Security Incidents mailing list archives
Re: Strange FTP traffic...
From: Abe Getchell <agetchel () KDE STATE KY US>
Date: Fri, 29 Sep 2000 09:36:24 -0400
Hi Sean,

Chances are it's exactly as you said, a scan to check for a world writable incoming dir. We see these hack attempts all the time on our various FTP servers, and generally isn't a problem... unless you have a world writable incoming dir. =) While I've never seen these exact commands being thrown at the FTP server, chances are the SK is using some kind of script that randomizes the file and directory names it's trying to create. Seen plenty of that. Check other FTP servers on your subnet for the same type of hack, and if there are any, see if there is any pattern to the file and dir names being created (or attempting to be created).

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice 502-564-2020x225
E-mail agetchel () kde state ky us
Web http://www.kde.state.ky.us/

-----Original Message-----
From: Sean Sosik-Hamor [mailto:ssh () SHN NU]
Sent: Thursday, September 28, 2000 3:34 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Strange FTP traffic...

I had some strange FTP traffic a week or two ago and I'm just now getting around to remember to post it. ;) Is anyone familiar with this scan? Just looks like a check for a world writable incoming. I need to clear out the WaReZ puppies and VCD couriers every once in a while on this server, is this how they're finding me?

Sep 18 22:38:39 wind ftpd[19573]: mkdir incoming/. 36122218p
Sep 18 22:39:05 wind ftpd[8498]: mkdir incoming/. 1122218p
Sep 18 22:40:40 wind ftpd[14735]: mkdir incoming/.MaD/
Sep 23 02:46:04 wind ftpd[31482]: mkdir incoming/. MaD
Sep 25 11:14:08 wind ftpd[4647]: mkdir incoming/.000925171453p
Sep 25 11:14:08 wind ftpd[4647]: rmdir incoming/.000925171453p
Sep 25 11:14:08 wind ftpd[8516]: mkdir incoming/.000925171454p
Sep 25 11:14:09 wind ftpd[8516]: rmdir incoming/.000925171454p

There are no other strange log entries...

--
. / s t a n l e y / l o o k e d / q u i t e / b o r e d / a n d / s o m e w h a t / d e t a c h e d , b u t / t h e n / p e n g u i n s / o f t e n / d o / . ssh () shn nu . / / . http://projects.shn.nu/sean/ . /
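
Added example, not part of the original thread or either poster's code: one way to do the cross-server comparison suggested in the reply, run over the ftpd lines quoted above. It assumes the syslog layout seen in those lines and treats the ftpd PID as one session; parse(), shape() and classify() are names invented here.

```python
import re
from collections import Counter

# Log lines as quoted in the post above, used as sample input.
SAMPLE = """\
Sep 18 22:38:39 wind ftpd[19573]: mkdir incoming/. 36122218p
Sep 18 22:39:05 wind ftpd[8498]: mkdir incoming/. 1122218p
Sep 18 22:40:40 wind ftpd[14735]: mkdir incoming/.MaD/
Sep 23 02:46:04 wind ftpd[31482]: mkdir incoming/. MaD
Sep 25 11:14:08 wind ftpd[4647]: mkdir incoming/.000925171453p
Sep 25 11:14:08 wind ftpd[4647]: rmdir incoming/.000925171453p
Sep 25 11:14:08 wind ftpd[8516]: mkdir incoming/.000925171454p
Sep 25 11:14:09 wind ftpd[8516]: rmdir incoming/.000925171454p
"""

# Layout inferred from the sample: "Mon DD HH:MM:SS host ftpd[pid]: op path"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sftpd\[(?P<pid>\d+)\]:\s"
    r"(?P<op>mkdir|rmdir)\s(?P<path>incoming/.*)$"
)

def parse(text):
    """Return mkdir/rmdir events under incoming/ as dicts; other lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def shape(path):
    """Reduce a directory name to its pattern: each digit run becomes <Nd>."""
    name = path[len("incoming/"):].rstrip("/")
    return re.sub(r"\d+", lambda m: f"<{len(m.group())}d>", name)

def classify(events):
    """Split hidden-name activity into write probes and mkdirs with no rmdir."""
    pending, probes = {}, []
    for ev in events:
        if not shape(ev["path"]).startswith("."):
            continue  # only dot-prefixed (hidden) names are of interest
        key = (ev["host"], ev["pid"], ev["path"])  # PID stands in for the session
        if ev["op"] == "mkdir":
            pending[key] = ev
        elif key in pending:  # same session removed what it just created
            probes.append(pending.pop(key))
    return probes, list(pending.values())

if __name__ == "__main__":
    probes, unpaired = classify(parse(SAMPLE))
    print("mkdir+rmdir probes:", Counter(shape(e["path"]) for e in probes))
    print("mkdir, no rmdir logged:", Counter(shape(e["path"]) for e in unpaired))
```

Run against the logs from each FTP server on the subnet, matching shapes across hosts point to the same tool. The log does not show whether a mkdir succeeded, so the unpaired names still need checking on disk.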