Security Incidents mailing list archives

RE: Quick question re FTP activity


From: "darroch royden" <darroch.royden () blueyonder co uk>
Date: Mon, 11 Nov 2002 22:17:43 -0000

Looks like you have been marked as a mirror for chkrootkit and the user
was trying to obtain a copy of:
www.chkrootkit.org/chkrootkit-poster-a1.pdf 

I wouldn't worry, but I would disable anon ftp access :)

-----Original Message-----
From: Timothy M. Lyons [mailto:lyons () digitalvoodoo org] 
Sent: 10 November 2002 10:21 AM
To: incidents () securityfocus com
Subject: Quick question re FTP activity


I just brought this server online to lessen the stress on my web server,
so I have to admit it's been a _long_ time since I ran FTP on anything.
Can someone tell me what the user is trying to accomplish from the log
excerpt below?

--Tim

---
"Leave the beaten path and dive into the woods.   
You are certain to find something interesting."
        -- Alexander Graham Bell (1847 - 1922)

---begin ftp log---
Nov  9 08:53:15 envoy ftpd[2801]: USER anonymous
Nov  9 08:53:16 envoy ftpd[2801]: PASS m () m com
Nov  9 08:53:16 envoy ftpd[2801]: ANONYMOUS FTP LOGIN FROM p9.pub.ro [192.129.3.252], m () m com
Nov  9 08:53:16 envoy ftpd[2801]: TYPE Image
Nov  9 08:53:16 envoy ftpd[2801]: PORT
Nov  9 08:53:16 envoy ftpd[2801]: refused PORT 10.0.0.248,1362 from p9.pub.ro [192.129.3.252]
Nov  9 08:53:17 envoy ftpd[2801]: PASV
Nov  9 08:53:17 envoy ftpd[2801]: SIZE /pub/mirrors/chkrootkit/chkrootkit-poster-a1.pdf
Nov  9 08:53:17 envoy ftpd[2801]: REST 0
Nov  9 08:53:17 envoy ftpd[2801]: REST 100
Nov  9 08:53:17 envoy ftpd[2801]: RETR /pub/mirrors/chkrootkit/chkrootkit-poster-a1.pdf
Nov  9 08:53:21 envoy ftpd[2801]: ABOR
Nov  9 08:53:21 envoy ftpd[2801]: FTP session closed
---end log ---





------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
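
Added example, not part of the original thread: a Python script that groups ftpd syslog entries like the ones quoted above by process ID and summarizes each session, flagging a refused PORT whose advertised address differs from the control-connection peer (here a private address, which is consistent with a client behind NAT that then falls back to PASV). The regular expressions and the summary field names are assumptions derived only from the log lines shown in this post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the log excerpt from the post, one entry per line.
SAMPLE_LOG = """\
Nov  9 08:53:15 envoy ftpd[2801]: USER anonymous
Nov  9 08:53:16 envoy ftpd[2801]: PASS m () m com
Nov  9 08:53:16 envoy ftpd[2801]: ANONYMOUS FTP LOGIN FROM p9.pub.ro [192.129.3.252], m () m com
Nov  9 08:53:16 envoy ftpd[2801]: TYPE Image
Nov  9 08:53:16 envoy ftpd[2801]: PORT
Nov  9 08:53:16 envoy ftpd[2801]: refused PORT 10.0.0.248,1362 from p9.pub.ro [192.129.3.252]
Nov  9 08:53:17 envoy ftpd[2801]: PASV
Nov  9 08:53:17 envoy ftpd[2801]: SIZE /pub/mirrors/chkrootkit/chkrootkit-poster-a1.pdf
Nov  9 08:53:17 envoy ftpd[2801]: REST 0
Nov  9 08:53:17 envoy ftpd[2801]: REST 100
Nov  9 08:53:17 envoy ftpd[2801]: RETR /pub/mirrors/chkrootkit/chkrootkit-poster-a1.pdf
Nov  9 08:53:21 envoy ftpd[2801]: ABOR
Nov  9 08:53:21 envoy ftpd[2801]: FTP session closed
"""

# Patterns assumed from the entries above (not taken from any ftpd documentation).
ENTRY = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ ftpd\[(\d+)\]: (.*)$")
LOGIN = re.compile(r"^ANONYMOUS FTP LOGIN FROM \S+ \[([\d.]+)\]")
REFUSED = re.compile(r"^refused PORT ([\d.]+),\d+ from \S+ \[([\d.]+)\]")

def summarize(log_text):
    """Group ftpd syslog entries by PID and summarize each FTP session."""
    sessions = defaultdict(lambda: {"peer": None, "anonymous": False,
        "port_mismatch": [], "rest": [], "retr": [], "aborted": False})
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # not an ftpd entry in the expected layout
        s, msg = sessions[m.group(1)], m.group(2)
        if (login := LOGIN.match(msg)):
            s["anonymous"], s["peer"] = True, login.group(1)
        elif (ref := REFUSED.match(msg)):
            claimed, peer = ref.group(1), ref.group(2)
            if claimed != peer:  # PORT names a host other than the connecting one
                s["port_mismatch"].append((claimed, ipaddress.ip_address(claimed).is_private))
        elif msg.startswith("RETR "):
            s["retr"].append(msg[5:])
        elif msg.startswith("REST "):
            s["rest"].append(int(msg[5:]))  # restart offsets requested by the client
        elif msg == "ABOR":
            s["aborted"] = True
    return dict(sessions)
```
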

