Security Incidents mailing list archives
RE: Quick question re FTP activity
From: "darroch royden" <darroch.royden () blueyonder co uk>
Date: Mon, 11 Nov 2002 22:17:43 -0000
Looks like you have been marked as a mirror for chkrootkit and the user was trying to obtain a copy of: www.chkrootkit.org/chkrootkit-poster-a1.pdf I wouldn't worry, but I would disable anon ftp access :) -----Original Message----- From: Timothy M. Lyons [mailto:lyons () digitalvoodoo org] Sent: 10 November 2002 10:21 AM To: incidents () securityfocus com Subject: Quick question re FTP activity I just brought this server online to lessen the stress on my web server, so I have to admit it's been a _long_ time since I ran FTP on anything. Can someone tell me what the user is trying to accomplish from the log excerpt below? --Tim --- "Leave the beaten path and dive into the woods. You are certain to find something interesting." -- Alexander Graham Bell (1847 - 1922) ---begin ftp log--- Nov 9 08:53:15 envoy ftpd[2801]: USER anonymous Nov 9 08:53:16 envoy ftpd[2801]: PASS m () m com Nov 9 08:53:16 envoy ftpd[2801]: ANONYMOUS FTP LOGIN FROM p9.pub.ro [192.129.3.252], m () m com Nov 9 08:53:16 envoy ftpd[2801]: TYPE Image Nov 9 08:53:16 envoy ftpd[2801]: PORT Nov 9 08:53:16 envoy ftpd[2801]: refused PORT 10.0.0.248,1362 from p9.pub.ro [192.129.3.252] Nov 9 08:53:17 envoy ftpd[2801]: PASV Nov 9 08:53:17 envoy ftpd[2801]: SIZE /pub/mirrors/chkrootkit/chkrootkit-poster-a1.pdf Nov 9 08:53:17 envoy ftpd[2801]: REST 0 Nov 9 08:53:17 envoy ftpd[2801]: REST 100 Nov 9 08:53:17 envoy ftpd[2801]: RETR /pub/mirrors/chkrootkit/chkrootkit-poster-a1.pdf Nov 9 08:53:21 envoy ftpd[2801]: ABOR Nov 9 08:53:21 envoy ftpd[2801]: FTP session closed ---end log --- ------------------------------------------------------------------------ ---- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Quick question re FTP activity Timothy M. Lyons (Nov 11)
- RE: Quick question re FTP activity darroch royden (Nov 12)