Vulnerability Development mailing list archives

Re: PORT or PASV mode of IIS 4.0's FTP

From: Dug Song <dugsong () MONKEY ORG>
Date: Thu, 3 Aug 2000 01:38:18 -0400

On Wed, 2 Aug 2000, C. K. Lung wrote:

The ftp client is trying to "get" 15,000 1-K files from the IIS's FTP
server, the connection is killed by FW-1 after it got 100 files.  The
fw-log shows that when the client's "source port" hit a "pre-defined
service (port) in the rulebase, the connection is dropped.  CP
explained that FW-1 thought that it was a security violation.


can you show us the log entry?  or better yet, a traffic trace of the
client up to the connection drop? sounds like a collision in FW-1's
connection state table.

i wonder whether it's really FW-1 doing the dropping, or the FTP server -
in the course of testing duke's funny technique to determine listening RPC
services on filtered ports, i ran into several FTP servers that would exit
after a certain number of consecutive PASV requests:

        http://www.monkey.org/~dugsong/ftp-rpc-probe.sh

just a guess,

-d.

---
http://www.monkey.org/~dugsong/

Current thread:

PORT or PASV mode of IIS 4.0's FTP C. K. Lung (Aug 02)
- Re: PORT or PASV mode of IIS 4.0's FTP Adam Prato (Aug 02)
  - Re: PORT or PASV mode of IIS 4.0's FTP Adam Prato (Aug 03)
- Re: PORT or PASV mode of IIS 4.0's FTP Dug Song (Aug 03)
- Re: PORT or PASV mode of IIS 4.0's FTP Todd Garrison (Aug 03)
- Re: PORT or PASV mode of IIS 4.0's FTP Makoto Shiotsuki (Aug 08)