Re: Odd identd behavior

[k levinson <levinson_k () yahoo com>]

220 and 530 messages can be SMTP, or they can be FTP
or something else.  The 220 plus the "crew" banner
would make me want to run a sniffer and/or point an
FTP client at that port to determine whether that's an
FTP banner, associated with FTP tagging / pubstro
activity.  The presence of lots of illegal warez files
such as DVD, games, etc. or much lower free disk space
than normal might also be a clue.

Because of the running process on the system on a
non-standard port, it seems fairly certain that a root
level compromise has occurred.  However, often you
will find FTP pubstro compromises where the
"attackers" have no knowledge or interest in what your
server is or the data on it.  A typical pubstro attack
will be a broad scan and compromise of lots of systems
with financial gain as the motive, with little time
and interest in reconnaisance or discovery of data. 
The ident port has been used in some past documented
pubstros, possibly because the firewall was configured
to allow use of that port in and out.

http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0411&L=security&T=0&F=&S=&P=2356

- karl levinson



                
__________________________________ 
Yahoo! FareChase: Search multiple travel sites in one click.
http://farechase.yahoo.com