Vulnerability Development mailing list archives
Re: PORT or PASV mode of IIS 4.0's FTP
From: Dug Song <dugsong () MONKEY ORG>
Date: Thu, 3 Aug 2000 01:38:18 -0400
On Wed, 2 Aug 2000, C. K. Lung wrote:
The ftp client is trying to "get" 15,000 1-K files from the IIS's FTP server, the connection is killed by FW-1 after it got 100 files. The fw-log shows that when the client's "source port" hit a "pre-defined service (port)" in the rulebase, the connection is dropped. CP explained that FW-1 thought that it was a security violation.
can you show us the log entry? or better yet, a traffic trace of the client up to the connection drop? sounds like a collision in FW-1's connection state table.

i wonder whether it's really FW-1 doing the dropping, or the FTP server - in the course of testing duke's funny technique to determine listening RPC services on filtered ports, i ran into several FTP servers that would exit after a certain number of consecutive PASV requests:

http://www.monkey.org/~dugsong/ftp-rpc-probe.sh

just a guess,

-d.

---
http://www.monkey.org/~dugsong/