Security Incidents mailing list archives
RE: wu-ftpd attack ???
From: "Aaron Lewis" <jim () jsw4 net>
Date: Tue, 26 Nov 2002 15:22:42 -0500
Apologies. After some trial and error, the current syntax being used to collect traffic is

    tcpdump -nvvX -s 1500 -w /var/log/ftpdump 'port 20 or 21' &

I'll supply the results after the next attack of substantial event. For everyone who's interested please provide me with a valid e-mail and I'll communicate directly as I do not wish to post explicit data to the list.

-----Original Message-----
From: Aaron Lewis [mailto:jim () jsw4 net]
Sent: Tuesday, November 26, 2002 9:19 AM
To: 'OTERO Hernan Gustavo EDS'; fygrave () tigerteam net
Cc: incidents () securityfocus com; da () securityfocus com
Subject: RE: wu-ftpd attack ???

Ok. In efforts to find out what went on here, I have taken down some of the security features recently implemented and restarted tcpdump with

    tcpdump -nvv -s 1500 -w 'port 20 or 21' > /var/log/ftpdump &

I have copied this to the people who have asked for more information. I'd rather deal with a few individuals directly than splatter this all over the list. As soon as I have another incident I will post the dump results.

Thanks

-----Original Message-----
From: OTERO Hernan Gustavo EDS [mailto:bazhgo () techint net]
Sent: Tuesday, November 26, 2002 7:04 AM
To: 'aaron () jsw4 net'
Subject: wu-ftpd attack ???

Could you send me the tcpdump (and the command that you run to make the dump, i.e. tcpdump -nvv -s 1500 -w blablabla or any other)?

Thanks,
Hernán Otero
Information Security Analyst
I'm experiencing a situation where wu-ftpd (wu-ftpd-2.6.1-20 on Red Hat 7.2, 2.4.18-18.7.x) is getting broken by some specific type of scan (I think). When this happens, wu-ftpd just stops responding to connection requests but port 21 is still listening according to netstat -anl. I restart xinetd and all is well.

Now, what I have managed to catch in the logs, just before the server stops, are several connections (or a scan) from a specific IP address to multiple virt hosts on my server. There is NO anon ftp and there are NO shell accounts. If someone is interested in the tcp dump for the FTP traffic during this, let me know. Other than that there is nothing suspicious in the logs.

Can someone tell me what might be going on please...

Aaron Lewis
JSW4.NET
aaron () jsw4 net
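The pattern the original message describes (one source address connecting to several virtual hosts shortly before the daemon stops answering) can be pulled out of connection logs automatically. The script below is an added example, not code from this thread or from wu-ftpd; it uses a constructed, hypothetical one-line-per-connection log format, so parse_line() must be adapted to the real xinetd or wu-ftpd line layout.

```python
"""Flag a single source IP hitting many FTP virtual hosts in a short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (hypothetical format): timestamp, source IP, vhost.
SAMPLE_LOG = """\
2002-11-26 09:18:50 ftpd: connection from 198.51.100.7 to vhost ftp.a.example
2002-11-26 09:18:51 ftpd: connection from 198.51.100.7 to vhost ftp.b.example
2002-11-26 09:18:51 ftpd: connection from 198.51.100.7 to vhost ftp.c.example
2002-11-26 09:18:52 ftpd: connection from 198.51.100.7 to vhost ftp.d.example
2002-11-26 09:18:53 ftpd: connection from 203.0.113.9 to vhost ftp.a.example
2002-11-26 09:30:00 ftpd: connection from 203.0.113.9 to vhost ftp.b.example
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ftpd: connection from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) to vhost (?P<vhost>\S+)$"
)


def parse_line(line):
    """Return (timestamp, src_ip, vhost) for a matching line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["vhost"])


def find_vhost_sweeps(log_text, window=timedelta(seconds=60), min_vhosts=3):
    """Return {src_ip: sorted vhosts} for every source that reached at least
    min_vhosts distinct virtual hosts inside any sliding window of `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, src, vhost = rec
            events[src].append((ts, vhost))
    sweeps = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            vhosts = {v for _, v in evs[start:end + 1]}
            if len(vhosts) >= min_vhosts and len(vhosts) > len(sweeps.get(src, ())):
                sweeps[src] = sorted(vhosts)  # keep the widest set seen
    return sweeps


if __name__ == "__main__":
    for src, hosts in find_vhost_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept {len(hosts)} vhosts: {', '.join(hosts)}")
```

Run against the sample, only 198.51.100.7 is reported; the two connections from 203.0.113.9 are eleven minutes apart and never share a window.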
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com