Security Incidents mailing list archives
Re: big increase in ftp scanning
From: Dante Mercurio <Dante () WEBCTI COM>
Date: Wed, 1 Nov 2000 13:26:30 -0500
A recent firewall install pointed out that a customer had been breached FTP on IIS. The person who had installed the NT server had installed IIS 4.0 wide open no patches, and their Internet connection had a static IP map on their router through NAT to this server (Ugggg!). So much for them believing NAT is an end-all to security. Not sure what exploit they used to gain access. The IP's networks listed below match some of the IP's that ended up getting blocked by the firewall. They set up shop on their server, and were hosting .MP3 files from it. Looks like the infiltration happened about 10/16 based on file creation dates and was just found this Monday when we installed a firewall for them. There must have been a link somewhere to this server, because it later received some attempts from AOL dial up accounts, and cornell.edu accounts, and continues to receive blocked FTP attempts two days later. M. Dante Mercurio, CCNA, MCSE+I, TNSP Consulting Services Manager Continental Consulting Group, LLC www.ccgsecurity.com <http://www.ccgsecurity.com> dmercurio () ccgsecurity com <mailto:dmercurio () ccgsecurity com>
-----Original Message----- From: Ian Eure [mailto:ieure () SICKFUCK ORG] Sent: Sunday, October 29, 2000 6:59 PM To: INCIDENTS () SECURITYFOCUS COM Subject: big increase in ftp scanning i've seen a ton of ftp scans in the last week. they have come from: 62.226.217.222 (p3EE2D9DE.dip.t-dialin.net) 64.209.232.25 (isengard.iad4.gctr.net) 62.20.37.140 (basecamp.gotland.se) 24.28.122.195 (cs28122-195.houston.rr.com) 24.162.74.203 (cs16274-203.austin.rr.com) all this has been in the last week. i run wu-ftpd 2.6.0, with a backport of the fix from 2.6.1. high risk, but there's no anonymous account, and no untrusted users have access to ftp. somewhat OT, can someone recommend a more secure ftpd? it seems like almost all of the ftp daemons had (have?) bad security problems. -- ______________________________________________ | "the whole scale of cosmic dimensions are falling from my mouth | in the description of a kiss of the interimlovers" | - einsturzende neubaten, "interim"
Current thread:
- Re: big increase in ftp scanning, (continued)
- Re: big increase in ftp scanning Tuc (Nov 08)
- Re: big increase in ftp scanning Keith Owens (Nov 09)
- Re: big increase in ftp scanning Jan Muenther (Nov 11)
- Re: big increase in ftp scanning Russell Fulton (Nov 13)
- Re: big increase in ftp scanning Andreas Ferber (Nov 14)
- Re: big increase in ftp scanning Jan Muenther (Nov 14)
- Re: big increase in ftp scanning Florian Weimer (Nov 15)
- Re: big increase in ftp scanning Dirk Meyer (Nov 11)
- Re: big increase in ftp scanning Stefan Tomlik (Nov 13)