Educause Security Discussion mailing list archives

Re: Rogue FTP Servers


From: Wyman Miles <wm63 () CORNELL EDU>
Date: Tue, 2 Nov 2004 16:20:34 -0500

--On Tuesday, November 02, 2004 3:16 PM -0500 Justin Azoff
<JAzoff () UAMAIL ALBANY EDU> wrote:

On Tue, 2004-11-02 at 14:28, Anderson, Brandie wrote:
Does the banner say anything about "pubstro"?


I found one that had a banner of:
220-FTP SerVeR ReADy
220-_______________________________________________
220-                      - = ] MadHouse [ = -
220-???????????????????????????????????????????????
220-         This Stro is Brought You By Divx_due
220-                    & Evisu!
220-                ____________
220-                 User iNFO :
.....

Does "Stro" mean something in another language?

--
-- Justin Azoff
-- Network Performance Analyst

We've seen all manner of different banners and ports.  One banner in
particular was drawn directly from OpenSSH and clearly intended to mimic an
SSH server -- only the '220' at the front was the giveaway.  Ports are
chosen at random and one machine often has several FTP servers present.

About the only consistency we saw recently was the presence of an ident
listener (113/tcp) on botted systems.  Finding this more often than not led
to finding FTP servers on high ports.


Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421
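
Added example, not part of the original message: a Python sketch that triages banner-grab results using the indicators discussed in this thread (a "220" greeting on an unexpected port, an SSH version string behind that "220", "Stro" wording in the banner, and an ident listener on 113/tcp). The sample rows, addresses, port numbers and tag names are constructed for illustration.

```python
import re
from collections import defaultdict

IDENT_PORT = 113
EXPECTED_220 = {21, 25, 587}   # standard FTP; SMTP also greets with 220
FTP_REPLY = re.compile(r"^220[ -]")                # "220 " or multi-line "220-"
SSH_LOOKALIKE = re.compile(r"SSH-\d+\.\d+", re.I)  # SSH version string after the 220
STRO = re.compile(r"\b(?:pub)?stro\b", re.I)       # wording quoted in the thread

# Constructed sample: (host, port, banner text; "" means open but silent).
SCAN = [
    ("192.0.2.10", 22, "SSH-2.0-OpenSSH_3.9"),
    ("192.0.2.20", 113, ""),
    ("192.0.2.20", 31021, "220-FTP SerVeR ReADy\n220- This Stro is Brought You By ..."),
    ("192.0.2.20", 40022, "220 SSH-2.0-OpenSSH_3.9"),
    ("192.0.2.30", 21, "220 Departmental FTP service"),
    ("192.0.2.30", 25, "220 mail.example.edu ESMTP"),
    ("192.0.2.40", 113, ""),
]

def triage(scan):
    """Group banner-grab rows by host and flag the thread's indicators."""
    by_host = defaultdict(dict)
    for host, port, banner in scan:
        by_host[host][port] = banner
    report = {}
    for host, services in by_host.items():
        rogue = []
        for port, banner in sorted(services.items()):
            if port in EXPECTED_220 or not FTP_REPLY.match(banner):
                continue
            tags = ["220-on-unexpected-port"]
            if SSH_LOOKALIKE.search(banner):
                tags.append("ssh-lookalike")
            if STRO.search(banner):
                tags.append("stro-wording")
            rogue.append((port, tags))
        ident = IDENT_PORT in services
        if rogue:
            report[host] = {"ident": ident, "rogue": rogue, "action": "investigate"}
        elif ident:   # ident alone is only a lead: scan the full port range
            report[host] = {"ident": ident, "rogue": [], "action": "full-port-scan"}
    return report

if __name__ == "__main__":
    for host, finding in triage(SCAN).items():
        print(host, finding)
```

Hosts that legitimately run identd or a mail or FTP service on another port will need an allowlist before the output is useful as an alert.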
