍ?þÉuó1À^F^I^^H°=Í?þ^N°0þÈ^F^D1À^F^G?v^H?F^L?óN^H
V^L°^KÍ?1À1Û°^AÍ?èÿÿÿ0bin0sh1..11

As the parent service (inetd) is not affected, there may be no
external indication that a site has been attacked.  Additionally,
this is not a buffer overflow, and no process will exit unexpectedly.
Ndiff and similar techniques will fail to detect any changes in the
status of listening inet ports on exploited systems.  This is another
incarnation of a very serious vulnerability.  If you are running
wu-ftpd 2.60-*, it is advised that you upgrade to the 2.6.1 release.

George Bakos
Systems Security Engineer
EWA-IIT
alpinista () bigfoot com


----- Original Message -----
From: "Raistlin" <raist () CTRADE IT>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Friday, November 10, 2000 12:11 PM
Subject: Log of attempted exploit


It didn't succeed, but I'm curious as to what kind of attempt this was.

Hoping it can be of any help:

Nov  6 15:57:36 [hostname] ftpd[13728]: ANONYMOUS FTP LOGIN FROM
sms.shopus.net [194.100.6.100],







1À1Û1É°FÍ?1À1ÛC?ÙA°?Í?ëk^1À1ɍ^^A^F^Df¹ÿ^A°'Í?1À^^A°=Í?1À1ۍ^^H?C

^B1ÉþÉ1À^^H°^LÍ?þÉuó1À^F^I^^H°=Í?þ^N°0þÈ^F^D1À^F^G?v^H?F^L?óN^HV^L°^KÍ?1
À1Û°^AÍ?èÿÿÿ0bin0sh1..11
Nov  6 15:57:46 [hostname] ftpd[13735]: ANONYMOUS FTP LOGIN FROM
sms.shopus.net [194.100.6.100],









1À1Û1É°FÍ?1À1ÛC?ÙA°?Í?ëk^1À1ɍ^^A

^F^Df¹ÿ^A°'Í?1À^^A°=Í?1À1ۍ^^H?C^B1ÉþÉ1À^^H°^LÍ?þÉuó1À^F^I^^H°=Í?þ^N°0þÈ^
F^D1À^F^G?v^H?F^L?óN^HV^L°^KÍ?1À1Û°^AÍ?èÿÿÿ0bin0sh1..11

Where [hostname] stands for the local machine, obviously.

Stefano "Raistlin" Zanero
public PGP key block at http://gioco.net/pgpkeys
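Both logs in this thread show the same trace: wu-ftpd writes the anonymous PASS value into the "ANONYMOUS FTP LOGIN FROM" record, and here that value is a run of non-printable bytes instead of an e-mail address. The script below is an added example, not code from either poster, that scans a /var/log/messages extract for such records. The record layout it parses, the rule that a line without a syslog timestamp continues the previous record, the 64-byte length ceiling and the two sample records (the first reuses the byte pattern visible in the posted logs, the second is an ordinary login) are all constructed for this example.

```python
"""Flag wu-ftpd anonymous-login records whose PASS field looks like a
binary blob rather than an e-mail address (added example, not from the
thread). Assumed record layout, matching the posted lines:

  <Mon dd HH:MM:SS> <host> ftpd[<pid>]: ANONYMOUS FTP LOGIN FROM <src> [<ip>], <pass>
"""
import re
from typing import Iterator, List, Optional

# A syslog record starts with a timestamp; any other line is assumed to be a
# continuation caused by a 0x0a byte inside the logged PASS value.
TS_RE = re.compile(rb"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

LOGIN_RE = re.compile(
    rb"ftpd\[(?P<pid>\d+)\]: ANONYMOUS FTP LOGIN FROM (?P<src>\S+) "
    rb"\[(?P<ip>[\d.]+)\],[ \t]*(?P<pw>.*)\Z",
    re.DOTALL,
)

# Constructed sample log. The first record carries the byte pattern that the
# posted logs render as "1À1Û1É°FÍ?" ... "0bin0sh1..11" (with an embedded
# newline and NUL bytes); the second is a normal anonymous login.
SAMPLE_LOG = (
    b"Sep 28 02:46:25 drteeth ftpd[14989]: ANONYMOUS FTP LOGIN FROM "
    b"grover.tester.org [192.168.222.1], "
    b"1\xc01\xdb1\xc9\xb0F\xcd\x80\n\x00bin\x00sh1..11\n"
    b"Sep 28 03:10:02 drteeth ftpd[15002]: ANONYMOUS FTP LOGIN FROM "
    b"mirror.example.net [192.168.222.9], mozilla@\n"
)


def records(raw: bytes) -> Iterator[bytes]:
    """Re-assemble syslog records from raw file bytes, re-joining
    continuation lines with the newline byte that split them."""
    lines = raw.split(b"\n")
    if lines and lines[-1] == b"":  # trailing newline at end of file
        lines.pop()
    current: Optional[bytes] = None
    for line in lines:
        if TS_RE.match(line):
            if current is not None:
                yield current
            current = line
        elif current is not None:
            current += b"\n" + line
    if current is not None:
        yield current


def suspicious_bytes(pw: bytes) -> int:
    """Count bytes that never occur in a legitimate anonymous password
    (an e-mail address): control characters and anything above 0x7e."""
    return sum(1 for b in pw if b < 0x20 or b > 0x7e)


def classify(record: bytes, max_len: int = 64) -> Optional[dict]:
    """Parse one record. Returns None if it is not an anonymous-login line,
    otherwise a finding dict whose 'reasons' list is empty for clean logins.
    max_len is an assumed ceiling for a plausible e-mail-style password."""
    m = LOGIN_RE.search(record)
    if m is None:
        return None
    pw = m.group("pw")
    bad = suspicious_bytes(pw)
    reasons: List[str] = []
    if bad:
        reasons.append(f"{bad} non-printable byte(s) in PASS")
    if len(pw) > max_len:
        reasons.append(f"PASS length {len(pw)} exceeds {max_len}")
    return {
        "pid": int(m.group("pid")),
        "src": m.group("src").decode("ascii", "replace"),
        "ip": m.group("ip").decode("ascii"),
        "pw_len": len(pw),
        "nonprintable": bad,
        "reasons": reasons,
    }


def scan(raw: bytes) -> List[dict]:
    """Return the findings for every anonymous login that tripped a rule."""
    findings = []
    for rec in records(raw):
        f = classify(rec)
        if f is not None and f["reasons"]:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"ftpd[{f['pid']}] from {f['src']} [{f['ip']}]: "
              + "; ".join(f["reasons"]))
```

Run it against a copy of /var/log/messages read in binary mode (`scan(open(path, "rb").read())`); reading the file as text would mangle the very bytes the rule keys on. A hit only says that a client sent binary data as its anonymous password, which is what both posters saw whether or not the attempt succeeded, so the next step is to confirm the wu-ftpd version on that host against the advisory cited above.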


