Security Incidents mailing list archives
Wu-ftpd 2.6.2
From: "Costas Karafasoulis" <karafas () mail ariadne-t gr>
Date: Fri, 19 Apr 2002 08:44:00 +0300
I got a response from the wu-ftpd development team. It seems that it was a false alarm, so I have attached an ASCII log of the attack.

A little history of the compromised system:

- At the beginning it was a default installation of R7.2 running wu-ftpd 2.6.1
- 15 days ago it was hacked through wu-ftpd 2.6.1 and the attacker patched the system to wu-ftpd 2.6.2 (he had transferred his binary files for wu-ftpd 2.6.2, so I cannot be definitely sure that this is the original version)
- After that, several autorooters visited the system, checked the version and left, except this last attack, which was quite persistent.

In addition, the attacker kept using his exploiting tool to enter the system, besides the use of his backdoors, which gives an impression of testing the exploiting script.

Wondering if this is an attack on previously rooted systems ..

Thanks,
Costas

----------------------------
Costas Karafasoulis
Internet Systematics Lab, Honeynet Project
NCSR Demokritos
http://www.honeynet.gr
Attachment: logs.zip
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com