Security Incidents mailing list archives

RE: wu-ftpd attack ???


From: "Aaron Lewis" <jim () jsw4 net>
Date: Tue, 26 Nov 2002 15:22:42 -0500

Apologies, After some trial and error, the current syntax being used to
collect traffic is

tcpdump  -nvvX -s 1500 -w  /var/log/ftpdump 'port 20 or 21' &

I'll supply the results after the next attack of substantial event. For
everyone who's interested please provide me with a valid e-mail and I'll
communicate directly as I do not wish to post explicit data to the list.

-----Original Message-----
From: Aaron Lewis [mailto:jim () jsw4 net]
Sent: Tuesday, November 26, 2002 9:19 AM
To: 'OTERO Hernan Gustavo EDS'; fygrave () tigerteam net
Cc: incidents () securityfocus com; da () securityfocus com
Subject: RE: wu-ftpd attack ???


Ok. In efforts to find out what went on here, I have taken down some of the
security features recently implemented and restarted tcpdump with
tcpdump -nvv -s 1500 -w 'port 20 or 21' > /var/log/ftpdump &


I have copied this to the people who have asked for more information. I'd
rather deal with a few individuals directly than splatter this all over the
list. As soon as I have another incident I will post the dump results.

Thanks



-----Original Message-----
From: OTERO Hernan Gustavo EDS [mailto:bazhgo () techint net]
Sent: Tuesday, November 26, 2002 7:04 AM
To: 'aaron () jsw4 net'
Subject: wu-ftpd attack ???


Could you send me the tcpdump (and the command that you run to make the dump,
i.e., tcpdump -nvv -s 1500 -w blablabla or any other)?



Thanks,
        Hernán Otero
Information Security Analyst


I'm experiencing a situation where wu-ftpd (wu-ftpd-2.6.1-20) on Red Hat 7.2
(2.4.18-18.7.x) is getting broken by some specific type of scan (I think).
When this happens, wu-ftpd just stops responding to connection requests but
port 21 is still listening according to netstat -anl. I restart xinetd and all
is well.

Now, what I have managed to catch in the logs, just before the server stops,
are several connections (or a scan) from a specific IP address to multiple virt
hosts on my server. There is NO anon ftp and there are NO shell accounts. If
someone is interested in the tcpdump for the FTP traffic during this, let me
know. Other than that there is nothing suspicious in the logs.

Can someone tell me what might be going on please...

Aaron Lewis
JSW4.NET
aaron () jsw4 net
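As an added illustration, not part of this thread and not wu-ftpd's or tcpdump's own code: a small Python probe that tells the state Aaron describes (port 21 still listening according to netstat, but the daemon never answering) apart from a refused connection and from a healthy 220 greeting. The listener it talks to is a constructed local stand-in, so the script runs offline; point probe_ftp at a real host and port to use it as a watchdog check.

```python
import socket
import threading

def probe_ftp(host, port, timeout=5.0):
    """Classify an FTP endpoint: 'banner' (220 greeting seen), 'silent' (TCP
    accepted but no greeting: the hung-daemon symptom), 'closed' (accepted then
    hung up), 'refused' (nothing listening), 'unreachable' or 'unexpected'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(256)
            except socket.timeout:
                return "silent"
            if not data:
                return "closed"
            return "banner" if data.startswith(b"220") else "unexpected"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "unreachable"

def start_fake_listener(greeting):
    """Constructed stand-in for the daemon, not a real FTP server: accepts one
    connection and sends `greeting`; None means accept but never answer."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            if greeting is None:
                conn.recv(1)  # hold the connection open until the client gives up
            else:
                conn.sendall(greeting)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def free_port():
    """Return a local port with nothing listening on it (the 'refused' case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    ports = {"healthy": start_fake_listener(b"220 FTP ready\r\n"),
             "hung": start_fake_listener(None), "down": free_port()}
    for label, port in ports.items():
        print(label, "->", probe_ftp("127.0.0.1", port, timeout=1.0))
```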

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

