PaulDotCom mailing list archives
Odd FTP traffic
From: Russell.Butturini at Healthways.com (Butturini, Russell)
Date: Tue, 25 May 2010 10:45:29 -0500
Good call, I didn't notice the pattern! I still wonder if it's a buffer overflow because it's actually going to 50 characters... the IPS is just truncating because I didn't have packet logging turned on at the time. I'll investigate further. Thanks for the help!

-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Mike Patterson
Sent: Tuesday, May 25, 2010 10:10 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Odd FTP traffic

On 2010/05/25 8:43 AM, Butturini, Russell wrote:
> Curious if anyone else on the list has seen this. For the last two days, I am seeing some bizarre looking buffer overflow attempts against one of my FTP servers from an IP in Vietnam. The IPS is catching them as they're triggering the FTP PASS Suspicious Length signature. They don't appear to be happening on regular intervals, which makes me doubt automation, but I'm curious if it's some kind of new zero day that's floating around. If it is automated, this isn't the type of thing I've ever seen bots try before. I've pasted a snippet of the IPS event below where the password is being sent. Anybody else seen this?
>
> Data: 0000 61 74 6f 72 0d 0a 50 41 53 53 20 31 71 61 32 77 ator..PASS 1qa2w
> Data: 0010 73 33 65 64 34 72 66 35 74 67 36 79 68 37 75 6a s3ed4rf5tg6yh7uj
> Data: 0020 38 69 6b 31 71 61 32 77 73 33 65 64 34 72 66 35 8ik1qa2ws3ed4rf5
> Data: 0030 74 67 36 79 68 37 75 6a 38 69 6b 0d 0a tg6yh7uj8ik..
You may have noticed this, but that password is just sequential characters from a US English keyboard layout - 1, then drop down to qa, then 2, drop down to ws, etc. I know plenty of people who use sequences like that for default passwords, although to be sure, they don't tend to go up as high as 8ik. :-) Maybe it's just somebody trying for default passwords.

Mike
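The capture and the keyboard-walk observation above, as an added example that is not part of the original thread: the script decodes the IPS hex dump back into the raw FTP control bytes, pulls out the PASS argument, measures its length, and scores how many consecutive characters are adjacent keys on a US QWERTY grid, which is what makes "1qa2ws3ed..." stand out as a keyboard walk rather than random overflow padding. It also reports whether the argument is a short unit repeated, as it is here. The dump text is the one posted in the thread (with the truncated "a:" label restored to "Data:"); the length and walk thresholds are hypothetical and should be set from the server's actual password policy.

```python
"""Decode the IPS hex dump from the thread, pull out the FTP PASS argument,
and score it for length and for keyboard-walk structure (added example)."""
import re
from typing import Optional

# Constructed input: the hex dump posted in the thread, with the truncated
# "a:" label restored to "Data:". Offsets, bytes and ASCII column are as posted.
IPS_DUMP = """
Data: 0000 61 74 6f 72 0d 0a 50 41 53 53 20 31 71 61 32 77 ator..PASS 1qa2w
Data: 0010 73 33 65 64 34 72 66 35 74 67 36 79 68 37 75 6a s3ed4rf5tg6yh7uj
Data: 0020 38 69 6b 31 71 61 32 77 73 33 65 64 34 72 66 35 8ik1qa2ws3ed4rf5
Data: 0030 74 67 36 79 68 37 75 6a 38 69 6b 0d 0a tg6yh7uj8ik..
"""

# US QWERTY, one string per row; the column index stands in for the physical
# column (row stagger is ignored, which is good enough to spot column walks).
_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./")
_POS = {ch: (r, c) for r, row in enumerate(_ROWS) for c, ch in enumerate(row)}

# Hypothetical thresholds; the real ones come from the server's password policy.
MAX_PASS_LEN = 32
WALK_THRESHOLD = 0.5


def decode_hexdump(dump: str) -> bytes:
    """Turn 'label offset hh hh ... ascii' lines back into raw bytes.

    Each line is a 4-hex-digit offset followed by up to 16 byte pairs; the
    ASCII column is ignored because it is lossy ('.' stands for any
    non-printable byte, so CR/LF cannot be recovered from it).
    """
    out = bytearray()
    for line in dump.strip().splitlines():
        m = re.search(r"\b[0-9a-fA-F]{4}\b((?:\s+[0-9a-fA-F]{2}\b){1,16})", line)
        if m:
            out.extend(int(h, 16) for h in m.group(1).split())
    return bytes(out)


def ftp_commands(raw: bytes) -> list[tuple[str, str]]:
    """Split CRLF-delimited control traffic into (verb, argument) pairs.

    A leading partial line (the 'ator' fragment in the capture, the tail of
    an earlier command) has no upper-case verb and is dropped.
    """
    cmds = []
    for line in raw.split(b"\r\n"):
        verb, _, arg = line.decode("latin-1").partition(" ")
        if verb.isalpha() and verb.isupper() and len(verb) in (3, 4):
            cmds.append((verb, arg))
    return cmds


def _adjacent(a: str, b: str) -> bool:
    """True when a and b are different keys that touch on the QWERTY grid."""
    pa, pb = _POS.get(a.lower()), _POS.get(b.lower())
    if pa is None or pb is None or pa == pb:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def keyboard_walk_ratio(pw: str) -> float:
    """Fraction of consecutive character pairs that are adjacent keys.

    '1qa2ws...' scores high: inside each three-key column walk both pairs are
    adjacent, and only the jumps between columns are not.
    """
    if len(pw) < 2:
        return 0.0
    hits = sum(_adjacent(x, y) for x, y in zip(pw, pw[1:]))
    return hits / (len(pw) - 1)


def repeating_unit(s: str) -> Optional[str]:
    """Shortest substring whose repetition reproduces s, or None if there is none."""
    n = len(s)
    for k in range(1, n // 2 + 1):
        if n % k == 0 and s[:k] * (n // k) == s:
            return s[:k]
    return None


def analyze_pass(dump: str, max_len: int = MAX_PASS_LEN,
                 walk_threshold: float = WALK_THRESHOLD) -> dict:
    """Decode the dump and report on the first PASS argument it carries."""
    passwords = [arg for verb, arg in ftp_commands(decode_hexdump(dump)) if verb == "PASS"]
    if not passwords:
        return {"found": False}
    pw = passwords[0]
    ratio = keyboard_walk_ratio(pw)
    return {
        "found": True,
        "length": len(pw),
        "over_length": len(pw) > max_len,
        "walk_ratio": round(ratio, 3),
        "keyboard_walk": ratio >= walk_threshold,
        "repeating_unit": repeating_unit(pw),
    }


if __name__ == "__main__":
    for key, value in analyze_pass(IPS_DUMP).items():
        print(f"{key}: {value}")
```

Decoding from the hex column rather than the ASCII column matters: the ASCII side prints CR and LF as dots, so only the bytes tell you where the PASS line actually ends and therefore how long the argument really is. On this capture the argument is 48 bytes, a 24-character unit sent twice, and about two thirds of its character transitions are adjacent keys, which is the signature of a keyboard walk and a reasonable thing to alert on separately from raw length.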
Current thread:
- Odd FTP traffic Butturini, Russell (May 25)
- Odd FTP traffic Mike Patterson (May 25)
- Odd FTP traffic Butturini, Russell (May 25)
- Odd FTP traffic Mike Patterson (May 25)